The cost of credit card fraud in Japan is increasing every year. There is particular concern about the security risks associated with using credit cards for payments not made face-to-face, such as shopping on e-commerce sites.
In response to reports of a sharp rise in credit card fraud, the Japanese government has announced it will require all businesses to implement 3D Secure 2.0 (also known as “EMV 3-D Secure”) by the end of March 2025.
This article discusses the implications for businesses and what they need to do in response to the mandatory implementation of 3D Secure 2.0, as well as what they need to consider when implementing it.
What’s in this article?
- What is 3D Secure?
- Differences between 3D Secure 1.0 and 3D Secure 2.0 (EMV 3-D Secure)
- Why is 3D Secure 2.0 mandatory?
- Why should businesses implement 3D Secure 2.0?
- Advantages of 3D Secure 2.0 for e-commerce businesses
- Considerations when implementing 3D Secure 2.0
- Frequently asked questions about the mandatory adoption of 3D Secure 2.0
- Understanding 3D Secure 2.0 to comply with the new regulations
What is 3D Secure?
3D Secure is a personal authentication system designed to prevent the unauthorised use of credit cards when making payments on e-commerce sites. 3D Secure authentication plays an important role in preventing credit card fraud, which is increasing every year.
The 3D Secure authentication screen is typically displayed automatically when a customer makes a credit card payment on an online shopping site. By completing this authentication, the credit card holder can confirm the payment is a legitimate transaction, and the payment will be processed.
Differences between 3D Secure 1.0 and 3D Secure 2.0 (EMV 3-D Secure)
See the table below for the differences between 3D Secure 1.0, which ended in October 2022, and 3D Secure 2.0.
3D Secure 1.0 and 3D Secure 2.0 differ in their features and authentication methods, particularly in how they reduce shopping basket abandonment.
Why is 3D Secure 2.0 mandatory?
The government made 3D Secure 2.0 mandatory in Japan because of unauthorised credit card use on e-commerce sites. According to “Incidents of Credit Card Fraud” released by the Japan Consumer Credit Association in March 2024, the amount of fraud from January to December 2023 was ¥54.1 billion, the highest amount ever recorded. With the increasing complexity and sophistication of fraud methods, it is extremely difficult to completely prevent this fraud.
Because of the increasing damage caused by fraudulent credit card use, the Ministry of Economy, Trade, and Industry (METI) has announced that the implementation of 3D Secure 2.0 will be mandatory for all e-commerce businesses. Owners of businesses that process credit card payments will be required to implement 3D Secure by the end of March 2025.
For more information, please refer to the Japan Consumer Credit Association’s Credit Card Security Guidelines.
Why should businesses implement 3D Secure 2.0?
The mandatory implementation of 3D Secure 2.0 is not just an issue for e-commerce businesses. It’s also important for credit card companies to support e-commerce businesses' adoption of the system by the end of March 2025. In particular, urgent implementation of this system is advised for e-commerce sites that have already experienced large-scale fraud.
E-commerce proprietors
Beginning implementation work as soon as possible ensures businesses meet the deadline set by METI.
If unauthorised use is already common, immediate implementation of 3D Secure 2.0 can help address the issue.
Credit card issuers
Cardholder enrolment in 3D Secure 2.0 can help achieve the goal of having 80% of members using e-commerce sites enrolled by the end of March 2025.
The goal is to have all 3D Secure 2.0 enrollees using authentication methods other than fixed passwords (such as one-time passwords or app authentication) by the end of March 2025.
Acquirers/Payment service providers (PSP)
Encouraging e-commerce businesses that have experienced a significant number of fraudulent transactions to adopt 3D Secure 2.0 as soon as possible can help reduce risks.
When entering into a new agreement with an e-commerce site owner, clearly explaining the requirement to implement 3D Secure 2.0 by the end of March 2025 can help ensure they understand the requirements before entering into the agreement.
Advantages of 3D Secure 2.0 for e-commerce businesses
More effective anti-fraud measures
With 3D Secure 2.0, the authentication process is smoother than before. For example, while previously it was only possible to authenticate using a predefined password, 3D Secure 2.0 allows authentication using biometric authentication as well as one-time passwords sent via short message service (SMS) or an app. This means that even if card information is compromised, the risk of unauthorised use should be greatly reduced.
Less risk of chargebacks
The most common cause of chargebacks is unauthorised credit card use. When a chargeback occurs, the e-commerce business is unable to recover the goods already shipped and is also unable to recover the sales, resulting in reduced profits.
Improved technical and security features of 3D Secure 2.0 are intended to reduce the incidence of chargebacks. If 3D Secure 2.0 makes it more difficult for fraudulent use to occur, it will also help prevent chargebacks.
Reduced shopping cart abandonment
With 3D Secure 2.0, a risk assessment is performed for each payment and an additional authentication process is performed if the risk is deemed high. This reduces the number of times users are asked for their password when making a payment, thereby reducing cart abandonment rates.
Considerations when implementing 3D Secure 2.0
Unauthorised use: The first thing to remember is that the introduction of 3D Secure 2.0 doesn’t mean all fraudulent use can be detected. Although 3D Secure 2.0 has improved mechanisms over 3D Secure 1.0, it doesn’t completely prevent instances where a malicious third party successfully passes the identity authentication process, such as in the case of spoofing.
Potential fees: 3D Secure 2.0 can be subject to a fee in some cases. As a result, there is concern about the cost of implementing and using the system. While there are no up-front or monthly fees, there can be a fixed fee for each transaction.
Development time and costs: 3D Secure 2.0 requires a feature that links to external systems – such as applications – which can add time and cost to the development of the feature.
Frequently asked questions about the mandatory adoption of 3D Secure 2.0
Are there any penalties for violations?
At this time, there are no announced penalties for not implementing 3D Secure 2.0. However, it is possible that legal action might be taken against non-compliant businesses in the future.
As we explained in the earlier section, “Why should businesses implement 3D Secure 2.0?”, e-commerce businesses with inadequate security measures and a high incidence of fraud will be instructed by their credit card issuers and payment service providers to take immediate steps to improve their security, including implementing 3D Secure 2.0. If businesses fail to implement 3D Secure 2.0 despite being strongly encouraged to do so, their merchant agreements could be terminated.
Which transactions are not covered?
3D Secure is for credit card payments not made face-to-face. As such, it does not apply to face-to-face transactions where credit cards are used in physical stores.
Understanding 3D Secure 2.0 to comply with the new regulations
The use of 3D Secure 2.0 will be mandatory for all e-commerce businesses in Japan by the end of March 2025. If an e-commerce site operator fails to prevent fraudulent use, it could result in brand damage and risk loss of goods and sales due to chargebacks. A business’s agreement with the PSP could also be terminated for failure to implement such measures. Businesses should consider implementing the latest security measures, including 3D Secure 2.0, to ensure customers can continue to make credit card purchases without worrying about these risks.
Stripe is compliant with the international Payment Card Industry Data Security Standards (PCI DSS) and has implemented thorough security measures for personal and transaction data, including data encryption (e.g., secure sockets layer [SSL] and transport layer security [TLS] technology) to prevent unauthorised access.
In addition, Stripe provides features to improve the efficiency of payment-related back-office operations, including payment method deployment and configuration, information processing, and revenue management. For example, Stripe Payments can handle a wide range of payment needs for e-commerce sites on a single platform, allowing each business to create a payment environment that fits their business style without having to develop their own system.