This will cause two additional years of possible headaches for issuing banks, since the two protocols coexist independently and demand separate infrastructures. Most Access Control Server (ACS) software providers have built a new ACS compatible with 3DS2, so issuing banks are mostly turning to ACSs for the next two years.
Running two ACSs is not the most critical point, even though it adds operational costs for issuers. One card should be enrolled (according to MC/VISA suggestions) on both 3DS platforms. This is necessary for supporting authentication on the merchant side in cases where the merchant has not upgraded to 3DS2. Statistics show that most non-EU merchants did not upgrade to 3DS2.
3DS2 offers a much broader set of functionalities and authentication methods (e.g., push notification, Risk-Based Authentication, frictionless authentication, Merchant Whitelist, etc.). This is the result of efforts put into providing the cardholder with the best User Experience possible. None of the mentioned features is supported in 3DS v1. That means that buyers might encounter a very different user experience when purchasing from different merchants: those that upgraded to 3DS2 and those that did not.
3D Secure solutions that have a modular architecture (ACS core, Authentication Service, Risk Scoring Service built as separate but interoperable modules) enable integration of those modules with the 3DS1 platform as well, i.e., an ACS that runs 3D Secure v1. This architecture brings two significant enhancements for buyers:
Adoption of 3DS1 was not well received by cardholders because of its poor User Experience. In the following two years of the transition period, cardholders will be able to process more frictionless transactions, and thus transaction abandonment rates will be reduced.
The most notable User Experience benefit of 3D Secure v2 is Risk-Based Authentication and frictionless flow. Transaction risk assessment is based on the cardholder's transaction history and a previously created behavioral profile. In case of any deviations that do not align with the cardholder profile, the issuer will require Strong Customer Authentication.
Separation of 3DS1 and 3DS2 transactions in situations where a significant number of transactions is still in 3DS1 means that the customer profile in 3DS2 is not complete. This is because the behavioral data is yet to be collected. To overcome this issue, issuers can deploy a single risk scoring service for both ACS1 and ACS2. It enables them to complete the buyer's profile and make a more precise risk assessment.
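The effect of a shared risk scoring service can be shown with a small sketch. This is an added example, not code from any ACS product: the profile fields, the score weights, the 0.5 step-up threshold and the transactions are all constructed assumptions.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
from statistics import mean

STEP_UP_THRESHOLD = 0.5  # assumed cut-off between frictionless and challenge
Txn = namedtuple("Txn", "card protocol merchant device amount")  # protocol: "3DS1"/"3DS2"

@dataclass
class Profile:
    merchants: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    amounts: list = field(default_factory=list)

class RiskService:
    """Scores a transaction against history from the protocols it is fed."""
    def __init__(self, protocols):
        self.protocols = set(protocols)
        self.profiles = defaultdict(Profile)

    def record(self, t):
        if t.protocol not in self.protocols:
            return  # a per-ACS scorer never sees the other ACS's traffic
        p = self.profiles[t.card]
        p.merchants.add(t.merchant)
        p.devices.add(t.device)
        p.amounts.append(t.amount)

    def score(self, t):
        p = self.profiles.get(t.card)
        if p is None:
            return 1.0  # no history at all: treat as maximum risk
        s = 0.4 if t.merchant not in p.merchants else 0.0
        s += 0.4 if t.device not in p.devices else 0.0
        s += 0.2 if t.amount > 3 * mean(p.amounts) else 0.0
        return s

    def decide(self, t):
        return "challenge" if self.score(t) >= STEP_UP_THRESHOLD else "frictionless"

# Constructed history: mostly 3DS1, as at merchants that have not upgraded yet.
HISTORY = [Txn("C1", "3DS1", "bookshop", "laptop", 40.0),
           Txn("C1", "3DS1", "bookshop", "laptop", 55.0),
           Txn("C1", "3DS2", "grocer", "phone", 30.0)]
NEW_TXN = Txn("C1", "3DS2", "bookshop", "laptop", 50.0)  # bookshop now on 3DS2

def build_service(protocols):
    svc = RiskService(protocols)
    for t in HISTORY:
        svc.record(t)
    return svc
```

With `build_service({"3DS2"})` the familiar bookshop purchase is challenged because the 3DS2-only profile has never seen that merchant or device; with `build_service({"3DS1", "3DS2"})` the same purchase goes frictionless.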
Having two coexisting 3D Secure protocols is not an easy task to handle on the issuer side. However, there are solutions that help overcome this challenge. The solution for technical issues is modular architecture. It allows issuers to adapt to any protocol for the successful processing of a given transaction, regardless of the implemented protocol, 3DS1 or 3DS2. The most notable challenge is to ensure a smooth and uniform user experience in both cases. This makes cardholders confident in the security of their online purchases. Different checkout experiences make buyers wary during the processing of online payments, possibly causing cart abandonment rates to soar.