3D Secure has been up and running since 2001, when VISA came up with an interoperable protocol to authenticate Card-Not-Present (CNP) online payments. After more than a decade, EMVCo has taken ownership of the 3D Secure protocol from VISA and designed the second generation of 3D Secure, EMV 3DS, better known as 3D Secure v2. Since adoption of EMV 3DS1 is taking longer than expected, the end of support for 3D Secure v1 was recently prolonged from December 2020 to October 2022 - a two-year-long 3D Secure transition period.
This will cause two additional years of possible headaches for issuing banks, since the two protocols coexist independently and demand separate infrastructures. Most of the Access Control Server (ACS) software providers have built a new ACS compatible with 3DS2, so issuing banks are mostly turning to ACSs for the next two years. However, the 3D Secure transition should not worry you.
During the 3D Secure transition, running two ACSs is not the most critical point, even though it creates additional operational costs for issuers. One card should be enrolled (according to MC/VISA suggestions) on both 3DS platforms. This is necessary to support authentication on the merchant side in cases where the merchant has not upgraded to 3DS2. Statistics show that most non-EU merchants did not upgrade to 3DS2.
3DS2 offers a much broader set of functionalities and authentication methods (e.g., push notification, Risk-Based Authentication, frictionless authentication, Merchant Whitelist, etc.). This is the result of aiming to provide cardholders with the best possible user experience. None of the mentioned features are part of 3DS v1. That means that buyers might encounter a very different user experience when purchasing from different merchants: those that upgraded to 3DS2 and those that did not.
3D Secure solutions that have a modular architecture (ACS core, Authentication Service, Risk Scoring Service built as separate but interoperable modules) enable integration of those modules with a 3DS1 platform as well, i.e., an ACS that runs 3D Secure v1. This architecture brings two significant enhancements for buyers:
Adoption of 3DS1 was not well received by cardholders because of its poor user experience. In the following two years of the transition period, cardholders will be able to process more frictionless transactions, and thus transaction abandonment rates will be reduced.
The most notable user experience benefit of 3D Secure v2 is Risk-Based Authentication and the frictionless flow. Transaction risk assessment is based on the cardholder's transaction history and a previously created behavioral profile. In case of any deviations that do not align with the cardholder profile, the issuer will require Strong Customer Authentication.
Separating 3DS1 and 3DS2 transactions while a significant number of transactions still run through 3DS1 means that the customer profile in 3DS2 is not complete, because the behavioral data has yet to be gathered. To overcome this issue, issuers can deploy a single risk scoring service for both ACS1 and ACS2. It enables them to complete the buyer's profile and make a more precise risk assessment.
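The following sketch is an added illustration, not code from the original article or from any ACS product. It shows why a scorer fed only by ACS2 challenges a routine purchase while a single scorer behind both ACSs lets it through. `RiskScoringService`, the `MIN_HISTORY` threshold, the three-sigma amount rule and the sample transactions are all assumptions constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

MIN_HISTORY = 5  # assumed threshold: fewer transactions than this is too thin a profile


class RiskScoringService:
    """Hypothetical protocol-agnostic scorer: one behavioral profile per card."""

    def __init__(self):
        self.history = defaultdict(list)  # card id -> [(amount, country, protocol)]

    def record(self, card, amount, country, protocol):
        # The protocol is kept for audit only; it plays no part in the assessment.
        self.history[card].append((amount, country, protocol))

    def assess(self, card, amount, country):
        past = self.history[card]
        if len(past) < MIN_HISTORY:
            return "challenge", "insufficient history"
        if country not in {c for _, c, _ in past}:
            return "challenge", "new country"
        amounts = [a for a, _, _ in past]
        if amount > mean(amounts) + 3 * max(pstdev(amounts), 1.0):
            return "challenge", "unusual amount"
        return "frictionless", "matches profile"


# Constructed sample history for one card: (amount, country, protocol).
SAMPLE = [(42.0, "DE", "3DS1"), (38.5, "DE", "3DS1"), (55.0, "DE", "3DS1"),
          (47.2, "FR", "3DS1"), (40.0, "DE", "3DS1"), (51.3, "DE", "3DS1"),
          (44.9, "DE", "3DS2"), (49.0, "DE", "3DS2")]


def build(protocols):
    """Return a scorer that has only seen transactions from the given protocols."""
    svc = RiskScoringService()
    for amount, country, protocol in SAMPLE:
        if protocol in protocols:
            svc.record("card-1", amount, country, protocol)
    return svc


def demo():
    siloed = build({"3DS2"})          # scorer attached to ACS2 only
    shared = build({"3DS1", "3DS2"})  # single scorer behind ACS1 and ACS2
    return {
        "siloed_typical": siloed.assess("card-1", 46.0, "DE"),
        "shared_typical": shared.assess("card-1", 46.0, "DE"),
        "shared_deviation": shared.assess("card-1", 900.0, "DE"),
    }


if __name__ == "__main__":
    print(demo())
```

With the shared profile the routine purchase is frictionless, while a purchase that deviates from the profile still triggers Strong Customer Authentication.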
Having two coexisting 3D Secure protocols is not an easy task to handle on the issuer side. However, there are solutions that help overcome the 3D Secure transition. The solution for the technical issues is a modular architecture. It allows issuers to adapt to any protocol for the successful processing of a given transaction, regardless of the implemented protocol, 3DS1 or 3DS2. The most notable challenge is to ensure a smooth and uniform user experience in both cases. This makes cardholders confident in the security of their online purchases. Different checkout experiences make buyers wary during the processing of online payments, possibly causing cart abandonment rates to soar.