The Credit Transaction Security Council of Japan announced that all online credit card payments in Japan will require Strong Customer Authentication (SCA), effective April 01, 2025. This means that all transactions that fall under the scope of the regulation must be authenticated with 3D Secure.
The information we provide in this guide can help you prepare for complying with regulations in Japan. However, the information here should not be taken as legal advice. This guide supplements the following sources:
- Regulatory guidance provided by official domestic authorities.
- Card scheme regulations.
- EMVCo specifications for the 3D Secure 2 protocol.
Credit Card Security Guidelines 5.0
The guidelines have implications for online and in-person payments.
Online payments
All merchants that process online credit card payments in Japan must implement 3D Secure 2 authentication for regulation compliance in their online payments flow, according to the Credit Card Security Guidelines 5.0(Japanese).
The regulation aims to reduce card fraud in digital transactions and prevent fraudulent use of credit card information, and applies to payments with credit cards issued in and outside of Japan. According to the guidelines, all online credit card payments require 3D Secure 2 authentication, except out-of-scope transactions.
In-person payments
If you have an in-person payments integration, the following will apply:
- You can no longer bypass PIN entry.
- Obtaining a signature will no longer be a valid cardholder verification method.
In-person payments integrations with Adyen remain compliant, and you do not need to take any action.
In-scope transactions
All online credit card payments that do not meet the out-of-scope criteria are in-scope and require 3D Secure 2 authentication.
If you process recurring payments, some transactions are in-scope. Whether a transaction is in-scope depends on the recurring payment type and moment:
When you implement 3D Secure 2 with Adyen, our Authentication Engine will handle compliance for you. We determine the transactions that fall under the scope of the regulation and trigger 3D Secure 2 for in-scope transactions.
Out-of-scope transactions
The following types of transactions are out-of-scope:
- Transactions made with prepaid and debit cards.
- Transactions initiated from devices that do not support 3D Secure, such as game consoles or smart speakers.
- MOTO transactions.
- A recurring payment that happens under the same shopper agreement with the same card, such as a subscription payment.
- Transactions that occur in separate environments for business to business or internal employee purchases.
- All transactions where the shopper uses Google Pay or Apple Pay to complete the payment.
When you implement 3D Secure 2 with Adyen, we will not trigger 3D Secure for out-of-scope transactions.
Implement 3D Secure 2 with Adyen
To comply with the regulation, we recommend that you implement 3D Secure 2 authentication with Adyen. We determine whether the payment requires 3D Secure authentication, and ensure that you stay compliant by always applying 3D Secure if the transaction falls under the scope of the regulation.
If you do not implement 3D Secure 2 with Adyen, it is your responsibility to ensure that all online credit card payments that you request to process with Adyen are authenticated with 3D Secure 2. Send the third-party authentication data in your payment request to Adyen.
Use one of the following compliant integrations:
| Integration type | Description |
|---|---|
| Drop-in/Components | Pre-built UI elements available for Web, Android, iOS, React Native, and Flutter. |
| Hosted Checkout | Quick-to-integrate Adyen-hosted webpage solution. |
| Plugins | Adyen payments plugins for Adobe Commerce (formerly Magento 2), Salesforce Commerce Cloud, Shopware 5 and 6, Prestashop, SAP Commerce (Hybris), and Oracle Commerce Cloud. |
After you have set up one of the compliant 3D Secure 2 solutions, you can:
- Let Adyen handle compliance by default: Adyen applies 3D Secure 2 when the transaction falls under the scope of the regulation. To mitigate any effects on conversion, we will not trigger 3D Secure for out-of-scope transactions. To make sure Adyen can handle the 3D Secure routing for you, make sure that:
- Your default Dynamic 3D Secure rule is set to Prefer Not.
- You do not override the platform logic and block 3D Secure in your API requests by including:
- Checkout API v69 or later: authenticationData.attemptAuthentication:never
- Checkout API v68 or earlier: executeThreeD: false
- Configure rules using Dynamic 3D Secure: Define additional conditions for transactions that you want to apply 3D Secure authentication on. For more information, refer to Dynamic 3D Secure.
-
Submit your preference for each transaction in your API request: Specify in each payment request whether you want to perform 3D Secure authentication on this transaction, by including:
authenticationData.attemptAuthentication: Set to always if you want to perform 3D Secure authentication on this transaction, never if not. We do not recommend setting it to never.
We recommend to submit preference in API requests only if you have extensive knowledge of the Credit Card Security Guidelines and the 3D Secure protocol, because this overrides our default 3D Secure 2 handling logic and may result in non-compliance and harm overall performance in regulated markets.