Security Bulletin
10 Questions Answered About EMV 3-D Secure! Explanation of how it works and its benefits
Key points of this article
- We explain the key points of the schedule for the "mandatory introduction" at the end of March 2025.
- We organize the cases that are exceptions to the exemption, such as the second and subsequent charges of a recurring payment.
- We check the penalties and risks that arise if you do not implement it.
With a deadline of March 2025, all e-commerce merchants are required to introduce the identity authentication service "EMV 3-D Secure". GMO Payment Gateway (hereinafter "GMO-PG") has held several seminars on introducing EMV 3-D Secure for merchants who are considering it. Here we pick up and answer many of the questions raised at those seminars.
Takuro Zaitsu of GMO-PG, who is also a member of the EMV 3-D Secure Implementation Promotion Working Group, will answer.
(Updated on July 12, 2024)
(1) What are the advantages and disadvantages of EMV 3-D Secure?
Advantages
- Effective in suppressing fraud (Reference: Security measures to reduce fraud to 1/100)
- Chargeback exemption
Disadvantages (Challenges)
Given the advantages above, we believe there are no disadvantages for merchants, but we recognize that issues remain with the accuracy of judgments.
We look forward to improving the accuracy of risk-based authentication in the future.
(2) What is mandatory?
Version 4.0 of the Credit Card Security Guidelines, published in March 2023, clearly states that "in principle, all e-commerce merchants are required to implement EMV 3-D Secure by the end of March 2025."
(What are credit card security guidelines?)
Taking the measures listed in the Guidelines is considered to meet the security standards set forth in the Installment Sales Act.
Therefore, in principle, all merchants using credit card payment are required to implement EMV 3-D Secure.
In addition, even if the merchant does not retain personal information, including credit card information, or uses redirect-type payment, it must implement EMV 3-D Secure.
The amount of fraud damage in Japan continues to rise, which also supports the case for implementing EMV 3-D Secure.
EMV 3-D Secure has already become mandatory in Europe and the United States, and fraud damage has been reduced.
(3) Is my shop out of scope for introduction?
Because the target is stated as "in principle, all e-commerce merchants", we often receive inquiries asking whether one's own shop might be out of scope.
There are some cases that are not covered, but only under limited requirements, so it is basically best to assume first that your company should introduce it.
Since EMV 3-D Secure authentication requires action by the cardholder, it is recommended to set up authentication for transactions with "customer touchpoints*".
*"Customer touchpoints" here means situations where the end user can directly operate the transaction.
Here is an example:
◆Transactions on EC and service sites where membership registration is required (payment each time)
EMV 3-D Secure deployment is required.
Please set up EMV 3-D Secure authentication both when credit card information is registered and at every payment.
◆Subscription-type and other continuing payments / recurring transactions
EMV 3-D Secure deployment is required.
Please set EMV 3-D Secure authentication to run when membership and card information are registered for the first time, or at the first payment.
At the second and subsequent payments, authentication does not take place because no "customer touchpoint" occurs.
Continuing payments and transactions in which the end user does not submit the card number, that is, transactions without customer contact such as recurring transactions, are called merchant-attributed transactions; because they cannot be authenticated, they are exceptions to authentication.
However, if a chargeback arises from the second or a subsequent payment, it is not exempt and the chargeback applies.
◆If you use online credit card payment for membership fees and usage fees
EMV 3-D Secure deployment is required.
Whether EMV 3-D Secure must be introduced does not depend on the products handled.
In addition to individually developed systems and cart systems, please set up authentication for redirect-type payment* as well.
However, EMV 3-D Secure does not have to be introduced where access from outside is restricted by an intranet environment, IP address, etc., as with transactions on an employee-only site or a sales-agent-only site, and the site is designed so that an unspecified number of people cannot use it because users are identified (the system takes measures to allow transactions only with specific people, so the probability of fraud due to spoofing is extremely low).
