As the market for e-commerce sites expands and online shopping becomes more common, the number of cases of credit card fraud continues to increase. To combat this, the Ministry of Economy, Trade and Industry (METI) has announced it will make 3D Secure 2.0 (also called “EMV 3-D Secure”) mandatory by the end of March 2025. This means all e-commerce companies must take immediate action to introduce the new system.
3D Secure 2.0 has several improvements over the previous 3D Secure 1.0, including updates to the authentication method and features. However, it is likely that simply introducing 3D Secure 2.0 will not completely prevent fraud. This is why companies need to implement other security measures to ensure their customers can use e-commerce sites with peace of mind.
In this article, we explain the current credit card fraud situation in Japan, the reasons why 3D Secure alone is not enough to deal with fraud, and other fraud prevention measures besides 3D Secure.
What’s in this article?
- Damages caused by unauthorised use of credit cards in Japan
- Why 3D Secure 2.0 alone cannot completely prevent unauthorised use
- How do e-commerce companies bear the cost of fraudulent credit card use?
- Anti-fraud measures in addition to 3D Secure
- Understanding the current fraud situation and its causes
Damages caused by unauthorised use of credit cards in Japan
According to the Japan Consumer Credit Association (JCA), the amount of damage caused by credit card fraud from January to December 2023 was as high as ¥54.1 billion. This is the highest figure on record, far exceeding the 2022 figure of ¥43.6 billion. The damage caused by credit card fraud increases every year. In addition, the methods used to commit fraud are becoming more complex and sophisticated, and fraud is difficult to prevent completely, which makes this a key issue.
References:
“Status of credit card fraud (September, 2024)”
“Situation of credit card fraud (December 2023)”
After revising the security guidelines several times, METI decided that 3D Secure 2.0 would be mandatory for all e-commerce companies as a basic measure to prevent unauthorised use. It is hoped that this obligation will improve the 3D Secure penetration rate in Japan.
Why 3D Secure 2.0 alone cannot completely prevent unauthorised use
When making credit card payments over the internet, the 3D Secure authentication process is effective to a certain extent as a fraud prevention measure. In addition, credit card companies and payment service providers (PSPs) are steadily introducing 3D Secure 2.0, partly due to their increased efforts to encourage e-commerce companies to adopt it. However, it is not possible to reliably detect all fraud methods using 3D Secure 2.0 alone.
The reasons why 3D Secure 2.0 alone is not enough to prevent fraud include:
Risk-based authentication and evolving fraud methods
First of all, it is important to understand that the introduction of 3D Secure 2.0 alone is not sufficient as a response to fraud. Many credit card companies and PSPs expect the 3D Secure 2.0 authentication system to replace 3D Secure 1.0 and prevent more fraudulent use. However, the methods used by criminal groups that deliberately set out to commit fraud evolve constantly, so there is a possibility that these groups will eventually find a way to bypass the authentication.
Stolen mobile phones and broken authentication
At first glance, 3D Secure 2.0 might seem like a sufficient authentication system. With 3D Secure 2.0, the system provides a temporary password code for authentication. The code is sent to your mobile phone or email address and replaces the unique password that had to be registered beforehand with 3D Secure 1.0. This means customers no longer need to remember passwords. Because the system uses different passwords and codes each time, the authentication method is more convenient and secure.
However, there are risks associated with the change from 3D Secure 1.0 – which was a “knowledge”-based authentication using memorised passwords – to the current 3D Secure 2.0 – which is a “possession”-based authentication using passwords sent by SMS or email. For example, if someone steals your mobile phone and breaks the lock, they can easily read your one-time password. They will also be able to freely execute credit card payments from any apps you are already logged into.
To reduce the risk of this happening, it’s important to be mindful of your belongings when away from home. Also, try to avoid purchasing items from e-commerce sites in public places where large numbers of people gather. There is an increased risk of incidents, such as having your payment information screen or credit card stolen.
How do e-commerce companies bear the cost of fraudulent credit card use?
One of the most serious concerns for e-commerce site proprietors is chargebacks due to fraudulent use. A chargeback happens when the credit card company cancels the payment and refunds the money to the cardholder if they did not authorise the payment. For example, if there is a transaction on the statement the cardholder does not recognise, they can file a chargeback. If the product does not arrive or arrives damaged, they can also file a complaint.
Chargebacks are an important way of protecting cardholders by providing a means of resolving problems caused by fraudulent activity. However, if a chargeback occurs, the seller of the product (i.e., the e-commerce company), must refund the transaction amount to the credit card company. In some cases, the seller might also have to pay a fee for the chargeback. Furthermore, since shipped goods are not returnable, chargebacks can also result in significant damage to e-commerce companies.
The biggest cause of chargebacks is the continuing rise in credit card fraud. As explained previously, 3D Secure 2.0 is not a cure-all and cannot be a standalone measure to completely prevent fraud. To minimise the occurrence of chargebacks, in addition to the introduction of 3D Secure 2.0, it is necessary to take various measures to prevent unauthorised use by third parties, such as “spoofing.”
Anti-fraud measures in addition to 3D Secure
Security codes
Security codes can prevent unauthorised use of credit cards by third parties, and they play the same role as chargebacks in protecting cardholders. When you choose to pay by credit card when purchasing an item on an e-commerce site, you will often need to enter your security code. By doing so, you can prove that you – the person possessing the credit card – are making the payment. If you enter an incorrect security code, the site will not process the payment or complete the transaction.
Security codes are a measure against skimming – a method of fraudulently obtaining credit card numbers, expiration dates, etc. Unlike the card number and expiration date, the security code is not in the magnetic data on the card itself. Even if someone steals the name, card number, and expiration date, unauthorised use is impossible unless they know the security code.
However, entering the security code is not required by law, so there are many e-commerce sites that allow you to complete payment without entering it. The security code might prevent unauthorised use through skimming, but if someone steals the credit card itself and a third party learns the security code, it does not work as a fraud prevention measure. For this reason, it is important that customers take great care when handling and managing credit cards and that e-commerce site proprietors also implement security measures to protect customers.
Fraud detection system
To create an e-commerce site that customers can use with confidence, it is a good idea to use 3D Secure in conjunction with an anti-fraud detection system. With an anti-fraud detection system, you can more effectively prevent damage to your own e-commerce site by detecting and automatically blocking fraudulent transactions that cannot be verified using 3D Secure. In addition, legitimate cardholders can make payments without having to go through any extra procedures, such as providing additional authentication. This also helps to reduce the risk of basket abandonment caused by 3D Secure.
To prevent malicious users from abusing your site, it is important to strengthen its security so you can deal with any fraudulent attempts and have an environment where customers can shop with confidence.
Note that the unique anti-fraud tool provided by Stripe, Stripe Radar, is capable of taking more advanced measures to prevent fraud through machine learning that can adapt to the ever-changing patterns of fraud. Get up and running in no time, since you can incorporate Radar into the payment flow without having to spend time or money on developing an in-house fraud detection system.
Understanding the current fraud situation and its causes
With 3D Secure 2.0 now mandatory and e-commerce companies steadily introducing it, there is growing anticipation that the risk of fraudulent use and chargebacks will continue to decline. However, 3D Secure is not perfect and cannot prevent all fraudulent use. Therefore, it is necessary to take measures to prevent fraud that do not rely solely on 3D Secure.
To deal with the sophisticated methods used by malicious fraud groups, you can start by checking whether fraud is actually occurring. When you confirm fraud, it’s important to understand which order details and customer segments are frequently involved in fraud, thoroughly investigate the causes, and then take measures to prevent fraud.
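The review described above can start from order history. The following is an added example, not Stripe's code or part of the original article: it computes the fraud-chargeback rate per order segment against the site-wide rate, and the share of fraud that had already passed 3D Secure. The field names, thresholds and order data are constructed assumptions.

```python
from collections import defaultdict

def build_constructed_orders():
    """Expand a constructed summary into per-order records (not real data)."""
    spec = [  # (category, new_customer, three_ds_authenticated, orders, fraud chargebacks)
        ("electronics", True, True, 40, 6),
        ("electronics", False, True, 60, 1),
        ("gift_cards", True, True, 20, 5),
        ("gift_cards", True, False, 10, 4),
        ("apparel", True, True, 80, 1),
        ("apparel", False, True, 90, 0),
        ("furniture", True, True, 3, 1),  # too few orders to judge
    ]
    return [
        {"category": cat, "new_customer": new, "three_ds_authenticated": tds,
         "fraud_chargeback": i < bad}
        for cat, new, tds, n, bad in spec for i in range(n)
    ]

def fraud_by_segment(orders, keys, min_orders=20, lift_threshold=2.0):
    """Fraud-chargeback rate per segment, compared with the site-wide rate."""
    totals = defaultdict(lambda: [0, 0])  # segment -> [orders, fraud chargebacks]
    for o in orders:
        seg = tuple(o[k] for k in keys)
        totals[seg][0] += 1
        totals[seg][1] += int(o["fraud_chargeback"])
    baseline = sum(bad for _, bad in totals.values()) / len(orders) if orders else 0.0
    report = []
    for seg, (n, bad) in totals.items():
        if n < min_orders:  # skip segments too small for a meaningful rate
            continue
        rate = bad / n
        lift = rate / baseline if baseline else 0.0
        report.append({"segment": seg, "orders": n, "fraud": bad, "rate": rate,
                       "lift": lift, "flagged": lift >= lift_threshold})
    return sorted(report, key=lambda r: r["lift"], reverse=True)

def authenticated_fraud_share(orders):
    """Share of fraud chargebacks on orders that had passed 3D Secure."""
    fraud = [o for o in orders if o["fraud_chargeback"]]
    passed = sum(1 for o in fraud if o["three_ds_authenticated"])
    return passed / len(fraud) if fraud else 0.0

if __name__ == "__main__":
    orders = build_constructed_orders()
    for row in fraud_by_segment(orders, ("category", "new_customer")):
        print(row["segment"], row["orders"], f"{row['rate']:.1%}",
              f"lift={row['lift']:.1f}", "FLAG" if row["flagged"] else "")
    print(f"fraud on 3DS-authenticated orders: {authenticated_fraud_share(orders):.0%}")
```

In the constructed data, most fraud chargebacks occur on orders that had already passed 3D Secure, which is why the segment view matters alongside authentication.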
With the mandatory implementation of 3D Secure, Stripe is currently working on a phased approach in line with the implementation deadline. In addition to the Radar system mentioned earlier, we are using thorough security measures for personal information and transaction data, such as preventing unauthorised access through data encryption (Secure Sockets Layer/Transport Layer Security [SSL/TLS] technology).
In addition, Stripe has a wide range of tools and functions available to help streamline payment operations, including the introduction of payment methods, information processing, and revenue management. For example, if you are currently considering setting up an e-commerce site, you can set up a payment environment that suits your business style without developing your own system by introducing Stripe Payments, which can flexibly respond to online payment needs.