This impact analysis will examine the latest version of the Japan Consumer Credit Association’s credit card security guidelines, which mandate the use of EMV 3-D Secure, in comparison with the European Union's strong customer authentication (SCA) requirements under the revised Payment Services Directive (PSD2).
It will first lay out the historical background of both these regulatory regimes before comparing three aspects of these regulations:
- Applicability.
- Verification requirements.
- Permitted verification methods.
It will then examine whether these regimes are equivalent to each other and, if not, what additional measures credit card and other payment operators may need to take to comply with both regimes.
(JPY 1,000 ≈ USD 7.25)
3-D Secure and the JCA
3-D Secure, or EMV 3-D Secure in its current iteration, is software that uses an exchange of data and messages between the merchant and the issuer to authenticate the consumer making the transaction. It draws on a variety of data, including the transaction itself, the payment method and the customer’s device, to allow the issuer to identify and prevent fraudulent card transactions quickly and accurately, without adding unnecessary friction to the payment process.
The Japan Consumer Credit Association (JCA) originally introduced its credit card security guidelines in 2020. The JCA is a voluntary industry association whose members are licensed Japanese entities that provide consumer credit through various means, including credit cards, instalment sales and hire-purchase agreements.
The credit card security guidelines were originally a response to rising credit card fraud rates, especially in online transactions. A JCA survey predicted that the damage caused by unauthorised credit card use alone would be approximately JPY 33bn, with 2022 figures expected to surpass this.
At first, 3-D Secure required customers to enter a password to confirm their identity every time they made an online credit card purchase. In early 2023, however, the guidelines were revised to require credit card operators that are JCA members to implement EMV 3-D Secure by March 2025.
Under this latest version of EMV 3-D Secure, credit card firms can adopt a risk-based approach to verification: merchants supply credit card acquirers with data on the risk levels of different purchases from their stores, and this is combined with information such as the customer’s device. Low-risk transactions can then be completed without any additional verification, while higher-risk transactions must be verified by one of a variety of permissible methods, including passwords, one-time passwords and app-based biometric verification.
Strong Customer Authentication
The EU strong customer authentication (SCA) requirements are a security protocol developed to protect consumers against fraudulent online transactions. They were presented as part of the revised Payment Services Directive (PSD2) in 2015.
Online payment fraud has been a persistent problem in Europe, with Europol reporting that card-not-present (CNP) fraud accounted for 66 percent of all card-based fraud in the Single Euro Payments Area (SEPA) in 2013. This share subsequently rose to 80 percent in 2019, according to the European Central Bank (ECB). Reducing these fraudulent transactions while still maintaining user-friendliness was a key focus for the European Banking Authority when drafting the SCA standards.
All online transactions conducted by account information service providers (AISPs) and payment initiation service providers (PISPs) within the European Economic Area (EEA), where both the merchant and the consumer are located in the EEA, must adhere to the SCA standards.
The SCA requirements came into effect on September 14, 2019, with a deadline for compliance set for December 31, 2020. This was subsequently extended in the UK to March 14, 2022.
Applicability
The JCA’s guidelines mandate that all merchants conducting non-face-to-face credit card transactions implement EMV 3-D Secure by the end of March 2025 (see p. 38, para. 2, Credit Card Security Guidelines).
However, the JCA is an industry association, not a regulator. As such, the guidelines, although comprehensive, do not have any legal force aside from potentially rescinding a merchant’s membership.
The list of JCA members reveals that every major credit card issuer in the country is a member. This means any merchant wishing to avail themselves of the services of these card issuers and acquirers must comply with these guidelines.
On the other hand, Article 97(1) of PSD2 mandates that payment service providers (PSPs) carry out SCA when a payer:
- Accesses its payment account online.
- Initiates an electronic payment transaction.
- Carries out any action through a remote channel, which may imply a risk of payment fraud or other abuses.
Furthermore, Article 97(4) clarifies that this requirement also applies when the above actions are made through a third-party provider (TPP) such as an AISP.
