Changes in components
Because 3-D Secure 2.0 has to support new authentication flows, it extends the 3-D Secure ecosystem with new components and new terms. All components in the Acquirer (Merchant) domain are now referred to by the collective term “3DS Requestor Environment”.
3DS Server – the system that handles online transactions and facilitates communication between the 3DS Requestor and the DS. The term replaces Merchant Server Plug-in (MPI).
3DS Client – the consumer-facing component that allows the cardholder to interact with the 3DS Requestor, for example an online-shopping web application or an online-shopping mobile application. It can be implemented for in-app purchases (3DS SDK) and for browser-based purchases (3DS Method). Both can be integrated with the 3DS Requestor for a smooth online shopping experience.
3DS Requestor – the initiator of the 3-D Secure 2.0 authentication request (AReq). For example, this may be a merchant or a digital wallet requesting authentication within a purchase flow.
Changes in flows
The biggest difference from 3DS 1.0 is the Frictionless flow, which allows the issuer to approve a transaction without cardholder interaction, based on risk-based authentication performed in the ACS.
The Challenge flow changes the way the Issuer communicates with the Merchant. In 3DS 2.0 the result of the challenge is communicated through the DS. The Merchant is therefore informed about the authentication result via a separate channel, which is more secure.
Non-payment Authentication – 3-D Secure 2.0 also introduces a special non-payment customer authentication, which can be used for cardholder Identification & Verification (ID&V) for mobile wallets and for the secure request of tokens for card on file. This flow is similar to the 3-D Secure 2.0 authentication flow during a purchase in a web shop, but it does not include payment-specific steps such as payment initiation and confirmation.
Changes in messages
Compared with 3DS 1.0, version 2.0 introduces new messages and changes the names of the messages that are exchanged between the components. A new message type is the Result message (RReq and RRes), which is exchanged between the Issuer (ACS) and the Merchant (3DS Server) to communicate the result after cardholder verification.
New data fields were added to messages to support new functionalities. Also, 3-D Secure 2.0 defines messages with JSON, compared to XML in version 1.0.
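As an added illustration (not code from the original page or from any 3DS Server product), the sketch below shows how a 3DS Server might check an RReq arriving from the DS before answering with an RRes. Field names follow the EMV 3-D Secure JSON messages; the in-memory `PENDING` store, the `handle_rreq` function and all sample IDs are constructed assumptions.

```python
import json

# Constructed sample: challenges this 3DS Server started, keyed by
# threeDSServerTransID (hypothetical in-memory store, values from the ARes).
PENDING = {
    "8a880dc0-d2d2-4067-bcb1-b08d1690b26e": {
        "acsTransID": "d7c1ee99-9478-44a6-b1f2-391e29c6b340",
        "dsTransID": "f25084f0-5b16-4c0a-ae5d-b24808a95e4b",
        "messageVersion": "2.1.0",
    }
}
REQUIRED = ("messageType", "messageVersion", "threeDSServerTransID",
            "acsTransID", "dsTransID", "transStatus")


def handle_rreq(raw, pending):
    """Validate an RReq from the DS; return (RRes dict, transStatus)."""
    msg = json.loads(raw)
    if not isinstance(msg, dict):
        raise ValueError("RReq must be a JSON object")
    bad = [f for f in REQUIRED if not isinstance(msg.get(f), str)]
    if bad:
        raise ValueError(f"missing or non-string fields: {bad}")
    if msg["messageType"] != "RReq":
        raise ValueError("unexpected messageType")
    # Accept results only for a challenge this server actually started.
    txn = pending.get(msg["threeDSServerTransID"])
    if txn is None:
        raise ValueError("unknown or already completed transaction")
    # Every ID and the version must match what was agreed in the ARes.
    for field in ("acsTransID", "dsTransID", "messageVersion"):
        if msg[field] != txn[field]:
            raise ValueError(f"{field} does not match this transaction")
    # Single use: remove only after all checks pass, so a forged RReq
    # cannot cancel a live transaction and a replayed one is rejected.
    del pending[msg["threeDSServerTransID"]]
    rres = {
        "messageType": "RRes",
        "messageVersion": txn["messageVersion"],
        "threeDSServerTransID": msg["threeDSServerTransID"],
        "acsTransID": txn["acsTransID"],
        "dsTransID": txn["dsTransID"],
        "resultsStatus": "01",  # results received for further processing
    }
    return rres, msg["transStatus"]
```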