Japan’s 3DS Mandate: What Merchants Need to Know Before March 2025

The Credit Transaction Security Measures Council of the Japan Credit Association (JCA) has introduced a new mandate requiring all credit card transactions processed under Japanese entities to implement 3D Secure (3DS) authentication by the end of March 2025.

As fraud becomes increasingly sophisticated in Japan, this mandate aims to enhance security by ensuring strong customer authentication (SCA) measures are in place at every stage of the payment process—from account creation to checkout.

With this shift, merchants must act now to prepare, balancing compliance with customer experience to minimize drop-offs and maximize conversions. This week Forter hosted a very interesting webinar to break down the implications of this upcoming mandate.

Before diving into the specifics of the Japanese mandate, let’s recap what 3DS is and how a 3D Secure transaction works.

3D Secure, often referred to as 3DS, is an additional layer of security for online credit and debit card transactions. It was developed to authenticate the cardholder and ensure that the person making the transaction is indeed the card’s rightful owner. The “3D” in 3D Secure stands for “Three-Domain Secure,” which involves three parties in the authentication process:

1. The Issuer: This is the bank or financial institution that issued the card to the cardholder.

2. The Acquirer: This is the bank or financial institution that processes the payment on behalf of the merchant.

3. The Interoperability Domain: This is the domain where the authentication takes place, often controlled by the card networks like Visa, Mastercard, or American Express.

This multi-step process happens seamlessly in the background, ensuring that the online payment is both convenient and secure. It’s akin to having a virtual bouncer at the entrance of an online store, checking IDs to make sure only authorized individuals get in.

The high-level 3DS steps can be summed up as follows:

Initiation: The online shopper selects their desired items and proceeds to the checkout page. Upon entering their card details, the payment request is sent to the merchant’s acquiring bank.

Authentication Request: The acquiring bank, on receiving the payment request, checks if the card used is enrolled in 3D Secure. If it is, the authentication process begins.

Cardholder Verification: The cardholder is redirected to their card issuer’s website or a separate 3D Secure authentication page. Here, they may be asked to enter a one-time password (OTP) or other verification details.

Authorization: Once the cardholder’s identity is confirmed by their issuer, an authentication result is sent back to the acquiring bank. If the authentication is successful, the payment is authorized, and the transaction proceeds.

Completion: The cardholder is directed back to the merchant’s website, and the transaction is completed. A confirmation message is displayed, and the order is processed.

Key Requirements & Scope under the JCB Mandate

The Ministry of Economy, Trade, and Industry (METI) has outlined the main requirements as follows:

✅ All eCommerce credit card transactions processed in Japan—domestic and cross-border—must use 3DS authentication by March 2025.
✅ Applies universally to all credit card types, regardless of other security measures in place.

This means every online credit card payment in Japan must pass through 3DS unless it falls under an exemption.

Customer Friction & Conversion Challenges

While 3DS is an effective fraud prevention tool, it can also introduce friction into the customer experience.

📉 Europe’s PSD2 Mandate Impact
In Europe, when PSD2 mandated 3DS in 2020, merchants saw a 20-25% drop-off in transactions requiring 3DS due to friction. This led to lower conversion rates and abandoned checkouts.

Japanese merchants should expect similar challenges, but the JCA has introduced some flexibility to reduce unnecessary authentication where possible.

Transactions Excluded from the 3DS Mandate

To ease the burden on merchants and improve customer experience, the JCA has outlined specific transaction types that will be excluded from the 3DS mandate:

🔹 Prepaid or Debit Cards – Transactions made using non-credit products.
🔹 Devices That Do Not Support 3DS – Such as game consoles and smart speakers.
🔹 Mail Order/Telephone Order (MO/TO) Transactions – Since they are card-not-present transactions processed manually.
🔹 Merchant-Initiated Transactions (MIT) – Such as subscriptions, recurring payments, and installment payments.
🔹 B2B Transactions in Dedicated Environments – Including corporate card payments made on specific merchant portals.
🔹 Google Pay & Apple Pay Transactions – Since these already include their own authentication layers.

By leveraging these exemptions, merchants can reduce unnecessary authentication requests and maintain a smoother checkout flow.

Understanding JCA’s 3DS Implementation Guidelines

Beyond transaction exemptions, the JCA has also outlined three possible authentication scenarios that merchants can choose from:

Scenario 1: Merchant-Determined Authentication

🔹 Merchants decide when to apply 3DS authentication, based on their own fraud risk assessment.
🔹 Offers maximum flexibility, allowing businesses to apply 3DS only when necessary.

Scenario 2: Authentication Only for New Cards

🔹 Requires 3DS authentication only when a customer adds a new card to their account.
🔹 Returning customers using previously stored cards can transact without additional authentication.

Scenario 3: Authentication on Every Touchpoint

🔹 Requires 3DS authentication for every login and every transaction.
🔹 This is the most secure but also the most friction-heavy option.

💡 Merchants who qualify for Scenario 1 or 2 will experience significantly lower friction and better conversion rates.

Merchant Action Plan: How to Comply While Optimizing Customer Experience

To stay compliant while maintaining conversion rates, merchants should take the following steps:

✅ 1. Meet JCA Exemptions to Reduce Friction

If possible, qualify for Scenario 1 or 2 to limit 3DS authentication to high-risk scenarios.

✅ 2. Track Issuer Response Patterns

Not all issuers will enforce 3DS the same way. Merchants should:
🔹 Monitor which issuers require full challenges vs. those that accept frictionless authentication.
🔹 Adjust authentication settings based on issuer response rates to optimize approval rates.
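
The issuer tracking described in this step can be done by aggregating authentication outcomes per issuer. The following is an added example, not part of the original article: it assumes each logged record carries the issuer BIN, the EMV 3DS `transStatus` value from the authentication response, and the authorization outcome. The record layout, function names, thresholds and sample data are constructed for illustration.

```python
from collections import Counter, defaultdict

# EMV 3DS transStatus values from the authentication response (ARes), grouped
# by what the cardholder experienced. The grouping names are this example's own.
BUCKET = {
    "Y": "frictionless", "A": "frictionless",   # authenticated / attempt, no challenge
    "C": "challenge", "D": "challenge",         # challenge or decoupled auth required
    "N": "failed", "R": "failed", "U": "failed",
}

# Constructed records: (issuer_bin, transStatus, authorization approved).
# The BINs are placeholders, not real issuer ranges.
SAMPLE_RECORDS = [
    ("000001", "Y", True), ("000001", "Y", True), ("000001", "C", True),
    ("000001", "Y", False),
    ("000002", "C", True), ("000002", "C", False), ("000002", "C", True),
    ("000002", "N", False),
    ("000002", "X", False),   # unexpected status, reported separately
    ("000003", "Y", True),    # too little volume to judge
]

def issuer_patterns(records, min_volume=3):
    """Per-issuer frictionless, challenge, failure and approval rates."""
    buckets = defaultdict(Counter)
    approvals = Counter()
    for issuer_bin, status, approved in records:
        # Unknown statuses get their own bucket instead of skewing a rate.
        buckets[issuer_bin][BUCKET.get(status, "unknown")] += 1
        approvals[issuer_bin] += int(approved)
    stats = {}
    for issuer_bin, counts in buckets.items():
        total = sum(counts.values())
        if total < min_volume:
            continue   # not enough traffic for a meaningful rate
        stats[issuer_bin] = {
            "total": total,
            "frictionless_rate": counts["frictionless"] / total,
            "challenge_rate": counts["challenge"] / total,
            "failed_rate": counts["failed"] / total,
            "unknown": counts["unknown"],
            "approval_rate": approvals[issuer_bin] / total,
        }
    return stats

def high_friction_issuers(stats, challenge_threshold=0.5):
    """Issuers at or above the challenge-rate threshold, highest first."""
    flagged = [(b, s["challenge_rate"]) for b, s in stats.items()
               if s["challenge_rate"] >= challenge_threshold]
    return sorted(flagged, key=lambda item: item[1], reverse=True)
```

Reading the challenge rate next to the approval rate shows whether an issuer's challenges are costing conversions or simply completing successfully.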

✅ 3. Securely Store Customer Payment Credentials

🔹 Authenticate new card registrations once and store them securely using tokenization or account updater services.
🔹 Returning customers can then skip 3DS authentication, reducing checkout friction.

✅ 4. Partner With Acquirers & PSPs Early

Merchants should work closely with their acquirers and payment service providers (PSPs) to:
🔹 Understand which exemptions they qualify for.
🔹 Test different authentication flows to balance security and conversion.
🔹 Ensure systems are fully integrated and ready before March 2025.

The March 2025 3DS mandate is a major shift for Japan’s payment ecosystem, but with the right strategy, merchants can stay compliant while minimizing customer friction.

By leveraging exemptions, optimizing authentication flows, and tracking issuer responses, businesses can protect revenue while reducing fraud risks.

Now is the time to prepare. Merchants should begin working with their acquirers and PSPs to implement 3DS effectively and optimize for conversion before the deadline hits. 🚀
