Security Bulletin
Article published:
One year since 3D Secure became mandatory: Guidelines 6.1 point the way to both fraud control and sales improvement
Key points of this article
- Analyze the outcomes and challenges one year after the 3D Secure mandate, with a perspective on preventing cart abandonment and maximizing sales
- Explain the importance of defense-in-depth, focusing on attribute behavior analysis, which is at the core of the latest version of the guidelines
- Based on the newly published annex of case examples, show how to build a highly effective operational system that compensates for limited resources
One year after the 3D Secure mandate: what is the new standard that balances sales maximization and fraud control?
One year has passed since EMV 3-D Secure (hereinafter "3D Secure") became mandatory in principle. According to data published by the Japan Credit Association, credit card fraud losses in 2025 decreased compared to the previous year, and losses from card number theft also decreased. On the other hand, issues directly tied to sales, such as "abandoned carts" and "declining authorization approval rates", remain in the field. Against this background, the latest roadmap, the "Credit Card Security Guidelines [Version 6.1]", was announced on March 12, 2026. Although this revision adds no new guidelines or measures, it indicates that "steadily implementing the measures already laid out" is the answer to increasingly sophisticated attacks. In this article, Takuro Zaitsu of GMO Payment Gateway (GMO-PG), a member of a working group under the Credit Transaction Security Council, explains the importance of "defense-in-depth" and the newly added supplementary document, and lays out e-commerce security measures for 2026. We present concrete measures that turn security from a cost into an investment in business growth.
Outline of the Credit Card Security Guidelines Version 6.1 Requirements for E-commerce Businesses
Version 6.1 of the Credit Card Security Guidelines, published on March 12, 2026, adds no new items to the requirements for e-commerce businesses. This means that the measures already laid out, listed below, have been redefined as the foundation for the safety of e-commerce businesses and as the correct answer to current threats.
Continuing from the previous version 6.0 of the guidelines, the main responses required of e-commerce businesses are summarized in the following two points.
1. Guidelines for card information protection measures at e-commerce merchants
- Implementation of "vulnerability countermeasures" in the systems and websites of e-commerce merchants
2. Guidelines for fraud measures at e-commerce merchants
- Implementation of EMV 3-D Secure
- Implementation of appropriate anti-fraud login measures
Version 6.1 builds on these foundational countermeasures and goes deeper into the concept of "defense-in-depth", in order to overcome new challenges such as "abandoned carts" and "declining authorization approval rates" that followed the introduction of 3D Secure, and to respond to increasingly sophisticated cyberattacks.
Evaluating the 3D Secure mandate: management risks hidden behind "fraud reduction"
In 2025, the Japanese e-commerce payment scene reached a major milestone. As stated in the Credit Card Security Guidelines, the practical guideline under the Installment Sales Act, it became mandatory in principle for all e-commerce merchants to introduce 3D Secure for identity authentication. With version 6.1 of the Credit Card Security Guidelines, it is time to take stock of the results and issues about one year after its introduction.
The numbers speak for 3D Secure's success in curbing fraud
According to statistics released by the Japan Credit Association (JCA), fraud losses from card number theft, which had been rising rapidly since 2021, show a clear downward trend from 2025. This is evidence that e-commerce operators' adoption of 3D Secure, together with the risk-based authentication it provides, is helping to keep fraud in check.
[Figure: Fraud losses from card number theft, 2020-2025 (annual), unit: 100 million yen. Source: Japan Credit Association, "Credit Card Fraud Damage Occurrence Status" (March 2026); preliminary data for 2025]
In 3D Secure identity authentication, the card issuer determines whether the transaction comes from the genuine cardholder based on device information, card information, and information about the incoming transaction. If the issuer judges that the person is the cardholder, that is, the risk that it is someone else is low, the transaction completes without any extra step for the user.
[Figure: 3D Secure flow. Card information registration, then an authentication request carrying device information (OS language/type, IP address, access area, etc.); additional authentication (ID/PW, etc.) is either executed or skipped depending on the risk judgment]
While the previous 3D Secure (3D Secure 1.0) required a password to be entered every time, the frictionless flow lets many users complete identity authentication without entering a password. Standardizing protection by making the introduction of 3D Secure mandatory in principle is raising the safety level of Japan's payment infrastructure.
The emerging dilemma of "cart abandonment" versus "approval rate"
Although fraud has been suppressed, merchants have raised some issues.
One is cart abandonment at the additional authentication (challenge authentication) required when the risk-based judgment returns "medium". Mistakes in entering the one-time password issued for the additional authentication, and the time lag before the authentication screen appears, act as barriers that reduce the desire to purchase and lead users to leave the payment screen.
In addition, stricter fraud determination by the card issuer cannot be ignored. In principle, for transactions authenticated by 3D Secure, the chargeback risk is borne by the card issuer. To limit that chargeback risk, issuers' fraud judgments have become stricter, producing "false positives in risk-based authentication" and "declining authorization approval rates", where transactions from legitimate users are rejected as "suspicious". For merchants this is a lost opportunity. Strengthening security ends up driving away good customers; version 6.1 of the Credit Card Security Guidelines presents solutions to this paradox.
The "current position" of increasingly sophisticated cyberattacks: why 3D Secure alone is not enough
One factor behind the release of version 6.1 of the Credit Card Security Guidelines is the evolution and sophistication of attack methods. List-based attacks (credential stuffing) and simple information theft are a thing of the past; today's attackers are organized and use the latest technology. Here we introduce the latest fraud cases based on the newly released "Case Collection of Merchants Achieving Fraud Deterrence".
1. The impact of "real-time phishing"
"Real-time phishing" currently demands wide vigilance. Attackers direct users to elaborately crafted fake e-commerce sites and login screens. Up to this point it is the same as before; what is surprising is the speed of what follows.
The moment a user enters card information or a one-time password into the fake site, an attack program running behind the scenes relays that information into the legitimate payment screen in "real time". In other words, the "lock" that is 3D Secure is opened by the user's own hand. Against this method, even the most robust authentication system is defeated.
Rather than operating 3D Secure on its own, hybrid operation with the "attribute behavior analysis (fraud detection system)" introduced in the annex to this guideline has been shown to remain a strong shield against real-time phishing.
2. "Account takeover (ATO)" that bypasses authentication
Another threat is account takeover (ATO). Using an ID and password obtained through phishing or malware infection, the attacker impersonates a legitimate member and logs in to the e-commerce site.
Since payment uses the "saved card" registered in the membership information, the card company tends to treat it as "a transaction by the usual logged-in person", and the likelihood of passing the 3D Secure check without additional authentication (frictionless) increases. Such impersonation is extremely difficult to prevent at the payment step alone.
The essence of the latest guidelines: promoting multi-layered defense that protects along a "line"
Version 6.1 of the Credit Card Security Guidelines, published in March 2026, takes "defense-in-depth (multi-layer defense)" to the next level. The newly added annex provides examples of real operators who have successfully contained fraud from sophisticated attacks with multiple countermeasures, including 3D Secure.
1. "Attribute behavior analysis" performed "in front of" the payment
One of the key points of version 6.1 is the use of "attribute behavior analysis (fraud detection service)" before the payment is executed.
While 3D Secure confirms whether the card belongs to the person using it, attribute behavior analysis determines whether the transaction itself is suspicious, from a large number of data points and from multiple angles.
As examples, each fraud detection system's logic evaluates "behaviors" such as the following.
- Device fingerprinting: Is this the same device that has committed fraud on other sites in the past?
- Network information: Is the access unnaturally routed through a proxy server or VPN?
- Typing and scrolling behavior: Is the session operated by an automated bot rather than a human?
- Intra-site navigation: Is the user adding only high-priced products to the cart without viewing any product pages?
How accurately you can capture the user across the whole flow, from site visit to payment completion, is the form of defense required today.
2. "Hybrid operation" of fraud detection systems and 3D Secure
It is important to note that fraud detection services and 3D Secure are not an either-or choice. Hybrid operation, in which a fraud detection service and 3D Secure are used together to make a more accurate decision for each transaction and pass the result to the card issuer, is also recommended.
One example of combined operation is to perform attribute behavior analysis first and then run 3D Secure authentication according to the result. Transactions that attribute behavior analysis determines were made by the cardholder proceed smoothly to payment (authorization). Transactions that attribute behavior analysis marks as gray proceed to 3D Secure, and if the issuer's risk-based authentication rejects them, the payment itself is stopped.
In this way, by setting appropriate hurdles at multiple stages, it is possible to achieve both "ensuring safety" and "preventing abandonment".
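The staged flow above, written out as a small decision engine. This is an added illustration, not code from GMO-PG or from any fraud detection product: the four signal families come from the list in the previous section, while the signal weights, the thresholds, the denylist and the transaction fields are assumptions.

```python
"""Hybrid operation sketch: attribute behavior analysis runs first and decides
whether a transaction goes straight to authorization, is sent to 3D Secure,
or is stopped. All weights, thresholds and field names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed denylist of device fingerprints seen in past fraud (assumption).
KNOWN_FRAUD_DEVICES = {"fp-7f3a"}

# Score thresholds for the three outcomes (assumed values).
LOW, HIGH = 20, 70


@dataclass
class Transaction:
    device_fp: str               # device fingerprint
    via_proxy_or_vpn: bool       # network information
    keystroke_interval_ms: float  # mean typing interval; near zero suggests a bot
    product_pages_viewed: int    # intra-site navigation before checkout
    cart_total_yen: int


def attribute_behavior_score(tx: Transaction) -> Tuple[int, List[str]]:
    """Return a 0-100 risk score (higher is riskier) plus the reasons that fired."""
    score, reasons = 0, []
    if tx.device_fp in KNOWN_FRAUD_DEVICES:
        score += 60; reasons.append("device seen in past fraud")
    if tx.via_proxy_or_vpn:
        score += 20; reasons.append("access via proxy/VPN")
    if tx.keystroke_interval_ms < 20:
        score += 30; reasons.append("bot-like input timing")
    if tx.product_pages_viewed == 0 and tx.cart_total_yen >= 50_000:
        score += 25; reasons.append("high-value cart without browsing")
    return min(score, 100), reasons


def route(tx: Transaction) -> str:
    """First stage: 'authorize' (frictionless), '3ds' (gray zone) or 'block'."""
    score, _ = attribute_behavior_score(tx)
    if score < LOW:
        return "authorize"
    if score >= HIGH:
        return "block"
    return "3ds"


def decide(tx: Transaction, three_ds_result: Optional[str] = None) -> str:
    """Full flow. For gray transactions, three_ds_result is the issuer's
    risk-based authentication outcome ('authenticated' or 'rejected');
    None means the 3D Secure step has not run yet."""
    first_stage = route(tx)
    if first_stage != "3ds":
        return first_stage
    if three_ds_result is None:
        return "3ds"  # hand off to 3D Secure and wait for the issuer
    # A rejection from risk-based authentication stops the payment itself.
    return "authorize" if three_ds_result == "authenticated" else "block"
```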
Why you need a payment service provider (PSP) as your partner for a safe and secure payment environment
The response called for by version 6.1 of the Credit Card Security Guidelines is not one-size-fits-all. Rather, the "operation" after introduction decides victory or defeat.
1. System "tuning" affects sales
Even after introducing a fraud detection system, we hear of failure cases where "fraud stopped, but sales fell at the same time." This happens when the fraud detection criteria are "too strict (over-detection)". Conversely, criteria that are "too loose" in turn lead to more chargebacks (reversed sales due to fraud). The optimal judgment criteria shift from moment to moment depending on your e-commerce site's products, customer base, and the timing of events such as sales. Performing this fine tuning in-house by hand requires expertise and a huge amount of time. That is why the knowledge of a PSP such as GMO-PG is needed. We hold data on tens of thousands of transactions and can advise you both from a macro perspective on what attacks are being carried out and from your individual merchant data.
2. Support through "systems" to overcome human resource constraints
The version 6.1 annex lists "securing the right human resources" and "continuous review" as common denominators of companies that have successfully curbed fraud. However, for many merchants it is realistically difficult to have a dedicated security person. We therefore offer a variety of solutions that can act as an external security organization. By working with external organizations and systems to strengthen the organizational and structural side, merchants can focus their own "wisdom and ingenuity (selection and concentration)" on improving fraud incidence and authorization approval rates while compensating for the lack of personnel. We do not aim at a simple introduction; we accompany you as a partner who shares the "high motivation" to maximize sales.
3. Dialogue with the card issuer
Understanding card issuers is also essential to improving authorization approval rates. For example, if a particular card company temporarily tightens its security settings, the authorization approval rate will not rise no matter what measures the merchant takes. As a PSP, GMO-PG works closely with card companies and supports the consulting side of authorization, such as identifying whether the cause of a decline in approval rates lies in the "merchant's settings" or in the "card issuer's judgment logic", and urging the card issuer to make improvements where necessary.
GMO-PG Takuro Zaitsu
"E-commerce Security Roadmap" to work on from tomorrow
The highlight of this revision, version 6.1 of the Credit Card Security Guidelines, is the enhancement of the "supplementary documents" that let merchants objectively grasp the status of their own countermeasures. This is an opportunity to leverage these technologies and move from simply complying with laws and regulations to an "autonomous security system" that controls risk on its own. We recommend first revisiting your security strategy in the following three steps:
Step 1: Conduct a current "health check"
Before any professional log analysis, use your usual Google Analytics 4 (GA4) or cart management screen to visualize what is happening now.
- Metric (1): Completion rate by payment method (CVR by payment method). Is the completion rate of users who choose credit card payment extremely low compared to other payment methods (e.g., "Pay" services)? If there is an extreme difference, that is evidence of "some kind of wall" in the payment process.
- Metric (2): Percentage of users who reached the final confirmation screen with the "Confirm order" button but did not complete the order. Drop-off here directly suggests friction in 3D Secure authentication or rejection by card companies.
Poor numbers here mean not just a security issue but a significant lost opportunity. For more in-depth figures such as the 3D Secure authentication success rate, contact your PSP to understand the users who visited your site at high resolution.
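The two Step 1 metrics computed from a checkout event log rather than read off a GA4 report. This is an added example, not tooling from GMO-PG or GA4: the event names, the CSV layout and the sample sessions are constructed, and the 70% "extreme difference" cutoff is an assumption.

```python
"""Compute CVR by payment method and final-confirmation drop-off from a
constructed per-session event log. Format and event names are assumptions."""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List

# Constructed sample log: one row per event, session_id,event,payment_method.
SAMPLE_LOG = """session_id,event,payment_method
s1,payment_selected,card
s1,confirm_screen,card
s1,order_completed,card
s2,payment_selected,card
s2,confirm_screen,card
s3,payment_selected,card
s3,confirm_screen,card
s4,payment_selected,card
s5,payment_selected,card
s5,confirm_screen,card
s5,order_completed,card
s6,payment_selected,pay_service
s6,confirm_screen,pay_service
s6,order_completed,pay_service
s7,payment_selected,pay_service
s7,confirm_screen,pay_service
s7,order_completed,pay_service
s8,payment_selected,pay_service
s8,confirm_screen,pay_service
"""


def funnel_metrics(log_text: str) -> Dict[str, Dict[str, float]]:
    """Per payment method: sessions that selected it, reached the confirm
    screen, completed; plus CVR and drop-off at the confirm screen."""
    sessions: Dict[str, Dict] = {}
    for row in csv.DictReader(StringIO(log_text)):
        s = sessions.setdefault(row["session_id"], {"method": row["payment_method"], "events": set()})
        s["events"].add(row["event"])
    counts = defaultdict(lambda: {"selected": 0, "confirm": 0, "completed": 0})
    for s in sessions.values():
        c = counts[s["method"]]
        c["selected"] += 1
        c["confirm"] += "confirm_screen" in s["events"]
        c["completed"] += "order_completed" in s["events"]
    for c in counts.values():
        # Metric (1): completion rate among users who chose this method.
        c["cvr"] = c["completed"] / c["selected"] if c["selected"] else 0.0
        # Metric (2): reached the "Confirm order" screen but never completed.
        c["confirm_dropoff"] = (c["confirm"] - c["completed"]) / c["confirm"] if c["confirm"] else 0.0
    return dict(counts)


def methods_with_payment_wall(metrics: Dict[str, Dict[str, float]], cutoff: float = 0.7) -> List[str]:
    """Flag methods whose CVR is below `cutoff` times the best method's CVR."""
    best = max(m["cvr"] for m in metrics.values())
    return sorted(name for name, m in metrics.items() if m["cvr"] < cutoff * best)
```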
Step 2: Update your organization's security awareness
Share the "abandonment" data you saw in Step 1 not only with e-commerce staff but also with internal marketers and management.
With the idea that "security is a cost", significant growth in the e-commerce business cannot be expected. Security measures that prevent cart abandonment and raise approval rates are excellent "CVR (conversion rate) improvement measures".
Executives need to position security not as an IT-only issue but as part of management strategy to maximize sales.
Step 3: Choose a scalable security solution
The Credit Card Security Guidelines will continue to be updated in response to attacks. Choosing scalable solutions that can respond to future changes in threats, rather than temporary measures, and building a medium- to long-term operating system with reliable partners will ensure the sustainability of the e-commerce business.
Conclusion
Credit Card Security Guidelines version 6.1 is not a restriction on the business of e-commerce operators. Rather, in an opaque digital society, it can be a powerful weapon for giving customers the brand value of peace of mind and differentiating yourself from competitors.
Prevent fraud before it happens and provide a smooth shopping experience for good customers. This "offensive security" is the winning formula for e-commerce in 2026 and beyond.
GMO-PG is more than a provider of payment methods. We want to be a partner that creates an environment where e-commerce businesses can be freed from security concerns and focus on growth.
If you feel even slightly uneasy about your company's "current position", please feel free to contact GMO-PG. Based on data, we will consult with you to organize and improve the current situation.
For more information about this article and support in selecting and implementing specific fraud detection tools, please contact us below.
Service Introduction
PG Multi-Payment Service
PG Multi-Payment Service is a payment platform provided by GMO Payment Gateway, Inc., a payment service provider (PSP). It has been adopted by a wide range of businesses, from startups to small and large companies, regardless of industry or size.
It provides a solid infrastructure supporting a huge volume of payments: 163,890 stores, annual transaction value of 21 trillion yen, and 7.22 billion transactions processed (*). It is also fully compliant with the global security standard PCI DSS v4.0.1, helping any business build a secure payment environment.
- Supports both one-time payments and subscriptions (recurring payments)
- Connection methods to suit your needs (OpenAPI type, Link Type Plus)
- HDI International Certified Customer Support Department Gate Provides Generous Support
*As of the end of September 2025, consolidated figures
Credit Card Security Guidelines version 6.1 (link: you will be redirected to the JCA website)
Supervisor
GMO Payment Gateway, Inc. General Manager, Business Planning Department, Industry Solutions Division 1 Sales Department
Takuro Zaitsu
Drawing on his experience in payment sales to many e-commerce businesses, from digital content to product sales, he is currently in charge of adding and planning new payment methods. From the PSP's standpoint, he also focuses on non-retention of credit card information and security education activities for e-commerce businesses.
He also serves as a member of a working group under the Credit Transaction Security Council that considers credit card security measures, and promotes secure payments that incorporate the latest trends in the industry.
