PX+ by GMO is a media site that leads businesses to + (growth) through ideas and services that improve PX (Payment Experience).

Security Bulletin

Article published:

Credit Card Fraud: Current Situation and Countermeasures


In April 2025, the introduction of "EMV 3-D Secure (hereinafter 3D Secure)" became mandatory for credit card payments on e-commerce (EC) sites. However, according to Japan Credit Association data (2024 actuals), fraud damage remains at an all-time high of approximately 55.5 billion yen. This is because attacks are shifting to the "pre-payment" and "post-payment" phases, where authentication is weak.
In this article, we explain the latest trends and new methods seen since 3D Secure became mandatory, the framework of "line measures" that e-commerce businesses should now take to defend the entire site, and the "strongest combination" that reduces costs while maximizing safety.

At the end of the article, you can download materials available only here that e-commerce businesses can use to check themselves, such as the "Security Checklist", "Recommended Countermeasure Plans for Cost Emphasis vs. Robustness Emphasis", and "Specific Attack Methods and Countermeasure Flow".

The current state of e-commerce security in January 2026

In April 2025, the e-commerce industry in Japan reached a major turning point: 3D Secure became mandatory in principle. Many e-commerce businesses must have worried about the risk of abandoned carts (abandonment rate) while completing their response by the deadline.

As of January 2026, about a year has passed since then.

"Now that the mandatory response is complete, we should no longer fall victim to fraud." Contrary to that expectation, credit card fraud has changed its form and methods, and it continues.

Looking back at the data released by the Japan Credit Association (2024 actuals), fraud damage reached a record high of about 55.5 billion yen. Considering that the damage in 2023 was approximately 54.1 billion yen, the fact that the amount rose even during the period when countermeasures were supposed to be under way has shocked many e-commerce personnel.

* Created by GMO-PG from the Ministry of Economy, Trade and Industry's "Trends in the amount and ratio of cashless payments in Japan (2024)" and the Japan Credit Association's "Credit Card Fraud Damage Occurrence Status" (September 2025).

Why can't we escape the cat-and-mouse game?

In this article, we examine what is happening in the world after the 3D Secure mandate and its root causes, and explain in detail the specific mechanisms and solutions of the "line measures" that e-commerce businesses should take in 2026.

1. The achievements and limitations of 3D Secure, as told by the data

First, let's recognize the current situation correctly from objective data. Adopting 3D Secure was never in vain. Correctly understanding its "effect" and its "limit" is the first step toward the next move.

1-1. "Clear effects" seen in the trend of number theft damage

The overwhelming majority of fraud on e-commerce sites is card "number theft": payments made with other people's card information obtained through phishing or information leaks. It accounts for more than 90% of all damage.

The effect of introducing 3D Secure is evident in how these numbers evolved. Number theft damage fell clearly, from 18.29 billion yen in January-March 2025, just before the mandate, to 11.33 billion yen in April-June, immediately after the response progressed.

This proves that the 3D Secure identity verification step at the moment of payment has served as a powerful brake on impersonated purchases.

1-2. Why the total amount of damage does not fall, and the need for further measures

But here one question arises. "If number theft has decreased, why has the total amount of damage remained high?"

What is happening here is like the balloon effect: press one part of a balloon and another part bulges out.

Attackers avoid the "at payment" moment, where security is strong, and shift their targets to the "pre-payment" and "post-payment" phases, where security is weak.

3D Secure is a tool that verifies your identity at payment time.

  • The stage of stealing the card number itself (information leakage, credit master)
  • The stage of hijacking IDs and passwords to impersonate legitimate users (account takeover)
  • The stage of receiving and reselling the product after payment is completed

Against these, 3D Secure alone cannot provide defense. This is considered to be the fundamental reason why the damage does not disappear even after the 3D Secure response is completed.

2. Anatomy of the threat: the latest methods for slipping past "dot countermeasures" in 2026

We break down the main attack methods currently hitting e-commerce sites by phase, "pre-payment, at payment, and post-payment", and explain each method in detail.

2-1. [Pre-payment] Threats: Preparations for riding the legitimate payment route

The attacker lays the groundwork before the user even reaches the payment screen. If attacks at this stage are not prevented, the defenses on the payment screen may also be neutralized.

(1) Credit Master (Mass Attack)

"Credit master" is a method that exploits the regularity of card numbers to derive valid card numbers belonging to other people. The attacker uses a bot (automated program) to mechanically brute-force combinations of generated card numbers and expiration dates against the e-commerce site's payment form or membership registration screen.

  • Attack Mechanism:
  1. Generate a list of candidate card numbers with a number generator.
  2. The bot accesses the payment page of the e-commerce site.
  3. Use "1 yen authorization" or the "validity check at membership registration" to identify the card numbers that do not return an error (= valid).

  • Impact of Damage:
    The attacker not only identifies real, valid card numbers. Secondary damage also occurs: the e-commerce site's server may go down under the flood of accesses, and transaction processing fees (data processing fees) rise with the increased transaction volume. In addition, if the site is abused as a "card number sorting ground", its brand image suffers.

(2) Phishing and account takeover

"Account takeover" is a method of illegally obtaining a legitimate user's ID and password and logging in as that person. Credentials are stolen by luring users to fake sites via e-mails (phishing) or SMS (smishing) that impersonate real companies, where the users enter the credentials themselves.

  • Attack Mechanism (Two-Stage Attack):
  1. Targeting accommodation and service providers: malware-laden files are delivered under the guise of booking guests to gain access to the provider's Shopify admin screen.

  2. Targeting end users: from the hijacked admin screen, messages citing "payment errors" are sent to legitimate users, directing them to phishing sites that steal their card information.

  • Relationship with 3D Secure:
    In recent years, "real-time phishing", in which the 3D Secure authentication code (one-time password, etc.) is entered on the phishing site along with the ID and password, and methods that hijack the smartphone itself have become rampant. Once authentication is breached in this way, there is no way to stop the transaction at authentication.

(3) Information leakage (SQL injection / web skimming)

In this case the e-commerce site itself is attacked and customer information is stolen wholesale.

  • SQL Injection:
    Exploits vulnerabilities in the site's search box or input forms to send commands (SQL) that manipulate the database illegitimately. Stored member IDs, passwords, and personal information are leaked.
  • Web Skimming (Formjacking):
    A malicious program (JavaScript) is embedded in the payment screen and sends the card information entered by the user to the attacker's server behind the scenes.
    The site looks normal and the payment itself completes successfully, so the frightening feature is that both users and administrators are slow to notice the damage (it is only noticed by looking at the card statement).

2-2. [At payment] Threats: Evading the risk judgment

3D Secure employs risk-based authentication, meaning that transactions deemed low-risk pass without authentication (frictionless).

Attackers try to bypass the card company's risk judgment by spoofing the user's device information (device fingerprint) and IP address in order to pose as a "good user".

2-3. [Post-payment] Threats: products do not come back, and sales disappear

The attack continues after payment is completed. Once an e-commerce business has shipped the product, the fraudulent transaction is complete at that point.

(1) Unauthorized delivery and resale

Items purchased with stolen cards are mainly goods that are easy to resell (game consoles, branded goods, home appliances, cosmetics, etc.). These are quickly resold and cashed out through flea market apps and buyers.

The delivery destination is an empty house or the address of a "receiver" (a so-called dark part-time worker) recruited on social media as a "goods receiving agent", arranged so that the trail cannot be traced.

(2) Triangle fraud (malicious resale)

This is a very clever trick that exploits the characteristics of the platform.

  1. The attacker lists legitimate accommodation plans and products on fake travel agency and auction sites at "cheap" prices.
  2. An unsuspecting traveler (Mr. B) orders and pays the attacker.
  3. The attacker uses another person's stolen card information (Mr. A's card) to order the product from a legitimate e-commerce site or OTA (online travel agent) and arranges it in Mr. B's name.
  4. The legitimate site provides the service to Mr. B.
  5. Later, cardholder A notices the fraud and a chargeback occurs. The legitimate site's sales are cancelled, and it is left bearing the cost of the service it provided.

3. From dot to line – security design for 2026

As described above, attacks are carried out in every phase. To counter this, we must shift from "dot" countermeasures that protect only the moment of payment to "line measures" that protect the entire flow from the user's first visit to the site until the product arrives.

Here we explain specific solutions based on the "pre-payment, at payment, post-payment" countermeasure framework recommended by the Credit Card Security Guidelines.

3-1. [Pre-payment] Barriers that prevent intrusion

First of all, the top priority is to "not let attackers enter the site" or "not log in".

  • Measures against unauthorized logins:
    From April 2025, measures against unauthorized login on e-commerce sites also became mandatory.
  • Bot detection and blocking: Implement authentication tools such as "reCAPTCHA" and services that detect and block bot-specific access patterns.
  • Multi-factor authentication (MFA): Prevent credential-list attacks by adding authentication other than passwords (SMS authentication, app authentication) when logging in to the admin screen or member pages. GMO-PG also offers its own SMS authentication, "Verify Service".
  • Credit Master Measures:
    A feature that automatically blocks access when an abnormal number of card entries or payment attempts is made from the same IP address or the same member ID within a certain period of time. GMO-PG provides this as the "mass attack blocking service" to reduce the risk of server downtime.
  • System Hardening:
    To prevent SQL injection and web skimming, it is essential to implement a WAF (Web Application Firewall) and conduct regular vulnerability assessments.
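The credit master attack described in 2-1 (1) and the "mass attack blocking" measure above come down to a velocity check: count card entries per IP address and per member ID over a time window and block when the count is abnormal. The following is an added example that is not GMO-PG's code; the log format, the 10-minute window, the thresholds, and all IPs, member IDs and card tokens are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of payment-attempt log lines (hypothetical, not from any real system).
# Fields: timestamp, client IP, member ID, card token issued by the PSP (never the raw PAN), result.
# 203.0.113.7 / m1001 is a credit-master bot cycling through generated numbers;
# 198.51.100.4 / m2002 is a genuine member who mistyped once and retried the same card.
SAMPLE_LOG = """\
2026-01-10T02:00:01 203.0.113.7 m1001 tok_a1 declined
2026-01-10T02:00:09 203.0.113.7 m1001 tok_a2 declined
2026-01-10T02:00:17 203.0.113.7 m1001 tok_a3 declined
2026-01-10T02:00:25 203.0.113.7 m1001 tok_a4 declined
2026-01-10T02:00:33 203.0.113.7 m1001 tok_a5 declined
2026-01-10T02:00:41 203.0.113.7 m1001 tok_a6 approved
2026-01-10T09:15:00 198.51.100.4 m2002 tok_b1 declined
2026-01-10T09:16:30 198.51.100.4 m2002 tok_b1 approved
"""

WINDOW = timedelta(minutes=10)   # the "certain period of time" (assumed value)
MAX_ATTEMPTS = 5                 # attempts per IP or per member ID within the window
MAX_DISTINCT_CARDS = 3           # distinct card tokens per IP within the window

def parse(line):
    ts, ip, member, token, result = line.split()
    return datetime.fromisoformat(ts), ip, member, token, result

def detect_mass_attack(lines, window=WINDOW, max_attempts=MAX_ATTEMPTS,
                       max_cards=MAX_DISTINCT_CARDS):
    """Sliding-window velocity check.
    Returns {("ip" | "member", value): ISO time at which that key should first be blocked}."""
    history = defaultdict(deque)   # key -> deque of (timestamp, card token), oldest first
    blocked = {}
    for line in lines:
        ts, ip, member, token, _result = parse(line)
        for key in (("ip", ip), ("member", member)):
            q = history[key]
            q.append((ts, token))
            while ts - q[0][0] > window:   # drop attempts that fell out of the window
                q.popleft()
            distinct_cards = len({t for _, t in q})
            too_many = len(q) > max_attempts
            # A genuine user retrying the same card is not card cycling; a bot feeding
            # one new number after another from one IP is.
            card_cycling = key[0] == "ip" and distinct_cards > max_cards
            if key not in blocked and (too_many or card_cycling):
                blocked[key] = ts.isoformat()
    return blocked

if __name__ == "__main__":
    for key, when in detect_mass_attack(SAMPLE_LOG.splitlines()).items():
        print(f"block {key[0]} {key[1]} from {when}")
```

Blocking on distinct card tokens rather than raw attempt count is what keeps a legitimate member who retries a mistyped card from being locked out.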

3-2. [At payment] Proof of authenticity

This is the area where the already introduced 3D Secure plays the leading role.

  • Proper operation of 3D Secure:
    With risk-based authentication, genuine users are not asked for a password (frictionless) and only suspicious transactions are challenged, providing both security and convenience. Implementation is not the end: monitor the authentication success rate (cart abandonment rate) and fraud occurrence, and adjust the settings as needed.
  • Security Code (card-face authentication):
    This is the most basic of basics, but requiring entry of the Security Code (CVC/CVV) on the back of the card prevents the use of card information leaked through magnetic stripe skimming, which does not include the Security Code.

3-3. [Post-payment] The last fortress

This is the last bastion for stopping "clever fraud" that has slipped through the payment system, before the goods are shipped.

  • Attribute and behavior analysis (fraud detection solutions):
    An effective measure taken before shipment. After payment completes, order data, shipping information, device information, IP address, past transaction history and the like are analyzed and scored using AI and machine learning.

Examples of attribute and behavior analysis tools

  • Forter: A highly accurate, real-time fraud detection solution based on massive transaction data
  • Sift: A global fraud detection solution powered by AI and machine learning
  • ASUKA: A fraud detection solution based on a unique model that learns from fraud trends in Japan

  • Use of a fraudulent shipping information database:
    A database of addresses and phone numbers used in past fraud is provided. You can build a mechanism that matches order information against it and puts the shipment on hold if there is a hit.

4. The best combination is "3D Secure × fraud detection solution"

One of the concerns that many e-commerce businesses have is "cost". It can be difficult to implement all measures at full specification.

However, the highest return on investment (ROI) within a limited budget comes from combining 3D Secure with a fraud detection solution.

Why is "combination" recommended?

3D Secure is a tool for checking whether the user is who they claim to be. However, if the credentials have been stolen through phishing or the like, 3D Secure wrongly concludes that the attacker is the genuine user (this is the limitation of 3D Secure).

That's where "fraud detection solutions" come in.

Fraud detection solutions determine risk on a different axis than identity verification.

  • "This device has been used fraudulently in the past."
  • "Highly resalable products are being bought in a short period of time at 2 a.m."
  • "The shipping address matches an address involved in a past incident."

In this way, even when the credentials are correct, anomalies such as "strange behavior" or an "unnatural context" can be detected and blocked.

Only by combining the "strong gate" of 3D Secure with the "excellent surveillance camera" of a fraud detection solution are "line countermeasures" without blind spots complete.
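To make the point of 3-3 and section 4 concrete, here is an added example (not the code of Forter, Sift, ASUKA or GMO-PG) of post-payment scoring on the axes listed above: device history, late-night purchase of high-resale goods, and a match against a database of shipping addresses and phone numbers used in past fraud. The 3D Secure result is carried on the order but deliberately not used, which is exactly why phished credentials do not get through; all rules, weights, thresholds and reference values are assumptions constructed for illustration.

```python
import re
import unicodedata
from dataclasses import dataclass

# Constructed reference data (hypothetical values, not real indicators of anything).
KNOWN_FRAUD_DEVICES = {"dev_7f3a"}                 # device fingerprints seen in past fraud
FRAUD_SHIPPING_DB = {"chiyodaku123samplebldg401"}  # normalized addresses from past fraud
FRAUD_PHONES = {"09000000000"}                     # normalized phone numbers from past fraud
HIGH_RESALE = {"game_console", "brand_goods", "appliance", "cosmetics"}

def normalize(text):
    """Fold full-width characters and case and drop spaces and hyphen variants,
    so '1-2-3', '１－２－３' and '1 2 3' all match the same database entry."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"[\s\-‐‑–—−]", "", folded)

@dataclass
class Order:
    order_id: str
    hour: int                 # local hour the order was placed (0-23)
    device_id: str
    ship_address: str
    ship_phone: str
    account_age_days: int
    items: list               # [(category, quantity), ...]
    three_ds_passed: bool     # 3D Secure result; deliberately NOT used for scoring

def score_order(o):
    """Additive rule score on axes other than identity verification."""
    score, reasons = 0, []
    if o.device_id in KNOWN_FRAUD_DEVICES:
        score += 50; reasons.append("device used in past fraud")
    if normalize(o.ship_address) in FRAUD_SHIPPING_DB or normalize(o.ship_phone) in FRAUD_PHONES:
        score += 40; reasons.append("shipping info matches past fraud")
    resale_qty = sum(q for cat, q in o.items if cat in HIGH_RESALE)
    if 0 <= o.hour < 5 and resale_qty >= 3:
        score += 30; reasons.append("late-night bulk order of high-resale goods")
    if o.account_age_days < 7:
        score += 15; reasons.append("newly created account")
    return score, reasons

def decide(o):
    """Map the score to ship / hold (review before shipping) / block."""
    score, reasons = score_order(o)
    action = "block" if score >= 70 else "hold" if score >= 40 else "ship"
    return action, score, reasons

# Constructed orders: B passed 3D Secure (phished credentials) yet is blocked on context.
ORDER_A = Order("A", 14, "dev_home", "Minato-ku 4-5-6", "03-1234-5678", 800, [("cosmetics", 1)], True)
ORDER_B = Order("B", 2, "dev_7f3a", "Chiyoda-ku １－２－３ Sample Bldg 401", "090-0000-0000", 1,
                [("game_console", 3)], True)
```

The normalization step matters in practice: a database hit is missed if the attacker merely switches to full-width digits or drops the hyphens in the address.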

5. [Free DL] Is your site okay? Overhaul your security

There is no end to security measures. Responding to the April 2025 mandate (in principle) of 3D Secure was only the "starting line".

Now in 2026, it is necessary to rethink your company's security posture.

"I want to reconfirm whether there were any omissions in last year's response."

"I don't know which specific tools can be combined to improve safety while keeping costs down."

For such e-commerce businesses, we have prepared a document titled "Credit Card Fraud: Current Status and Countermeasures".

This document covers the following information so that you can immediately implement the "line countermeasures" explained in this article.

  • Security Checklist
    A list of more than 20 essential items that e-commerce businesses should review now, such as access restrictions on the admin screen (IP restrictions, two-factor authentication) and unconfigured data directory settings.
  • Recommended measures: cost-oriented vs. robustness-oriented
    Illustrated examples of the composition of a "Minimum Necessary Essential Security Measures Plan" and a "Comprehensive Robust Security Measures Plan".
  • Specific attack methods and countermeasure flow
    In the unlikely event of an information leak or fraud, a time-series flowchart from "initial response" through "investigation" to "disclosure and recurrence prevention".

Attackers are always looking for "gaps" in countermeasures. Once harm is done, regaining lost trust costs many times more in money and time.

First of all, please use this document as a first step to understand the current status of your company's "protection" and take necessary measures.

■ For fraud countermeasures, PG Multi-Payment Service

GMO Payment Gateway's "PG Multi-Payment Service" is more than just a payment processing service.

In addition to supporting the introduction of 3D Secure, we provide one-stop security measures tailored to your company's challenges, including the fraud detection solutions "Forter" and "Sift" introduced in this article and the "mass attack blocking service" that prevents credit master attacks.

We also accept consultations such as "I want to reduce fraud without increasing the number of cart drops" and "I want to know the best combination of tools for my company". Please feel free to contact us.
