
3DS is no longer just a European compliance topic. Japan mandated EMV 3DS from April 2025. India and Bangladesh require 3DS 2 following scheme deprecations. France tightened issuer restrictions in March 2025. Australia applies a fraud-threshold framework. Markets like Brazil and South Africa are moving on authentication without formal mandates. For cross-border payment teams, 3DS coverage gaps show up in declined transactions.
3D Secure started as a European compliance requirement. It is now a global infrastructure expectation. Japan mandated it from April 2025. India deprecated 3DS 1 in late 2023. France tightened issuer-side restrictions in March 2025. For payment teams with cross-border flows, this is not a regional question anymore.
This article provides a current overview of the regulatory and scheme landscape by region.
The European Economic Area remains the most comprehensive 3DS regulatory environment. Under PSD2's Regulatory Technical Standards on SCA, all customer-initiated electronic payments where both the acquirer and issuer are based within the EEA require Strong Customer Authentication. 3DS 2 is the primary mechanism for satisfying this requirement for online card payments.
SCA enforcement was phased in across EU member states between 2019 and 2021. The UK applied equivalent rules under FCA guidance, with full enforcement from September 2021. France introduced additional issuer-side restrictions in early 2025: as of March 2025, French issuers are required to soft-decline non-3DS authorisation exemptions above 100 euros per cardholder per day, effectively removing a major workaround that some merchants had been relying on.
PSD3 is in legislative progress. While the regulation is not expected to substantially dismantle the SCA framework, it will likely clarify and tighten several grey areas including MOTO transaction scope and delegated authentication rules.
If you want to learn more about SCA exemptions under PSD2, read https://www.pci-proxy.com/blog-posts/sca-exemptions-under-psd2-a-practical-guide-for-payment-teams
Japan's Ministry of Economy, Trade and Industry (METI) published Credit Card Security Guidelines 5.0 in 2023, mandating EMV 3DS 2.0 for all e-commerce credit card transactions from April 1, 2025. The mandate applies to both domestic and cross-border transactions, across all card types, and regardless of any other fraud prevention measures already in place.
The commercial context is significant: Japan Credit Association data showed fraudulent credit card losses in 2024 reached a record 55.5 billion yen (approximately $370 million USD), with 92.5% of those losses originating from card-not-present fraud. The mandate is a direct regulatory response to a measurable fraud crisis.
JCB, the Japan-headquartered scheme, operates its own Directory Server, and any 3DS Server supporting Japanese merchants must be certified for JCB as well as Visa and Mastercard. Merchants on platforms that had not completed JCB certification by April 2025 face compliance gaps in one of their highest-value markets.
Certain transactions are exempt from the Japanese mandate, including recurring merchant-initiated transactions after the initial authenticated setup, and internal B2B transactions on dedicated corporate card environments.
The Reserve Bank of India (RBI) has mandated authentication for all domestic online card transactions. Visa and Mastercard both deprecated 3DS 1 for India in November 2023, making 3DS 2 the required protocol for all Indian transactions. American Express followed in October 2023.
India's authentication requirement has a longer history than most markets. The RBI introduced an additional-factor-of-authentication requirement for online transactions in 2009, predating PSD2. The transition to EMV 3DS 2 standardises this on the global protocol.
Mastercard and Visa extended their 3DS 1 deprecation to Bangladesh simultaneously in November 2023, making 3DS 2 the required protocol for domestic Bangladeshi transactions as well. Bangladesh has no standalone central bank mandate equivalent to the RBI requirement, but the scheme-level deprecation has the same practical effect for merchants processing scheme-enrolled domestic cards. Issuer readiness and 3DS penetration across the market are less uniform than in India, so authorisation rate outcomes may vary.
AusPayNet introduced the Card Not Present Fraud Mitigation Framework in 2019, requiring merchants above defined fraud rate thresholds to implement 3DS. Unlike the European mandate, Australia's framework is not a universal requirement. It applies specifically to merchants who have exceeded a fraud rate trigger for the previous quarter. Merchants below the threshold are not mandated to use 3DS, though card scheme incentives encourage adoption.
The regulatory direction in Australia is toward broader adoption over time, though no universal mandate is currently in place.
Singapore's major banks have historically required OTP authentication for all browser-based card transactions, a functional equivalent to SCA. As of July 2024, Singapore's banks announced a shift away from OTPs in favour of tokenisation, to reduce exposure to social engineering and phishing attacks. Malaysia's issuing banks may require authentication on their BINs, making 3DS effectively mandatory for acceptable authorisation rates even without a formal regulatory mandate.
The US has no SCA mandate equivalent to PSD2. Consumer attitudes toward additional authentication friction are more negative than in Europe, and merchants have historically pushed back strongly against mandated 3DS adoption. However, both Visa and Mastercard have been actively incentivising 3DS adoption through fraud liability structures, and there is significant industry speculation about whether a mandate will emerge.
For US merchants, 3DS adoption remains a commercial decision: it weighs the protection from fraud chargebacks and the potential for higher authorisation rates from issuer-trusted transactions against the conversion risk of introducing a new step for customers who have not encountered it before.
Regulatory mandates are not the only force driving 3DS adoption. In a growing number of markets, issuers and acquirers have implemented 3DS as a direct response to card-not-present fraud losses, without any formal regulatory requirement in place.
Brazil leads Latin America on this front: the card industry association ABECS has coordinated issuer-side 3DS 2.0 rollout, and adoption among top-tier merchants is high.
Mexico, by contrast, has historically lagged on 3DS 2.0 migration, with slower issuer upgrades from 3DS 1.0 infrastructure. The pace of migration may have progressed since, but payment teams processing Mexican transactions should verify current 3DS 2.0 issuer coverage with their provider before relying on frictionless flow performance assumptions.
South Africa introduced a 3DS requirement for e-commerce merchants from 2014 under guidance from the Payment Association of South Africa (PASA), making it one of the earliest non-European markets to move on authentication.
Malaysia operates without a formal central bank mandate, but issuer-side BIN configurations make 3DS effectively necessary for acceptable authorisation rates on domestic transactions.
Nigeria is moving in a similar direction, though card market maturity and issuer 3DS readiness vary more widely, and merchants should validate coverage with their acquirer before assuming consistent authentication rates.
For payment teams managing cross-border flows, the commercial reality is the same whether a market is mandate-driven or fraud-driven: 3DS coverage gaps show up in declined transactions.
If you want to learn more about 3D Secure in general, contact us or read our complete guide to 3D Secure Authentication.