Japan’s 3DS2 mandate: Trends, impact, and how to respond

Credit card fraud in Japan has been increasing year by year. According to the Japan Credit Association, the total amount of fraud-related losses in 2024 reached ¥55.5 billion, a 2.6% increase compared to the previous year. The situation is especially serious in the ecommerce sector, where 92.5% of fraudulent losses were due to card number theft in online transactions.

To combat this, in the spring of 2024, the Credit Card Security Guidelines, developed by the Council for Security of Credit Transaction, stated a compliance deadline of March 2025, where ecommerce businesses in Japan would be required to implement 3D Secure (3DS).

3D Secure 2.0 (3DS2) refers to EMV 3-D Secure. This is an authentication protocol developed by EMVCo, which is a global technical body jointly owned by major international card issuers including Visa, Mastercard, and JCB. It is widely supported across the payment industry.

3D Secure: How to minimise fraud while maximising conversion

Improve customer experience, increase security, and reduce fraud with 3D Secure.

Learn more

Implementation status Since the initial announcement of the Credit Card Security Guidelines, the uptake of 3DS2 in Japan has seen considerable growth. Looking at the beginning of 2023 until today, we’ve seen a 15% increase in overall success for transactions being sent to 3DS, as well as a steady uptick in volumes. 

This increase can largely be attributed to higher issuer adoption of 3DS2 as well as better shopper education. We are also seeing improvements when it comes to authentication methods. There is higher acceptance of frictionless authentications, as well as an increase in challenge completion rates. 

When it comes to our customers, all of them have adopted 3DS ahead of the deadline. This is largely thanks to the fact that our customers are using Authenticate, which automatically handles 3DS2 and compliance for regulated markets. 

Additionally, we have enhanced Authenticate with specific optimisations for the Japanese market to ensure higher authentication rates, resulting in an increase of authentication rate by up to 3%.

Authenticate handles the complexities of local and regional strong customer authentication (SCA) regulations on behalf of our customers. Our experience in other regulated markets like Europe shows how vital it is to balance security, convenience, and compliance. With the Credit Card Security Guidelines in Japan, we ensure that all our customers are compliant with no additional effort on their part.

After the introduction of PDS2 in Europe, fraud rates for transactions with SCA were 70% to 80% lower than those without.  

3DS2 also comes with the benefits of liability shift, which reduces the financial exposure to chargebacks for merchants.

3DS can also increase the authorisation rate of each payment transaction because issuers can authenticate the identity of the shopper when the authorisation is successful.

In markets like Europe, where 3DS2 adoption is high, successfully authenticated transactions are up to 3% more likely to be authorised than those which are not authenticated.

Nevertheless, there are some important trade-offs that come with 3DS2. For example, it adds a level of friction for shoppers when checking out, which inherently increases the chance of cart abandonment. 

This cart abandonment can be attributed to a variety of factors, including:

• Rejections due to shoppers not activating their cards for 3DS2 with their issuers.

Before shoppers can use their cards to pay online, issuers will require them to complete a setup process to confirm their identity. This might include verifying a phone number through an SMS OTP, or providing biometrics. If a cardholder doesn’t do this before using their card online, issuers will reject the transactions, as the authentication cannot be performed.

• Drop-offs when shoppers are presented with a 3DS2 challenge they cannot complete. This is the most common reason for 3DS2 failures and has a variety of causes:

  • The shopper is a fraudster and cannot complete the challenge. Here, 3DS is working as intended to stop fraudulent transactions.

  • The shopper is the rightful owner of the card but is unable to complete the challenge. This can be because of their unwillingness or inability to complete the verification step at the time it is presented to them.

  • Technical errors due to the integration of 3DS. This occurs because of errors between the business environment and issuer environment, resulting in shoppers being unable to complete their identity verification.

Additionally, using 3DS2 allows more shopper data to be shared with issuers, giving them greater insight into the risk level of each transaction. However, if the data contains “red flags”, it may also increase the chance of rejection.

Since the introduction of the Credit Card Security Guidelines on 1 April 2025, we have observed a slight decrease in conversion rates in the Japanese market. This decrease is a direct effect of the increased application of 3DS.

Since 1 April, we've also noticed more initial declines on customer-initiated credit card transactions in Japan. Specifically, the success rate for each individual transaction attempt (gross success rate) has dropped by roughly 1.6 percentage points. However, because many shoppers retry with the same card and succeed, the overall impact is smaller. The final success rate for the entire purchase order (net success rate) has only declined by about 0.8 percentage points.

There are three factors leading to lower conversion rates from the 3DS2 mandate:

1. Shoppers have not completed the 3DS2 setup for their cards

Around 3% of all initiated 3DS transactions fail because of issuers rejecting cards not set up for online use.

In Japan, issuers primarily use SMS OTP for identity verification. Some issuers automatically enroll the card into 3DS if they have a phone number available, but others require cardholders to confirm their phone number in the banking environment before allowing them to complete 3DS2 identity verification. 

