Japan’s 3DS2 mandate: Trends, impact, and how to respond

Credit card fraud in Japan has been increasing year by year. According to the Japan Credit Association, the total amount of fraud-related losses in 2024 reached ¥55.5 billion, a 2.6% increase compared to the previous year. The situation is especially serious in the ecommerce sector, where 92.5% of fraudulent losses were due to card number theft in online transactions.

To combat this, in the spring of 2024, the Credit Card Security Guidelines, as developed by the Council for Security of Credit Transaction, stated a compliance deadline of March 2025, whereby virtually all ecommerce merchants in Japan would be required to implement 3D Secure (3DS).

Let us take a moment to explain what we mean by 3D Secure 2.0 (3DS2) in the context of this article. Firstly, the term refers to EMV 3-D Secure. This is an authentication protocol developed by EMVCo, which is a global technical body jointly owned by major international card brands including Visa, Mastercard, and JCB. It is widely supported across the payments industry. For more details on how it works, please refer to this article.

Implementation status Since the initial announcement of the Credit Card Security Guidelines, the uptake of 3DS2 in Japan has seen considerable growth. Looking at the beginning of 2023 until today, we’ve seen a 15% increase in overall success for transactions being sent to 3DS, as well as a steady uptick in volumes. 

This increase can largely be attributed to higher issuer adoption of 3DS2 as well as better shopper education. We are also seeing improvements when it comes to authentication methods. There is higher acceptance of frictionless authentications, as well as an increase in challenge completion rates. 

When it comes to our merchants, all have adopted 3DS ahead of the April 1st deadline. This is largely thanks to the fact that our merchants are using Adyen Authentication Engine, which automatically handles 3DS2 and compliance for regulated markets. 

Additionally, we have enhanced our Authentication Engine with specific optimizations for the Japanese market to ensure higher authentication success rates, resulting in an increase of success up to 3%.

The philosophy for our Authentication Engine is to handle the complexities of local and regional strong customer authentication (SCA) regulations on behalf of our customers. Our experience in other regulated markets like Europe shows how vital it is to balance security, convenience, and compliance. With the Credit Card Security Guidelines in Japan, we ensure that all our merchants are compliant with no additional effort.

After the introduction of PDS2 in Europe, fraud rates for transactions with SCA were 70% to 80% lower than those without.  

3DS2 also comes with the benefits of liability shift, which reduces the financial exposure to chargebacks for merchants.

3DS can also increase the conversion success rate of a payment because issuers can be certain of the identity of the shopper when the authorization is successful.

In markets like Europe, where 3DS2 adoption is high, successfully authenticated transactions (whether frictionless or challenged) are up to 3% more likely to be authorized than those which are not authenticated.

Nevertheless, there are some important trade-offs that come with 3DS2. For example, it adds a level of friction for shoppers when checking out, which inherently increases the chance of cart abandonment. 

This cart abandonment can be attributed to a variety of factors, including:

• Issuer rejections due to shoppers not activating their cards for 3DS2 with their issuers.

  • Before shoppers can use their cards to pay online, issuers will require them to complete a setup process to confirm their identity. This might include verifying a phone number through an SMS OTP, or providing biometrics. If a cardholder doesn’t do this before using their card online, issuers will reject the transactions, as the authentication cannot be performed.

• Drop-offs when shoppers are presented with a 3DS2 challenge they cannot overcome. This is the most common reason for 3DS2 failures and has a variety of causes:

  • The shopper is a fraudster and cannot complete the challenge. Here 3DS is working as intended to stop fraudulent transactions.

  • The shopper is the rightful owner of the card but is unable to complete the challenge. This can be because of their unwillingness or inability to complete the verification step at the time it is presented to them.

  • Technical errors due to the integration of 3DS. This occurs because of errors between the merchant environment and issuer environment, resulting in shoppers being unable to complete their identity verification.

Additionally, using 3DS2 allows more shopper data to be shared with issuers, giving them greater insight into the risk level of each transaction. However, if the data contains “red flags”, it may also increase the chance of rejection.

Since the introduction of the Credit Card Security Guidelines on 1st April 2025, we have observed a slight decrease in conversion rates in the Japanese market. This decrease is a direct effect of the increased application of 3DS.

Since 1st April, we've noticed more initial declines on customer-initiated credit card transactions in Japan. Specifically, the success rate for each individual transaction attempt (gross success rate) has dropped by roughly 1.6 percentage points. However, because many shoppers retry with the same card and succeed, the overall impact is smaller: the final success rate for the entire purchase order (net success rate) has only declined by about 0.8 percentage points.

Regarding the main contributors to lower conversion rates from the 3DS2 mandate, we have three key observations:

1. Shoppers have not completed the 3DS2 setup for their cards

Around 3% of all initiated 3DS transactions fail due issuers rejecting cards not set up for online use.

In Japan, issuers primarily use SMS OTP for identity verification. Some issuers  automatically enroll the card into 3DS if they have a phone number available, but others require cardholders to confirm their phone number in the banking environment before allowing them to complete 3DS2 identity verification. 

2. Issuers are very risk averse and reject transactions at high levels

In Japan, we have observed that issuers are more risk averse than in other markets. The impact is evident: fraud-related issuer rejections now represent over 4% of all initiated 3DS2 transactions.

