
3DS mandate in Japan: What you need to know about changing regulations for 2025

New 3D Secure measures are required in Japan to protect consumers from fraud. What does this mean for your business, and how can you prepare?

June 2nd, 2024

Card schemes and regulatory agencies around the world are taking action to make payments safer and more secure for cardholders. Now, concrete steps are being taken in Japan, with a new mandate revising 3 Domain Secure (3DS) regulation under the country’s Credit Card Security Guidelines.

So what does this mean for businesses operating cross-border into or within Japan? Read on for a quick rundown of the key facts you need to know about changing regulations, what steps you need to take, and how your payments partner can help you navigate the change.

A quick recap: What's 3D Secure?

3D Secure, or 3DS, is an authentication protocol developed by EMVCo and supported by major card schemes. It’s a security measure for online payments, with the aim of protecting consumers from the evolving threat of payments fraud. The 3 domains (acquirer, scheme, and issuer) interact with each other using a 3DS protocol where they exchange information and authenticate the transaction.

3D Secure helps prevent payment fraud and is available for Card Not Present (CNP) transactions with all major card networks. In Europe, the Revised Payment Services Directive (PSD2) was introduced to govern electronic payments, making the 3D Secure security measure for online payments mandatory across the region. We’re now seeing similar actions being taken in Japan.


The new 3DS mandate in Japan

On March 15 2024, the Ministry of Economy, Trade, and Industry (METI) of Japan introduced its new payment security guidelines, known as Credit Card Security Guidelines 5.0. These revised guidelines introduce further recommendations to better combat credit card fraud in digital transactions and prevent fraudulent use of credit card information.

Affected businesses must comply with these guidelines by April 1 2025 – so if you haven’t yet made preparations, now's the time to start.

Who does this mandate affect?

The METI has highlighted that the revised guidelines should be implemented by related business operators, such as issuers, acquirers, merchants, and payment service providers involved in credit card transactions, in order to create a safe and secure credit card usage environment.

This means that all merchants in Japan are required to comply with the Credit Card Security Guidelines 5.0 to protect consumers from fraudulent card payments.

Required action: What you need to do to protect your online transactions and stay compliant

1. Implement 3D Secure

All ecommerce credit card transactions processed in Japan require 3DS by April 1 2025 – although it’s best to have this in place as soon as possible. The mandate covers both domestic and cross-border transactions for all card types.

This mandate applies even if you have other kinds of payment security measures in place. A few transaction types are out of scope for 3DS and may apply to your business; we’ll touch on these below.

We recommend early planning and gradual implementation tailored to your business needs. Become familiar with guidance from regulatory agencies and card schemes, and with the EMVCo specifications.

In addition, your payment service provider should provide further guidance to help ensure that while you are complying with regulations, you are also maintaining a good online payments experience for your shoppers.

2. Check if your business qualifies for additional countermeasures 

In addition to the countermeasure of 3DS, you may be required to implement at least one of four additional security measures, depending on your business’ threshold of fraudulent chargebacks. 

Merchants with a monthly total fraudulent chargeback amount of 500,000 JPY for three consecutive months – ‘Fraud-Exposed merchants’ – are required to implement and use 3D Secure and at least one additional measure. The Japan Consumer Credit Association advises choosing from the following additional measures:

  • Require the shopper to provide their card security code (CVC, CVV, CAV2, CID)

  • Verify if the billing address matches the address of the cardholder

  • Use a fraud detection system, such as RevenueProtect

Fraud-exposed merchants are required to implement 3D Secure and at least one of these additional measures, and all other merchants are required to commit to implementing 3D Secure, by April 1 2025.

Merchants processing 3DS via Adyen will continue to benefit from our authentication engine’s optimisation, powered by machine learning. These capabilities strive for the highest conversion rates whilst ensuring a frictionless checkout experience for your customers.


3. Check which transactions are out of scope for 3D Secure

3D Secure is not required for the following transactions:

  • Prepaid cards

  • Debit cards

  • Transactions initiated from devices that do not support 3D Secure, such as game consoles and smart speakers

  • MO/TO transactions

  • Recurring transactions after the initial transaction under the same shopper agreement with the same card, e.g., ‘Merchant Initiated Transactions’ (MIT). A change in the agreement or the use of a new card would require 3D Secure

  • Business to Business transactions in separate environments, e.g., corporate cards used on websites dedicated to B2B only

  • Transactions in separate environments for internal employees, e.g., websites dedicated to be accessed by the merchant’s own employees only

  • Google Pay and Apple Pay


In-store transactions

For in-store transactions, Adyen’s technology provides the appropriate guidance to the shopper whilst remaining compliant at all times. That means that if you’re with Adyen, you don’t need to take any action.

