On 14 March 2023, a set of industry guidelines that outline security measures for businesses that conduct card transactions, the "Credit Card Security Guidelines", was revised (Credit Card Security Guidelines Version 4.0, hereinafter referred to as "Credit Card Security Guidelines"). Subsequently, on 14 November, a document entitled "Deployment Roadmap for EMV 3D Secure for Merchants" (the "Roadmap") was released to supplement the Credit Card Security Guidelines.
3D Secure is a mechanism that provides an additional layer of authentication for credit card transactions and protects businesses against liability for fraudulent card payments.
The Credit Card Security Guidelines and Roadmap state that Japanese merchants who conduct online sales (Stripe users) must enable 3D Secure 2 by the end of March 2025 in order to combat fraud.
Merchants have an obligation to adopt certain security measures under the Instalment Sales Act, and they must adopt measures in line with the Credit Card Security Guidelines and Roadmap by the end of March 2025.
Merchants are required to initiate the implementation of 3D Secure 2, in accordance with the Credit Card Security Guidelines and Roadmap, in the following order of priority.
Tier |
Scope |
Expectation |
Tier 1 |
Merchants with over JPY 500,000 in confirmed fraudulent transactions per month over a consecutive three-month period ("fraud exposure merchants") |
Start implementing 3D Secure 2 immediately |
Tier 2 |
Merchants that are not "fraud exposure merchants" but have observed at least five confirmed fraudulent transactions or at least JPY 100,000 in confirmed fraudulent transactions over the last two years |
Plan for 3D Secure 2 implementation and implement quickly |
Tier 3 |
Merchants that sell digital content, electronics, e-money or stored value, ticketing or lodging booking sites |
Plan for 3D Secure 2 implementation and implement quickly |
Tier 4 |
Other merchants |
Plan for 3D Secure 2 implementation and implement quickly |
If you already use Stripe, you may need to check your integration to ensure that 3D Secure 2 is supported.
If you are on the Charges API
The Charges API does not support 3D Secure 2. As a result, if your account uses the Charges API, any payments made through the API that require authentication by the card issuer will fail. To avoid an increase in declined payments on your account, we strongly recommend that you migrate to the Payment Intents API as soon as possible.
If you are on the Payment Intents API
To avoid an increase in declined payments on your account, you'll need to ensure that your integration can handle the `requires_action` state in order to prompt your customers to authenticate their payments. If you have integrated with the basic card integration previously, you will need to update your integration to handle card authentication.
We recommend testing your integration to confirm that you have implemented 3D Secure 2. If you are unsure about how to test your integration, you can find further guidance in our testing documentation.
Stripe offers a fraud prevention product called Radar, which utilises machine learning by analysing payment data from over a million companies worldwide and detects and blocks fraudulent transactions. Radar uses machine learning to conduct risk assessments based on hundreds of signals, including card type, country of use, device and behaviour. Stripe offers three default Radar rules that request 3D Secure 2 dynamically. By setting these rules in the dashboard, additional authentication can be requested from customers when their card-issuing company requires 3D Secure 2.
With Radar for Fraud Teams, which allows for customised rule settings, businesses can tailor their own unique risk management settings for 3D Secure 2. 3D Secure 2 requests can be made based on risk levels or specific metadata, helping to prevent excessive blocking of legitimate payments, reduce the decline rate of transactions and maximise revenue.
Use of Radar may help mitigate loss of conversion while allowing for risk-based anti-fraud measures.
"Payment service providers" like Stripe, and the acquirers we partner with (SMCC, JCB, American Express, etc.), are expected to support users as they implement 3D Secure 2 by the end of March 2025. We are also asked to work with "fraud exposure merchants" to get them to enable 3D Secure 2 promptly.
Stripe will continue to work with our partners to provide relevant information and support to our users. We will provide notice if users need to change their integrations, and will follow up with users as needed to support implementation of 3D Secure 2.
Transactions using internationally branded credit cards are in scope. In practice, merchants will be expected to treat prepaid cards, debit cards, corporate cards and foreign-issued cards the same as Japan-issued personal credit cards. For cards where the issuer is unable to process 3D Secure 2, it is expected that the requested transaction will be approved without 3D Secure 2 occurring.
Transactions where a physical card is used in person are out of scope.
There is no fine, but the regulator is able to request information and conduct on-site inspections of the merchant. Additionally, the issuer may request a merchant investigation through Stripe or the acquirer, who can instruct the merchant to enact necessary security measures if the merchant has not taken appropriate steps to prevent fraudulent use and protect credit card numbers. If, regardless of such instructions, a merchant does not adopt the security measures, they may be offboarded as a merchant.
Exempt and out-of-scope categories are under contemplation. We expect the relevant industry council to publish additional information as it becomes available.