Issuers in Japan have strict classifications on what they see as “high fraud levels” originating from a merchant. These can be as low as a sustained JPY¥ 500,000 worth of fraudulent transactions per month over a three month period. If a merchant operates in a high value segment like luxury or travel, a breach can easily occur through just a single fraudulent transaction. This may lead to lower risk tolerance and higher levels of rejections for these merchants.

We’ve also observed that issuers are rejecting successfully authenticated transactions that are sent to authorization with “Suspected Fraud” declines. This paradoxical behavior could be explained by:

• Issuers having disconnected Authentication and Authorization platforms.

• The suspected fraud declines are often mapped to the G12 Japanese issuer error code which can signal issues with the credit line or fraud detection.

3. Merchants have technical difficulties

Despite virtually all merchants having successfully implemented 3DS2 in Japan, there are still cases where technical errors occur when handling during the 3DS2 flow.

The 3DS2 flow has multiple steps where connectivity is established between the merchant environment and the issuer environment, such as during the device fingerprinting step or during the challenge flow. We have observed that technical errors here add up to 2% of the total 3DS2 initiated transactions.

Combating fraud among ecommerce merchants was the primary objective of the new regulations. So, a key metric to track are the fraud rates following the enforcement of the Credit Card Security Guidelines. 

In our preliminary assessment on incoming notifications of fraud, we see a decrease of up to 75% for transactions in scope of the 3DS2 Mandate. This dramatic reduction in notifications of fraud is close to what was observed in Europe following the enforcement of PSD2 regulations. 

This is largely thanks to the higher use of 3DS2. Note that these results may change over time, as it is still too early to draw any final conclusion. Fraud and chargeback data tend to lag behind by up to 3 months.

While Credit Card Security Guidelines mandate 3DS2 for most transactions, they also make it optional for low-risk transactions involving previously authenticated stored credentials (known as Pattern 2 exemptions). That’s where risk-based authentication (RBA) proves useful.

What is RBA?

RBA is a mechanism that triggers authentication only for high-risk transactions.

Thanks to Adyen’s single platform and our Adyen Uplift solution, there is no need to apply 3DS uniformly across all transactions in the Japanese market. Instead, merchants can take a more flexible approach by leveraging RBA.

How does it work?

For transactions that fall under “Pattern 2” mentioned earlier, namely, subsequent transactions made using the same card, 3DS2 is selectively applied based on a risk assessment.

Thanks to the billions of data points available to us on our platform, we can make informed decisions about the risk level of a transaction to determine whether we should send it to 3DS2 or whether it can proceed directly to authorization. 

What are the benefits?

Our experience with PSD2 in Europe taught us that exemptions play a powerful role in balancing security and convenience. Using exemptions will minimize friction for shoppers and ensure a smooth checkout experience. The use of exemptions need to be balanced against the risks of a chargeback.

Thanks to RBA we allow merchants to benefit from increased conversion, due to reduced customer friction all while staying compliant and keeping fraud levels low.

A prime example of RBA’s effectiveness is Wolt, a local commerce platform for food, groceries, and other goods rapidly expanding in Japan. By leveraging RBA and smartly applying 3DS2, Wolt has significantly increased conversion rates for returning shoppers by over 5%. This smart approach minimizes friction for loyal customers, allowing them to complete orders effortlessly.

With the new guidelines in place for online payments in Japan and with the increased use of 3DS2, we would encourage merchants to do the following to ensure their success rates stay high:

Leverage RBA

If a merchant is processing card-on-file transactions and using the Uplift components Tokenize and Authenticate, it can automatically unlock the RBA capabilities. This is thanks to our single platform and our control over the full funnel of transactions.

We’ve also observed that there are numerous merchants who would be able to benefit from RBA in Japan, but are not yet doing so because of their existing 3DS2 strategy to always request 3DS2. For card-on-file traffic in Japan, we encourage merchants to rely on our risk-based decision-making to manage both compliance and the balance between security and a seamless shopper experience.

Implement domestic shopper advice

Error codes from Japanese issuers often provide more insights than acquirer responses. Adyen shares the domestic Japanese issuer error codes with merchants along with advice that can be shown to the shopper to reduce the declines they are facing. 

These error codes have been updated to include 3DS2 declines. By encouraging shoppers to contact their issuers, we can increase the chance that they successfully activate their cards for 3DS2 or ensure their issuers will accept a second attempt from the shopper.

Integration review

We have built our Japan 3DS2 mandate logic to work out of the box for merchants using our Authentication Engine, minimizing any additional integration effort. 

However, we do encourage our merchants to check their integrations for two important things:

1. Technical errors: ensure that any integrations can handle all 3DS2 related responses to successfully complete each step of the authentication journey.

2. Data quality: 3DS2 is a data rich message and issuers use certain key fields (e.g.  shipping address, email address, device information, etc.) as risk indicators. Ensure that you are sending accurate, unique and complete data according to the required fields found in our documentation.

While mandates are still very fresh and their full impact on fraud remains to be seen, Adyen remains committed to engaging key players in the ecosystem, like major issuers, card networks and the regulator. We aim to provide constant feedback and point out areas for improvement to ensure that security can be balanced with convenience, all while staying compliant.