This will cause two additional years of possible headaches for issuing banks, because the two protocols coexist independently and demand separate infrastructures. Most of the Access Control Server (ACS) software providers have built a new ACS compatible with 3DS2, so issuing banks are mostly turning to ACSs for the next two years.
Running two ACSs is not the most critical point, even though it creates additional operational costs for issuers. One card can be enrolled (in fact, it should be enrolled according to MC/VISA suggestions) on both 3DS platforms. This is necessary to support authentication on the merchant side when the merchant has not upgraded to 3DS2. Statistics show that most non-EU merchants did not upgrade to 3DS2.
3DS2 offers a much broader set of functionalities and authentication methods (e.g., push notification, Risk-Based Authentication, frictionless authentication, Merchant Whitelist, etc.), which is the result of efforts put into providing the cardholder with the best User Experience possible. None of the mentioned features were supported in 3D Secure v1, which means that buyers might encounter a very different user experience when purchasing from different merchants (the ones which upgraded to 3DS2, and those that did not).
3D Secure solutions that have a modular architecture (ACS core, Authentication Service, Risk Scoring Service built as separate but interoperable modules) enable integration of those modules with the 3DS1 platform as well, i.e., an ACS that runs 3D Secure v1. This architecture brings two significant enhancements for buyers:
3DS1 was not well received by cardholders because of its poor User Experience. In the following two years of the transition period, cardholders will be able to process more frictionless transactions, and thus transaction abandonment rates will be reduced.
As mentioned above, the most notable User Experience benefit of 3D Secure v2 is Risk-Based Authentication and the frictionless flow enabled by transaction risk analysis. Transaction risk assessment is based on the cardholder's transaction history and a previously created behavioral profile. In case of any deviations that are not aligned with the cardholder profile, the issuer will require Strong Customer Authentication in order to be sure of the cardholder's authenticity.
Keeping 3DS1 and 3DS2 transactions separate while a significant number of transactions is still in 3DS1 means that the customer profile in 3DS2 is incomplete, because the behavioral data from 3DS1 transactions is not yet evaluated. To overcome this issue, issuers can deploy a single risk scoring service for both ACS1 and ACS2 to complete the buyers' profile and make a more precise risk assessment.
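The effect of a shared risk scoring service can be shown with a small model. This is an added example, not code from any ACS vendor: the class, the sample history, the minimum-history threshold and the amount rule are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history for one card: (protocol, merchant_country, amount).
HISTORY = [
    ("3DS1", "US", 40.0), ("3DS1", "US", 55.0), ("3DS1", "US", 35.0),
    ("3DS1", "US", 50.0), ("3DS2", "DE", 60.0), ("3DS2", "DE", 45.0),
]

class RiskScoringService:
    """Profile store and decision rule (assumed, simplified)."""

    def __init__(self, min_history=3, sigma=3.0):
        self.profiles = defaultdict(list)   # card_id -> [(country, amount)]
        self.min_history = min_history
        self.sigma = sigma

    def record(self, card_id, country, amount):
        self.profiles[card_id].append((country, amount))

    def decide(self, card_id, country, amount):
        history = self.profiles[card_id]
        if len(history) < self.min_history:
            return "challenge"              # incomplete profile: require SCA
        amounts = [a for _, a in history]
        limit = mean(amounts) + self.sigma * max(pstdev(amounts), 1.0)
        known_country = country in {c for c, _ in history}
        if known_country and amount <= limit:
            return "frictionless"
        return "challenge"                  # deviation from profile: require SCA

def build_service(protocols, card_id="card-1"):
    """Feed the service only transactions seen by the given ACS protocol(s)."""
    svc = RiskScoringService()
    for protocol, country, amount in HISTORY:
        if protocol in protocols:
            svc.record(card_id, country, amount)
    return svc

if __name__ == "__main__":
    split = build_service({"3DS2"})             # ACS2 scores on its own data
    shared = build_service({"3DS1", "3DS2"})    # one service behind both ACSs
    for name, svc in (("ACS2 only", split), ("shared", shared)):
        print(name, svc.decide("card-1", "US", 45.0),
              svc.decide("card-1", "US", 900.0))
```

With only 3DS2 data the ordinary 45.00 purchase is challenged because the profile is too thin, while the shared service lets it through frictionlessly and still challenges the 900.00 outlier.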
Having two coexisting 3D Secure protocols is not an easy task to handle on the issuer side, but there are solutions that help overcome this challenge. Technical issues are being handled with a modular architecture, allowing issuers to adapt to any protocol being used to successfully process a given transaction, whether it is protected with 3DS1 or 3DS2. The most notable challenge is to ensure a smooth and uniform user experience in both cases, making the cardholders confident in the security of their online purchases. Different experiences during checkout might make the buyers wary during the processing of online payments, possibly causing cart abandonment rates to soar.