Adyen’s in-store solutions determine the applicable Cardholder Verification Method (CVM) limit automatically. All transactions above 15,000 JPY require a CVM. The type of CVM depends on the way the shopper presents their card. If the shopper presents their physical card, the terminal asks them to enter a PIN. If the shopper uses a device instead of a physical card, they will have to use face authentication or a password on the phone instead of typing a PIN on the terminal.

Some transactions always require a CVM, e.g., when the transaction involves one or more of the following product categories:

  • Gambling

  • Vouchers; prepaid cards; postage stamps

  • Ticketing

  • Jewelry; precious metals; watches

  • Home appliances, including smartphones; tablets; laptops

  • Gaming software

  • Cigarettes

  • Devices for electronic cigarettes

Bypass PIN

Following the regulation, Adyen’s functionality to bypass PIN entry will be disabled for in-store transactions in Japan from March 2025.

Signature

Obtaining a shopper’s signature will no longer be a valid CVM in Japan. If your business requires it, you can still optionally let the terminal prompt for a signature.

Next steps: Watch this space

In order to stay compliant and keep your business and your customers protected, it’s vital to stay on top of the latest payment regulations, or work with a payments provider that can help. 

We’re expecting further updates to be made under Japan’s Credit Card Security Guidelines 5.0 – for example, which transactions are out of scope for 3DS is still being finalized – so be sure to revisit this article in a couple of weeks to get the latest. In the meantime, it’s best not to postpone your preparations. Start getting ready now.


Frequently asked questions (FAQs)

What if I have other measures in place to protect consumers against fraud? Can I keep these instead of 3DS and/or the aforementioned additional measures? 

EMV-3DS is a basic requirement. Unless a transaction is deemed out of scope, merchants should implement it, even if they have other measures in place.

What falls under the category of transactions considered in scope?

All online ecommerce credit card transactions processed in the Japan market are in scope. This includes both domestic and cross-border transactions for all card types.

What penalties and potential business risk will merchants face if they do not implement full authentication by April 1 2025? 

The Ministry of Economy, Trade and Industry may directly investigate the merchant, and the acquirer may be required to take action against the merchant, such as suspension of transactions and termination of the merchant agreement.

What is the optimal approach for implementing 3DS by April 1 2025?

3D Secure 2.0 is an authentication service for secure online card payments recommended by VISA, Mastercard, JCB, and AMEX. We recommend early planning and gradual implementation tailored to your business needs.

One of the countermeasures requires merchants to have a fraud detection tool. Does it have to be Adyen, or can we use other fraud detection tools?

Merchants are allowed to use internal or external fraud detection tools, as long as they communicate this usage to the acquirer.

If the merchant is fully utilizing Adyen’s RevenueProtect, does it imply that the merchant is compliant by default?

Utilizing RevenueProtect does not inherently guarantee merchant compliance. Although RevenueProtect's comprehensive suite offers robust fraud protection and multiple checks, likely covering most countermeasures, it remains imperative for merchants to routinely assess their configurations to ensure alignment with requisite risk mitigation strategies. 

Alternatively, because merchants are only obligated to adopt one of the four available countermeasures, compliance remains achievable without using RevenueProtect’s complete suite. Nonetheless, merchants are consistently advised to maintain stringent fraud prevention measures to reduce fraudulent activity while minimizing the rejection of legitimate transactions.

What is the difference between Security Guidelines 5.0 and Japan Fraud Reporting?

Japan Fraud Reporting is the acquirer’s obligation to monitor merchants that become Fraud-Exposed Merchants (merchants with a monthly total fraudulent chargeback amount of 500,000 JPY for three consecutive months) and to have those merchants improve their security measures to reduce the fraudulent chargeback amount.

Security Guidelines 5.0 sets out the necessary measures that merchants should take to protect credit card numbers and to prevent the fraudulent use of credit cards.

What is the difference between Security Guidelines 5.0 and PSD2?

In Europe, PSD2 allows merchants to ‘request’ an exemption at a transaction level, where the issuer can choose to accept; or to request to force 3D Secure. However, this is not the case with the SCA mandate in Japan. In Japan, transaction-level exemptions are not possible. Instead, some transaction segments are considered out of scope, as mentioned before.

Curious to learn more?

If you have any questions about anything you’ve read in this article, or would like to explore how we can help you get set up with 3D Secure, we’d love to hear from you.