In addition, even where it has not been introduced, EMV 3-D Secure must be introduced if the merchant becomes one that has suffered fraud (more than 500,000 yen for 3 consecutive months), or if the card company (acquirer) or PSP determines that countermeasures are highly urgent because fraud has occurred.
*Redirect-type payment is a method that transitions to a dedicated payment screen during the payment procedure. Merchants can achieve secure payment without touching sensitive information such as card numbers. At GMO Payment Gateway, this corresponds to Link Type Plus.
◆Transactions using BtoB e-commerce sites or BtoB carts
With some exceptions, EMV 3-D Secure deployment is required.
For BtoB transactions on sites where the credit cards accepted are limited to those of sole proprietors or corporations under contract, it is permissible not to implement EMV 3-D Secure (the system takes measures to transact only with specific people, so the probability of fraud due to spoofing is extremely low).
Examples include sites where the credit cards that can be used are limited, sites dedicated to business owners, sites dedicated to corporate transactions, and accommodation payment transactions that accept only corporate contract cards.
However, if you use a general cart system for corporations, if credit cards are not limited to businesses and corporations, or if BtoB and BtoC transactions are mixed, you will need to implement EMV 3-D Secure because there is a risk of fraud due to spoofing.
In addition, since EMV 3-D Secure is introduced on a shop-by-shop basis, where part of a shop is operated as closed, it is desirable to include authentication in the closed transactions as well.
(4) Are there any exceptions to the chargeback exemption?
One of the biggest advantages of introduction for merchants is the chargeback exemption.
If fraud occurs in a transaction that has been authenticated by EMV 3-D Secure, the chargeback is, in principle, borne by the credit card company (issuer).
However, even if EMV 3-D Secure has been introduced, fraud in a merchant-attributed transaction for which EMV 3-D Secure authentication was not performed will still be charged back to the merchant.
◆Examples where the chargeback exemption does not apply
- Fraud that occurred during a recurring charge (the second time onward) of a recurring payment
- Transactions that do not take authorization when viewed in transaction units
- Re-authorization on the merchant's side due to a change in amount, etc. (a transaction whose authorization is completed without any action by the end user)
- Chargebacks by a third party for reasons other than fraud, such as non-fulfilment of the contract (failure to provide the product)
- If you do not cooperate with usage surveys, etc.
In addition, since November 2023, merchants whose fraud amount is "over 500,000 yen for 3 consecutive months" are required to introduce it immediately.
Merchants that have had 5 or more fraud cases in the past two years or a cumulative total of 100,000 yen or more, and merchants handling high-risk products, are required to introduce it as soon as possible.
(5) I am concerned about worse usability, such as customers stumbling over the operation
There may be concerns about end users who are not familiar with EMV 3-D Secure and cannot get through the payment, for example because they stumble over the additional authentication screen or cannot complete the payment because they do not know their password.
What merchants can do is use the purchase guide on the EC site. Including items such as the following is recommended:
- How to respond to additional authentication screens in credit card payment
- Instructions on the displayed screen
Each credit card company has a page with examples of screens at the time of additional authentication.
It would be a good idea to refer to them.
At the same time, credit card companies (issuers) are also obliged to make efforts, and as understanding and awareness among customers (card members) are promoted, familiarity with how to use it will improve.
(6) I am worried about cart abandonment and cannot bring myself to introduce it.
The introduction of EMV 3-D Secure is a measure specified in the "Credit Card Security Guidelines", the practical guideline for the security measures stipulated in the Installment Sales Act, and in principle it is to be implemented by all merchants.
If you are unsure whether your business is eligible for EMV 3-D Secure, please contact your GMO-PG sales representative or credit card company (issuer).
Legacy 3D Secure, which ran until 2022, always required additional authentication at every payment. This is considered a major factor in cart abandonment, and EMV 3-D Secure has significantly improved this with risk-based authentication.
In addition, merchants can further improve the accuracy of risk-based authentication by setting additional parameters.
EMV 3-D Secure reduces additional authentication, which was 100% in the conventional model, to about 1/3 by inserting a risk judgment through risk-based authentication.
