October 15, 2024
The Japan Credit Association (JCA) has announced a major update to its Credit Card Security Guidelines. Starting in March 2025, the use of EMV 3-D Secure (3DS) will be mandatory for all credit card transactions across Japan. This requirement is part of a larger effort by the Japanese Ministry of Economy, Trade, and Industry (METI) to tackle the rising tide of credit card fraud, particularly in the context of online transactions.
In the early years of digital payments, fraudsters primarily focused on counterfeit cards. From 1997 to 2003, the industry saw a significant increase in losses from this type of fraud, as criminals replicated physical cards to make unauthorized transactions. However, with the introduction of advanced security measures like chip-and-PIN technology, counterfeit card fraud began to decline rapidly. By 2023, counterfeit card fraud had almost disappeared, reduced to near-zero levels.
Unfortunately, as security measures improved for physical transactions, fraudsters shifted their focus to Card-Not-Present (CNP) fraud, which involves the misuse of stolen card information for online purchases. Since 2014, CNP fraud has been on the rise, reaching the same loss levels as in 2003, and it continues to increase yearly. In 2023, CNP fraud losses totaled 541 billion yen, marking a 23.9% year-on-year increase. This alarming trend highlights the growing need for enhanced security solutions, like 3-D Secure, to protect consumers and businesses from online payment fraud.
Japan's Credit Card Fraud 1997-2023 (data retrieved from METI)
3-D Secure, or 3DS, is a global-standard security protocol developed by EMVCo to add a layer of protection for online transactions. It verifies the cardholder's identity before the transaction is authorized, reducing the risk of fraud. "3-D" refers to the three domains involved in the process: acquirer, issuer, and card scheme. By authenticating the cardholder during the transaction, 3DS makes it harder for fraudsters to take advantage of stolen credit card information.
3DS is widely adopted by major card schemes like Visa, Mastercard, American Express, JCB, and CUP and has proven effective in reducing CNP fraud. Japan's decision to mandate 3DS aligns with global efforts to enhance online payment security, as seen in regions like Europe, where it is mandatory under PSD2/SCA regulation.
METI has outlined a roadmap to ensure full compliance with 3DS:
Although no specific penalties have been detailed for non-compliance, METI may conduct investigations, and acquirers could suspend transactions or terminate merchant agreements.
For early adopters, 3DS offers several key advantages:
Reduced Fraud: By verifying the cardholder's identity, 3DS significantly reduces unauthorized transactions.
Liability Shift: With 3DS in place, the liability for fraudulent transactions often shifts from the merchant to the card issuer.
Increased Customer Confidence: Consumers feel more secure making purchases on platforms that utilize 3DS, which can lead to improved trust and potentially higher conversion rates.
Smoother Checkout: Versions from 3DS2 onward offer "frictionless flow," allowing low-risk transactions to proceed without extra steps, providing a smoother customer experience.
Early adoption of 3DS enhances security and demonstrates a solid commitment to customer safety. This fosters greater customer trust, satisfaction, and retention, which can drive long-term growth and improve conversion rates.
Implementing 3DS requires careful planning, and e-commerce platforms should begin preparations before the deadline of April 1, 2025. Integration timelines can vary depending on the setup:
SaaS solutions: Typically take around 3 months.
On-premises setups: Can take up to 6 months.
Starting early ensures a seamless transition and helps avoid disruptions. To ensure full compliance, it's also crucial to become familiar with the technical guidelines provided by EMVCo, card schemes, and regulatory bodies.
For merchants frequently exposed to high levels of fraud (e.g., a monthly chargeback amount of over 500,000 JPY for three consecutive months), the Credit Card Security Guidelines V5.0 require additional security measures beyond 3DS. Options include:
Requiring cardholders to provide a security code (CVC, CVV, etc.).
Verifying the billing address matches the cardholder's address.
Using a fraud detection system like HiTRUST's Veri-id.
These measures are mandatory for "fraud-exposed" merchants, and all others must at least commit to implementing 3DS by April 2025.
Introducing 3DS and SCA reduced regional fraud by 40-60%. Initially, there were concerns about friction during checkout, which caused higher cart abandonment rates. However, many issues were resolved with the introduction of 3DS2. It provides a smoother user experience, allowing low-risk transactions to proceed without additional authentication.
Looking ahead, FIDO (Fast Identity Online)/Passkeys are expected to enhance security and convenience as an alternative authentication method to SMS and email OTPs. By offering passwordless authentication, FIDO provides a faster and more secure experience, and integrating it with 3DS can further streamline the authentication process.
Japan's decision to mandate the use of 3DS by 2025 represents a significant step toward reducing online payment fraud. Businesses should start early to ensure compliance and enjoy the benefits of reduced fraud, increased consumer confidence, and liability protection. With the successful implementation of 3DS in Europe through PSD2/SCA, Japan is well-positioned to mitigate CNP fraud and offer a safer, more seamless online shopping experience.