
3D Secure is an authentication protocol that provides an additional layer of verification for card-not-present (CNP) transactions.
By April 2025, all merchants operating in Japan must comply with revised Credit Card Security Guidelines. The upcoming deadline requires implementation of specific security measures, including 3D Secure authentication, to create a more secure online payment environment for credit card users. For merchants, these revised guidelines present new opportunities for building customer trust and protecting revenue against chargebacks and other unauthorised transactions.
At payabl., our payment gateway solution comes equipped with a 3DS service. While most regulations apply to issuing banks and not to you as a merchant, you risk lower authorisation rates if an issuing bank evaluates a transaction as non-compliant and refuses it as a result. Today, we’re breaking down the specifics of the revisions in Japan, including exemptions, along with the benefits for your business.
What is 3D Secure?
Before addressing the revised guidelines and their implementation requirements, it’s important for your business to clearly understand 3D Secure (3DS) authentication.
3DS adds an extra layer of security to payment processing by asking customers to verify their identity with their card issuer. The process typically works by redirecting the customer to their card issuer, at which point they can enter their credentials to validate a transaction.
Additional steps may be involved, such as a multi-factor authentication process that sends a verification code to the customer’s mobile device or email address.
Examining the revisions to Japan’s Credit Card Security Guidelines
Japan’s Credit Card Security Guidelines compile the most up-to-date standards and requirements for businesses that handle credit card transactions. The primary goals of these guidelines are to protect consumers and guard businesses against the liabilities of fraudulent payments.
Beyond businesses accepting credit card payments, entities covered include credit card companies, payment service providers (PSPs), and e-commerce stores affiliated with the previously mentioned credit card companies and PSPs. Regulators divided revisions to the Credit Card Security Guidelines into two main categories:
1. Measures to protect credit card information
From April 2025 onward, e-commerce affiliates must implement the security measures and vulnerability countermeasures detailed in the official Security Checklist.
Additionally, acquirers and PSPs must inform e-commerce affiliates of any relevant security measures from the checklist that need implementation.
2. Measures against fraudulent use
The new revisions to protect against fraud require e-commerce affiliate stores to introduce and begin implementation of 3DS as soon as possible. Any affiliates that experience a high incidence of fraud must begin implementation immediately, regardless of the April 2025 deadline.
Acquirers and PSPs must encourage this immediate implementation among their high-risk affiliates. Any new merchant contracts need to include an explanation of the 3DS implementation requirements and deadline.
Issuers also have new requirements to abide by, including the implementation of initiatives that “strongly promote” 3DS registration for company card members. The revised guidelines aim for 80% registration among e-commerce members by the end of March 2025, and for 100% of registered members to transition away from static passwords in the same timeframe.
Your merchant implementation questions, answered
To help merchants accepting credit card payments in Japan address new requirements brought about by the guideline revisions, we have compiled a list of the most common questions and considerations:
Will there be penalties for non-compliance among merchants?
While Japan’s Ministry of Economy, Trade, and Industry (METI) may not impose a fine for non-compliance, acquirers and PSPs can initiate investigations into merchants who fail to implement 3DS.
Failure to adopt the relevant security measures can result in the end of a partnership between a merchant and their acquirer or PSP, at the discretion of the latter parties.
Do all accounts in Japan need to comply?
Any account based in Japan must implement 3DS for both domestic and international credit card payments.
Can merchants in Japan still collect and store card information for recurring payments?
Merchants can still store card information for later use. However, merchants must verify each customer upon login, as well as implement strict measures to prevent unauthorised logins.
Are any transactions exempt from the new guideline revisions?
All e-commerce transactions in Japan fall under the 3DS requirements and upcoming implementation deadline, including both domestic and international payments. Merchants can implement additional security measures as they see fit on top of the 3DS requirement.
Some payment scenarios may fall out of the scope of the 3DS requirement, including:
- Debit cards and prepaid cards
- Mail or telephone-based transactions
- Merchant-initiated transactions for recurring payments
- Google Pay and Apple Pay
- B2B and internal payments processed in separate, dedicated environments
- Payments made on devices without 3DS support (i.e. gaming consoles)
Can merchants seek assistance with 3DS implementation?
Yes! With the help of providers like payabl., merchants accepting credit card payments in Japan can ensure the 3DS authentication process verifies all applicable transactions. Working with a trusted provider can simplify the implementation process and help you meet the April 2025 deadline with ease.
How the new guidelines benefit merchants
The 3DS mandate in Japan may impose new technical requirements for merchants, but it also brings new protections. Early implementation of the revised guidelines enables your business to maintain strong relationships with acquirers, PSPs, and issuers. These changes also shift liability from the merchants to the listed providers, helping to minimise losses for merchants in the case of fraud.
The security protocol itself has many benefits:
- Increased customer trust
- Decreased instances of chargebacks and unauthorised transactions
- Improved authentication experiences and efficiency
- Smoother cross-border transactions
- Compliance with other regulations, such as PSD3’s Strong Customer Authentication (SCA) requirement
payabl. supports your 3DS needs
At payabl., our payment gateway solution comes equipped with a 3DS service. If your business is PCI DSS compliant, you can also provide us with your 3DS parameters.
Contact our experts today for additional information and support.