Generally speaking, we consider cart abandonment to be the portion rejected in the series of flows before approval, so the cart abandonment rate of EMV 3-D Secure can be said to be about 6%.
Reference: Approval rate of GMO-PG merchants on a single day in June 2023
Furthermore, we believe that as introduction increases, issuers proceed with accuracy tuning and one-time passwords, and end users become familiar with the process, a market will form in which the very concept of "cart abandonment due to EMV 3-D Secure" disappears.
(7) What happens if I don't implement it by the deadline?
The deadline for implementing EMV 3-D Secure is the end of March 2025. There is a two-year preparation period after the requirement was specified.
In addition, in November 2023 it was stated that "merchants who have had 5 or more cases of fraud or a cumulative total of 100,000 yen or more or those that handle high-risk products will be required to introduce it as soon as possible," and we are actively providing support.
If it is not introduced by the deadline, the following risks can be expected.
- You may be charged a penalty in addition to incurring chargebacks (this currently already applies to the VISA brand)
- Suspension of credit card use at the merchant = credit card payment not available on the end user's side
- Shops that have not implemented it tend to be targeted, so fraud damage at your company increases
(8) How long is the estimated preparation and development period for implementation?
The schedule varies depending on the system and cart you are using.
Most of the cart systems that can be linked with PG Multi-Payment Service support EMV 3-D Secure, making it possible to introduce it while keeping development costs low.
However, for EC-CUBE 2 series and below, the standard module does not support EMV 3-D Secure. To use the standard module, it is necessary to upgrade to the 3 series or higher.
In the past, when non-retention of credit card information became mandatory, similar development requests were concentrated on vendors, and there were cases where the work was not completed by the deadline even though preparations had been under way for six months.
In addition to confirming whether the system you are using is compatible, we recommend that you consult with your development vendor and with us as soon as possible if you are considering setting parameters.
(9) I heard that it is necessary to obtain consent for the provision of personal information
The parameters we recommend to improve the accuracy of EMV 3-D Secure risk-based authentication include personally identifiable information.
Therefore, when operating EMV 3-D Secure, it is necessary to notify users that their personal information will be collected according to the parameters and provided to third parties (credit card companies, etc.), and to obtain their consent.
If the personal information protection policy on the merchant's website states that Google is the only third party to which information is provided, it is necessary to amend it.
Please consult with your Legal Department and revise and publish it before the start of operation.

(10) How much is the initial cost, monthly usage fee, etc.?
GMO-PG does not charge an initial cost for EMV 3-D Secure implementation.
We only charge the monthly usage fee from the billing start month set by the merchant.
As mentioned in (8), the initial development cost varies for each merchant, for example between cases where everything from implementation to operation is completed in-house and cases where a cart system is used and the vendor is asked to do the development.
If the cart system itself is changed, there will be costs other than EMV 3-D Secure introduction and development, so please consult with us as soon as possible and request a quote.
Conclusion
EMV 3-D Secure is a security measure for realizing safe and secure transactions for both merchants and end users.
We expect that each merchant is weighing various considerations.
GMO-PG provides advice and support from sales representatives and customer support to ensure that merchants can smoothly implement EMV 3-D Secure.
Please feel free to contact us.
What are credit card security guidelines?
This is a practical guideline for the obligation to take security measures stipulated in the Installment Sales Act (under the jurisdiction of the Ministry of Economy, Trade and Industry). It sets out the security measures to be implemented by business operators involved in credit card payment; if the listed measures, or equivalent or stronger ones, are appropriately taken, the security measures stipulated in the Installment Sales Act are recognized as met.
Reference article: Thorough explanation of the "Credit Card Security Guidelines" that e-commerce businesses should know

Author
PX+ by GMO Editorial Department
The PX+ by GMO editorial team is GMO Payment Gateway's dedicated media team specializing in the payment and Payment Experience (PX) area.
Based on the latest trends and practical know-how related to payment, e-commerce operations and cashless in general, as well as examples of growing companies, we compile and supervise practical and reliable information that is useful for business growth.