fo Japan’s 3DS Mandate: One Year In
Posted: Fri May 15, 2026 2:00 pm
On April 1st, 2025, Japan’s 3DS mandate went into effect. In the year that has followed its roll-out, the impact has been widespread across the payments landscape. In this article, we discuss how things look a year into the mandate for transactions, customer friction, and fraud. We also explore how merchants can make sure that they’re well positioned to meet the challenges and opportunities of Japan’s 3DS reality. Japan’s 3DS Mandate In response to rising fraud, Japan’s Ministry of Economy, Trade and Industry (METI), and the Japan Credit Association (JCA) made EMVCo’s 3D Secure protocol mandatory for eCommerce credit card transactions processed in Japan. This applied to both domestic and cross-border transactions, and the stated goal was to get 100% of registered merchants using dynamic authentication such as biometrics or one time passwords in place of static passwords. To minimize friction and help the shift away from static passwords, there was an additional goal of having credit card issuers encourage their cardholders to enroll in 3DS. The mandate aimed to have 80% of cardholders enrolled. Japanese merchants and issuers worked hard to achieve this shift successfully. The question now is – what impact has the mandate had? 3DS Exemptions To understand the context of the impact, it’s important to note that Japan’s 3DS mandate doesn’t insist that 3DS be applied to every single transaction. As Forter has explained, there are exemptions for certain types of cards, devices, and payment methods. Merchants can also take advantage of certain limitations within the 3DS mandate. For example, while a customer does need to go through 3DS to sign up for a subscription, the merchant doesn’t need to use 3DS every time they take the monthly payment after that. Using a solution like Forter can also help merchants to both meet the high standards outlined by the JCA, and ensure that good customers experience as little friction as possible. Fraud Continues to Rise METI and the JCA introduced the 3DS mandate because of rising online fraud. Forter’s data suggests that stolen credit card fraud (the primary fraud type 3DS is designed to stop) as a share of fraud risk dropped by roughly ~40% from May 2025 to Nov 2025 and has stayed at around that lower level. That’s significant. At the same time, however, Forter’s data shows that account takeover attacks (ATO) doubled by October 2025, compared to before the rollout. And they’ve stayed at that elevated level. 2025 also saw record amounts lost in online banking fraud. Companies, in particular, experienced far more loss — more than quadruple the previous year. Numbers of fake websites reported increased significantly. It seems that the introduction of 3DS in Japan is following a pattern familiar from other countries. What’s happening is that the fraud pressure on stolen credit card fraud has reduced, but instead of disappearing, it’s moving elsewhere. Fraud is Like the Air in a Balloon The “balloon explanation” for online fraud illustrates what’s happening with the move to 3DS and fraud. Essentially, fraud is like the air in a balloon. When you squeeze part of the balloon — making it harder to commit third-party credit card fraud — the air shifts to another part of the balloon. Fraudsters have responded to 3DS by leaning into social engineering, phishing, account takeover, and so on. Some, of course, find more sophisticated ways to commit third-party credit card fraud that can outwit 3DS. This is similar to what many merchants reported in Europe when PSD2 came in. For merchants, that means that understanding the impact of 3DS on their business is not just a matter of payments analysis. It’s equally important to examine forms of fraud that 3DS doesn’t combat, such as account takeover, and ensure you and your customers are protected. Extra Restrictions for “Fraud-Exposed” Merchants The rise in fraud is particularly challenging for eCommerce merchants because the 3DS mandate came with some additional details. Any merchant that experiences three consecutive months with fraudulent chargebacks of 500,000 JPY or above in each month, becomes a “fraud-exposed” merchant. Fraud-exposed merchants need to use 3DS, with far less flexibility on exempting certain transactions. As well, they need to use an additional authentication method for their transactions. This could be:
Source: https://www.forter.com/blog/japan-3ds-m ... e-year-in/
- Requiring customers to provide their CVV or similar code
- Using a mechanism to match billing and shipping addresses
- Working with some fraud detection systems
- Transactions that don’t use 3DS have a completion rate of about 94%.
- In the first ~6 months of the rollout, transactions that used 3DS had a completion rate of ~75%.
- One airline saw fraudsters learn to pass 3DS challenges, so chargebacks continued to rise even on authenticated transactions; issuers then pushed them to add further countermeasures.
- A major rail-ticketing platform reported that sending every transaction through 3DS still allowed sophisticated fraud through, which drove them to look for higher-precision fraud controls in addition to 3DS.
- A large sportswear brand combined a legacy tool, partial 3DS, and manual review, but found this created too much mental strain and motivation impact for staff who had to review “suspicious” 3DS traffic every day.
- A hobby/e-commerce retailer similarly explained that acquirer queries on “suspicious” transactions created constant manual review work, which they struggled to scale.
- A large media / online retail group said that if they apply 3DS to all transactions on popular items, lost revenue from cart abandonment reaches tens of millions of yen.
- A major tax-donation marketplace found that after moving to 3DS on all transactions their payment success rate dropped by roughly 17%-18%.
- Fraudulent transactions are caught and rejected pre-auth, so 3DS never comes into play and the bank does not come to assume that your 3DS transactions are risky
- Low-risk legitimate transactions go through without the need for 3DS, due to the confidence provided by Forter’s global identity network
- Borderline transactions are sent to 3DS. If they pass 3DS, that’s both a strong signal of legitimacy and a way to shift liability to the issuer (assuming that the transaction was successfully authenticated, and chargebacks are fraud-based).
Source: https://www.forter.com/blog/japan-3ds-m ... e-year-in/