Understanding 3D Secure in Japan and its impact on merchants

Payment fraud causes significant inconvenience for customers, distress, personal difficulties, and financial loss. Merchants can also suffer reputational damage, a negative financial impact, and a range of other problems.

Unfortunately, transaction fraud continues to rise. 

To address this, the Ministry of Economy, Trade, and Industry (METI) and the Japan Consumer Credit Association (JCA) have introduced updated Credit Card Security Guidelines requiring 3D Secure (3DS) authentication for all online payments from April 1, 2025. On March 4, 2025, these guidelines were updated to version 6.0, reinforcing security requirements for online transactions.

What merchants need to know about the 3DS mandate in Japan?

When: Japan will enforce 3DS authentication from April 1, 2025.

What: 3DS stands for “three domain secure”, providing additional protection against online payment fraud. EMV 3-D Secure, a security protocol on card-not-present payments developed by EMVCo (a body of major global credit card brands), states that authentication can take place using a “frictionless” flow (based on real-time risk assessment) or with a “customer challenge” such as requesting a password, one-time code, or biometric authentication before completing a transaction. 

Why: 3DS intends to protect merchants and consumers from fraud-related loss and disruptions.

Rising credit card fraud in Japan 

According to the Japan Consumer Credit Association (JCA), credit card fraud losses reached a record-breaking ¥54.09 billion in 2023, up from ¥43.67 billion in 2022. The continued rise in the cost of fraudulent activity, driven by increasingly sophisticated fraud techniques, brings the need for stronger authentication measures into focus. 

Stolen card details are the primary source of credit card fraud in Japan. The chart below highlights the sharp rise in total fraud losses and the dominance of stolen card fraud, reinforcing the urgency behind the government’s decision to mandate 3DS authentication.

The 2025 mandate continues ongoing work, such as the 2022 update of the Credit Card Security Guidelines, which explained that issuers in Japan should introduce EMV 3-D Secure for e-commerce card payments. These guidelines have been updated several times since then and support the Installment Sales Act (which took effect in June 2018 and will be modified in April 2025).

The reforms in Japan reflect payment regulation under the Payment Services Directive (PSD2) in Europe. While European regulations focus on consumer protection, Japan’s approach emphasizes strengthening trust in the payments ecosystem. By mandating 3DS, regulators encourage merchants, issuers, and cardholders to take a proactive role in fraud prevention.

What does this mean for merchants?

From April 2025, all online card payments in Japan must go through 3DS. Transactions without authentication may be declined, and merchants will be fully liable for fraud-related chargebacks. 

As a merchant, it’s recommended that you encourage Japanese cardholders to sign up for 3DS authentication with their card issuer if they haven't already. 

It should be noted that the 3DS protocol is not the only form of transaction security you are obliged to undertake. Merchants must do everything they can to strengthen fraud prevention before, during, and after payment. Payment systems must also meet PCI DSS requirements. That’s why it’s important to choose a fully licensed payment services provider with regional expertise, such as Checkout.com.

Balancing security and conversions

In truth, 3DS could disrupt the checkout experience and impact conversions. In this case, you need to consider the trade-off between the business risks of fraudulent payments versus the potential inconvenience to customers. 

To overcome this, you can implement “frictionless” authentication for some customer transactions by configuring a real-time risk assessment within your payment flow. Here’s how it works. Firstly, you should assess the transaction risk using attribute and behaviour analysis based on access history, purchase history, and other available data. A payment services provider such as Checkout.com can include data points such as device ID and IP address in the risk assessment calculation, which helps to produce a more accurate outcome. 

Depending on the outcome of this initial assessment, you can route the payment to the rest of the authorization flow (the “frictionless” authentication) or request additional authentication input from the cardholder (such as entering a one-time passcode or verifying the purchase through their banking app). You may wish to raise the transaction risk threshold for high-value purchases, new customers, or customers with a mismatched card issuer location and IP address (to name a few examples).

Using the above approach, you can minimize disruption to the customer experience and ensure low-risk transactions are sent for authorization automatically (without customer input). 

The advantages of implementing 3DS

Mandatory 3DS authentication has several long-term advantages. First, 3DS helps prevent unauthorized transactions and fraud-related chargebacks by verifying cardholders before processing payments. This added layer of security significantly reduces the risk of fraud. 

One significant benefit is liability shift. If a transaction is authenticated successfully, liability for fraud-related chargebacks shifts from the merchant to the card issuer. This shift reduces financial risk and helps protect against potential losses from fraudulent transactions. Chargebacks cost more than lost revenue; they lead to scheme fees, operational delays, and reputational risk. Excessive fraud rates could lead to stricter scrutiny from acquirers and schemes, even risking suspension of your ability to accept payments.

Additionally, adopting 3DS signals to customers and issuers a commitment to secure payments. Cardholders often perceive that even if fraud occurs, they’re not liable, as the issuer often reimburses the transaction. However, fraud causes much more than financial loss; it leads to the hassle of replacing cards, updating payment details, and managing disruptions to recurring payments. 

By using 3DS, merchants protect themselves and their customers, minimizing disruptions and ensuring a low-stress payment experience.

What happens if merchants don't comply?

Currently, there are no explicit legal penalties for failing to implement 3DS. However, the consequences can be significant. Without 3DS, transactions are more vulnerable to fraud, for which you are liable. Moreover, issuers will decline payments that are deemed too risky.

Japan’s regulators have also introduced a fraud monitoring threshold. If a merchant’s fraud losses exceed ¥500,000 (around $3300) per month for three consecutive months, they must take additional measures, such as enforcing 3DS on all transactions. Keeping fraud rates below this threshold is crucial for merchants wanting to maintain authentication flexibility.

Here’s how to prepare your payment systems for better security with 3DS:

1. Ensure your payment provider supports 3DS and offers a strong authentication solution 
2. Encourage your customers to sign up for 3DS authentication with their issuer.
3. Configure your authentication flows according to your business’s risk appetite. Consider using the frictionless authentication option, which requests automatic cardholder authentication from the issuer based on transaction risk analysis.45

Remember that in Europe, although 3DS under Strong Customer Authentication (SCA) initially raised concerns about conversion rates, many merchants saw fraud decrease, trust grow, and acceptance rates improve.

Checkout.com provides a reliable 3D Secure Authentication solution designed to meet regulatory requirements while ensuring high acceptance rates. It’s easy to integrate, reducing fraud risk and enhancing the payment experience.

Our dedicated regional team in Japan will help you to update your payment logic, monitor your fraud risk, and recommend adjustments to your authentication protocols as needed.

Discover how Checkout.com helped Sunday fine-tune its payment flows, reduce disruptions, and boost acceptance rates with a renewed authentication strategy.