2. Issuers are very risk averse and reject transactions at high levels

In Japan, we have observed that issuers are more risk averse than in other markets. The impact is evident: fraud-related issuer rejections now represent over 4% of all initiated 3DS2 transactions.

Issuers in Japan have strict classifications on what they see as “high fraud levels” originating from a business. These can be as low as a sustained JPY¥ 500,000 worth of fraudulent transactions per month over a three month period. If a merchant operates in a high value segment like luxury or travel, a breach can easily occur through just a single fraudulent transaction. This may lead to lower risk tolerance and higher levels of rejections for these brands.

We’ve also observed that issuers are rejecting successfully authenticated transactions that are sent to authorisation with “Suspected Fraud” declines. This paradoxical behavior could be explained by:

• Issuers having disconnected Authentication and Authorisation platforms.

• The suspected fraud declines are often mapped to the G12 Japanese issuer error code which can signal issues with the credit line or fraud detection.

3. Merchants have technical difficulties

Despite our customers having successfully implemented 3DS2 in Japan, there are still cases where technical errors occur when handling during the 3DS2 flow.

The 3DS2 flow has multiple steps where connectivity is established between the business environment and the issuer environment, such as during the device fingerprinting step or during the challenge flow. We have observed that technical errors here add up to 2% of the total 3DS2 initiated transactions.

Combating fraud among ecommerce businesses was the primary objective of the new regulations. So, a key metric to track are the fraud rates following the enforcement of the Credit Card Security Guidelines. 

In our preliminary assessment on incoming notifications of fraud, we see a decrease of up to 75% for transactions in scope of the 3DS2 Mandate. This dramatic reduction in notifications of fraud is close to what was observed in Europe following the enforcement of PSD2 regulations. 

This is largely thanks to the increased use of 3DS2. Note that these results may change over time, and it is still too early to draw any final conclusion. Fraud and chargeback data tend to lag behind by up to three months.

While Credit Card Security Guidelines mandate 3DS2 for most transactions, they also make it optional for low-risk transactions involving previously authenticated stored credentials (known as Pattern 2 exemptions). That’s where risk-based authentication (RBA) proves useful.

What is RBA?

RBA is a mechanism that triggers authentication only for high-risk transactions.

Thanks to Adyen’s single platform and Adyen Uplift, there is no need to apply 3DS uniformly across all transactions in the Japanese market. Instead, businesses can take a more flexible approach by leveraging RBA.

How does it work?

For transactions that fall under “Pattern 2” mentioned earlier – subsequent transactions made using the same card, 3DS2 is selectively applied based on a risk assessment.

Thanks to the billions of data points available to us on our platform, we can make informed decisions about the risk level of a transaction to determine whether we should send it to 3DS2 or whether it can proceed directly to authorisation. 

What are the benefits?

Our experience with PSD2 in Europe taught us that exemptions play a powerful role in balancing security and convenience. Using exemptions will minimise friction for shoppers and ensure a smooth checkout experience. The use of exemptions need to be balanced against the risks of a chargeback.

Thanks to RBA, we enable customers to benefit from increased conversion, due to reduced friction, all while staying compliant and keeping fraud levels low.

With the new guidelines in place for online payments in Japan and the increased use of 3DS2, we encourage businesses to:

Leverage RBA

If a merchant is processing card-on-file transactions and using Tokenise and Authenticate, it can automatically unlock RBA capabilities. This is thanks to our single platform and our control over the full payment funnel.

We’ve also observed that there are numerous merchants who would be able to benefit from RBA in Japan, but are not yet doing so because of their current 3DS2 strategy. For card-on-file traffic in Japan, we encourage businesses to rely on Adyen Uplift to manage both compliance and the balance between security and a seamless shopper experience.

Implement domestic shopper advice

Error codes from Japanese issuers often provide more insights than acquirer responses. Adyen shares the domestic Japanese issuer error codes with customers along with helpful advice for shoppers to reduce the declines they are facing.

These error codes have been updated to include 3DS2 declines. By encouraging shoppers to contact their issuers, we can increase the chance that they successfully activate their cards for 3DS2 or ensure their issuers will accept a second attempt from the shopper.

Integration review

We have built our Japan 3DS2 mandate logic to work out of the box for customers via Authenticate, minimising any additional integration effort. 

However, we do encourage our customers to check their integrations for:

1. Technical errors: Ensure that any integrations can handle all 3DS2 related responses to successfully complete each step of the authentication journey.

2. Data quality: 3DS2 is a data rich message and issuers use certain key fields (e.g. shipping address, email address, device information, etc.) as risk indicators. Ensure that you are sending accurate, unique, and complete data according to the required fields found in our documentation.

While the 3DS mandate is still very fresh and its full impact on fraud remains to be seen, Adyen remains committed to engaging key players in the ecosystem, like major issuers, card networks, and the regulator. We aim to provide constant feedback to ensure that security can be balanced with convenience, all while staying compliant.