Unlike Japan’s credit card security guidelines, the SCA has legal effect, as regulators, rather than an industry association, mandated its implementation.
Verification Requirements
The JCA mandates the use of EMV 3-D Secure in its Credit Card Security Guidelines 4.0. However, detailed procedures for its implementation are laid out in a separate document known as JCA’s Guidelines on 3-D Secure Implementation rather than the JCA’s general credit card security guidelines.
Although the JCA requires members that offer credit card services to use 3-D Secure for all transactions, it does not specify when members must conduct additional verification using methods such as passwords or biometrics. Under Section 6 of its 3-D Secure implementation guidelines, for instance, the JCA recommends that member stores provide as much data as they can on the risk levels of all transactions, but does not specify which transaction types or industries would be considered high risk, leaving merchants and their choice of 3-D Secure provider to decide.
Unlike Japan’s credit card security guidelines, the SCA regulation contains a number of exemptions under which authentication does not need to occur. For example, Articles 11 to 18 of the regulation include exemptions for low-value transactions, trusted beneficiaries, contactless payments and recurring transactions. Article 18 also allows a risk-based exemption, in a similar manner to the JCA’s guidelines.
The availability of these exemptions is where the similarity between the two regulatory regimes ends. The SCA regulation contains a number of requirements and criteria that PSPs must satisfy when applying the risk-based exemption. For example, Article 18(2)-(3) requires PSPs to conduct a real-time risk analysis of the consumer’s behaviour, including their location and the type of transaction, before classifying a transaction as low risk.
The JCA, in contrast, leaves merchants and 3-D Secure providers to decide whether a transaction poses a high or low risk. Although the JCA guidelines share some similarities with the SCA requirements in terms of verification, the SCA is a much more comprehensive regulatory regime.
Permitted Verification Methods
The JCA’s credit card security guidelines and Guidelines for the Smooth Implementation of 3-D Secure do not expressly state what verification methods are permitted but rather merely require JCA members to implement EMV 3-D Secure. This means that all verification methods approved by 3-D Secure providers are in compliance with these guidelines.
The JCA emphasises the benefits of EMV 3-D Secure (p. 39), stating that it allows a greater variety of verification methods, including biometric and app-based identity verification. However, once again, the form this verification takes is left to the 3-D Secure providers to specify themselves.
The SCA regulation, by contrast, has a set framework for what it requires of verification. Under Articles 6-8 of the regulation, PSPs must conduct two-factor authentication using elements from at least two of the following categories:
- Knowledge (something the consumer knows, such as a password).
- Possession (something the consumer owns, such as a specific device).
- Inherence (something that is part of the consumer, such as biometrics).
Given that existing verification through EMV 3-D Secure makes use of passwords, biometrics and app-based authentication, it would seem both regulatory regimes are similar in this regard, despite the JCA leaving this aspect to private agreement.
Bringing It All Together
Although it can be tempting to see both regimes as similar given that they both implement two-factor authentication, in reality they could not be more different. Because the SCA requirements are mandated by the European Commission and local regulators, their remit extends much further than the JCA guidelines, which apply only to JCA members, who in turn make up only one section of Japan’s payment market.
In addition, the JCA’s decision to leave verification methods and risk assessment entirely to the 3-D Secure providers and merchants means it cannot provide the same certainty that the SCA regime provides with its defined set of assessment criteria.
What This Means For Payments Firms
For payments firms in Japan, the implementation of 3-D Secure from global providers, such as Mastercard’s Identity Check and American Express’ SafeKey, would likely mean that they are compliant with the SCA requirements, given that these are widely accepted as SCA-compliant. That being said, the fact that the JCA’s guidelines only apply to credit card transactions means that Japanese firms will have to either expand the use of 3-D Secure or implement other verification methods if they wish to accept non-credit card payments from Europe.
The situation for European payments firms is much more straightforward: given that the JCA’s guidelines apply only to its members, European firms will be largely unaffected. They will, however, have to implement 3-D Secure if they wish to establish a business that accepts credit cards as a method of payment in Japan.