Credit Card Security Guidelines 5.0 in Japan: How to Comply?

Boaz Gam

CEO

19.08.2024

What Is the 3DS Mandate in Japan All About?

Around the globe, card schemes and regulatory bodies are actively pursuing efforts to enhance payment security for consumers. In Japan, for instance, significant measures are being implemented with the revision of the 3D Secure (3DS) protocol as part of the nation’s Credit Card Security Guidelines.

For businesses engaged in cross-border operations into or within Japan, this shift calls for major adjustments. In this article, we review the essential details regarding the evolving regulations, the necessary actions required from companies, and the ways in which payment service providers can assist in managing these changes.

3D Secure in a Nutshell: What It Is & Why It Matters

3D Secure (3DS) is an authentication protocol created by EMVCo and supported by major global card networks. It is designed to enhance the security of online financial transactions and protect consumers from payment fraud. This protocol involves three domains - the acquirer, card scheme, and issuer - that collaborate to exchange information and authenticate purchases.

3DS is particularly effective in preventing fraud for Card Not Present (CNP) transactions. Due to this, the Revised Payment Services Directive (PSD2) in Europe mandates its use for online purchases to ensure robust security measures, and Japan is soon expected to follow suit.

What Is the New 3DS Mandate in Japan All About?

On March 15, 2023, Japan’s Ministry of Economy, Trade, and Industry (METI) introduced the Credit Card Security Guidelines 5.0, aiming to enhance protections against credit card fraud in digital transactions. This document offers new recommendations on how to prevent the misuse of credit card information and create a more secure payment environment.

METI emphasizes that the revised guidelines should be adopted by April 1, 2025 by all relevant business operators involved in credit card transactions, including issuers, acquirers, merchants, and PSPs. Therefore, it is crucial for business owners who have not yet begun preparations to get started without delay.

Essentially, there are two key requirements that must be taken into account to ensure compliance, namely:

1. The Implementation of 3D Secure

The key requirement issued by METI entails that all eCommerce credit card transactions processed in Japan must implement 3DS by mid-March 2025. This mandate applies to both domestic and cross-border transactions as well as all card types. It is also valid regardless of any other payment security measures an organization may already have in place.

However, it is important to note that some specific transactions might be exempt from using 3DS, including:

  • Transactions conducted using prepaid or debit cards
  • Payments initiated from devices that do not support 3DS, such as game consoles and smart speakers
  • Mail Order/Telephone Order (MO/TO) transactions
  • Recurring payments after the initial purchase, made under the same shopper agreement with the same card, also known as Merchant Initiated Transactions (MIT). Any change in the agreement or card, however, would require 3DS.
  • Internal or B2B transactions in dedicated environments, such as corporate cards used exclusively on certain websites
  • Google Pay and Apple Pay transactions

As a result, all Japanese transactions aside from the types listed above need to utilize the 3DS authentication protocol.

To meet this requirement, companies need to plan ahead and implement 3DS gradually, familiarizing themselves with guidance from regulatory agencies and card schemes and with the EMVCo specifications. It is also crucial to seek guidance from PSPs to ensure that the customers’ payment experience is not compromised.

2. Potential Need for Extra Countermeasures

In addition to implementing 3DS, businesses may need to adopt additional security measures based on their threshold for fraudulent chargebacks.

For instance, fraud-exposed merchants experiencing a monthly total of 500,000 JPY in fraudulent chargebacks for three consecutive months must use 3D Secure and at least one of the following supplementary measures:

  • Require the consumer to provide their card security code (CVC, CVV, CAV2, CID)
  • Verify if the billing address matches the cardholder’s address
  • Use a fraud detection system

Therefore, it is crucial for companies to audit their operations and identify the compliance needs that apply to their specific cases.

Embracing the Future of Secure Transactions in Japan

All in all, the 3DS mandate in Japan is a critical step toward improving the security of online transactions and protecting consumers from the ever-present threat of payment fraud. Careful planning, early adoption, collaboration with PSPs, and a focus on staying up-to-date on the latest regulatory updates will be instrumental in achieving a smooth transition.

Ultimately, embracing these advanced security measures will not only help in meeting regulatory requirements but also in building trust with customers, thereby fostering a more secure and reliable eCommerce environment in Japan.
