Unauthorized credit card use has become a serious problem in Japan lately. According to statistics from the Japan Consumer Credit Association, credit card fraud loss amounted to 54.1 billion in 2023, a 23.9% year-on-year increase. As this issue becomes increasingly severe, what types of countermeasures should business operators implement? We spoke with Takayuki Seki of Scudetto Corporation, which has helped Japanese companies prevent online fraud for the past decade.
Director, Scudetto Corporation
Takayuki Seki
Worked at a credit card company in an online financial conglomerate group, then at a marketing software as a service (SaaS) provider for e-commerce. Became director of Scudetto Corporation in 2019, where he works in management and business operations as a fraud prevention specialist.
Is EMV 3DS enough?
Credit card fraud has been viewed as a problem for a long time. Past fraud often relied on counterfeit cards, but today more criminals are utilizing stolen numbers. According to Seki, rather than making fake cards to use at physical stores, more fraud is being committed by selling stolen card data on the dark web for unauthorized online use. There is no way to curb these losses from increasingly advanced technologies and diversifying methods.
Based on this sense of danger, the national government established its Credit Card Security Guidelines for businesses involved in credit card transactions in March 2020. They have been revised four times, and the current edition is Version 5.0. The government is making earnest efforts to prevent fraudulent use. For instance, e-commerce business operators are required to implement the EMV 3-D Secure (EMV 3DS) system by March 30, 2025.
Annual loss from fraud using credit cards issued in Japan (produced by Digital Garage, based on the Ministry of Economy, Trade and Industry’s Credit Card Security Measures [METI Initiatives])
EMV 3DS, an authentication system utilized by card issuers, requires the user to enter a password when making online purchases. However, Seki said this is not a sufficient measure by itself: “The guidelines clearly state that companies must implement EMV 3DS, which is the bare minimum to prevent fraud. It is effective to some degree, but it doesn’t provide total peace of mind. I don’t think EMV 3DS can fully handle technologies used by criminal organizations, which are becoming more sophisticated every day.”
Even if credit card fraud measures are neglected, e-commerce business operators are not responsible for losses if the transaction took place through the EMV 3DS system. However, this can harm authorization rates and prevent transactions by regular users. Additionally, brand value might decline if the company’s products are resold at low prices. Users might be discouraged from using the website if the company gains a reputation for not sufficiently preventing credit card fraud.
Fraud detection services provide a higher level of security. “Traditional services identify risks according to pre-set rules, using information from the time of purchase. They can detect suspicious attributes and activities, such as when a user suddenly pays for something in another country or makes multiple purchases in a short amount of time. These services would be more effective if you could adjust the rules as necessary, but fraud technologies are evolving and there are tools that can trick these systems. An example is location spoofing, which is difficult to detect.”
AI fraud detection: Emerging as a breakthrough solution to the problem of fraud prevention
Some detection services utilize artificial intelligence (AI) to cope with new types of fraud. Rather than relying only on purchase information, they collect and analyze all user actions from arriving at the website until completing the payment.
“Detection precision can be improved by using data from user registration and log-in. But because this extensive volume of data cannot be analyzed by humans alone, AI can identify potential fraud trends.”
“Most new fraud detection services in other countries employ AI, which is drawing a great deal of attention in this industry. Some major online shopping websites are developing their own AI fraud detection technologies, which I’m sure will become the e-commerce industry standard in the future.”
Sift, an AI-powered fraud detection service, collects and analyzes data about all user actions on the website to display a risk score (image produced by Digital Garage, based on information from Scudetto)
While some businesses are drawn to the concept of AI, others assume their industries are not at risk. However, technological progress means that more industries will be targeted, even those that have not suffered much loss in the past.
For example, there have been almost no cases of fraud on Japanese websites that take public utility payments or donations. But in recent years, programs, software, and other technologies have been used for so-called “Credit Master Attacks,” in which fraudsters automatically generate and attempt to authorize credit card numbers.
“Credit card numbers are not totally random. Criminals carry out concentrated attacks by mechanically generating numbers and testing them with security codes and expiration dates to see if they are genuine. Because the fraudster accesses the website frequently in a short amount of time, anti-fraud measures are able to detect and block these attacks. As a result, more attacks are targeting websites with no anti-fraud systems.”
“No company is safe from credit card fraud today. There are many cases of sudden attacks using new technologies and methods in previously ‘safe’ industries. I hope all businesses that accept online payments will implement measures to prevent fraud.”
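The frequency-based detection Seki describes, combined with the rule-based approach from the earlier section, can be sketched as a sliding-window rule over authorization attempts. This is an added example, not code from Scudetto, Sift, or ReD Shield; the log format, client identifiers, card tokens, and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: time, client id, card token, outcome.
# Tokens stand in for card numbers; raw PANs should never be logged.
SAMPLE_LOG = """\
2024-05-01T10:00:00 client-C tok_3001 APPROVED
2024-05-01T10:00:01 client-A tok_1001 DECLINED
2024-05-01T10:00:03 client-A tok_1002 DECLINED
2024-05-01T10:00:04 client-B tok_2001 DECLINED
2024-05-01T10:00:05 client-A tok_1003 DECLINED
2024-05-01T10:00:07 client-A tok_1004 DECLINED
2024-05-01T10:00:09 client-A tok_1005 DECLINED
2024-05-01T10:00:11 client-A tok_1006 APPROVED
2024-05-01T10:00:40 client-B tok_2001 APPROVED
2024-05-01T10:03:00 client-C tok_3002 DECLINED
2024-05-01T10:06:00 client-C tok_3003 APPROVED
"""

WINDOW = timedelta(seconds=60)  # assumed look-back window
MAX_CARDS = 5                   # assumed: distinct cards per client in window
MIN_DECLINE_RATIO = 0.8         # assumed: share of declined attempts

def parse(log):
    """Yield (time, client, token, outcome) from each log line."""
    for line in log.strip().splitlines():
        ts, client, token, outcome = line.split()
        yield datetime.fromisoformat(ts), client, token, outcome

def detect_card_testing(log):
    """Return {client: time of first alert} for card-testing behaviour."""
    recent = defaultdict(deque)  # client -> attempts inside the window
    alerts = {}
    for ts, client, token, outcome in parse(log):
        q = recent[client]
        q.append((ts, token, outcome))
        while ts - q[0][0] > WINDOW:  # drop attempts older than the window
            q.popleft()
        cards = {tok for _, tok, _ in q}
        declined = sum(1 for _, _, o in q if o == "DECLINED")
        many_cards = len(cards) >= MAX_CARDS
        mostly_declined = declined / len(q) >= MIN_DECLINE_RATIO
        if many_cards and mostly_declined and client not in alerts:
            alerts[client] = ts
    return alerts

if __name__ == "__main__":
    for client, ts in detect_card_testing(SAMPLE_LOG).items():
        print(f"ALERT {client} at {ts.isoformat()}")
```

In the sample, only the client that cycles through many cards with mostly declined results is flagged; the shopper who retries one card and the client whose different cards are spread over several minutes are not.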
Tools are useful, but humans must make the final decisions
Credit card fraud is also becoming an increasingly serious problem outside of Japan. This issue drew attention at an earlier stage in other countries whose e-commerce markets grew more quickly. Of course, there are many anti-fraud services in nations with more unauthorized use. Across the world, there is a wide range of fraud detection services, although few have been used in Japan so far. There are two main detection methods: rules or AI (machine learning models). There are also two ways in which the services are operated after installation, namely, whether they are manually operated or fully automated.
Even if they are powered by AI, non-automated services must be updated with rules based on fraud status and the company’s information about trends in unauthorized use. Humans must make decisions about “gray” transactions that the system cannot fully identify, which helps maintain and improve detection quality. Fully automated, AI-based services automatically examine all transactions to see if they are fraudulent, which Seki said is an advantage.
“Fully automated services require no human labor, which makes them easier to use. However, there is the risk that regular users will be mistakenly flagged as fraudulent. AI decides whether or not to approve gray transactions, a task that should be completed by humans. There is a relatively higher possibility that regular transactions will be erroneously identified as fraud. The website will not provide good experiences if regular users are identified as fraudsters and are not allowed to make purchases, which can severely harm the brand. Japanese e-commerce businesses are particularly concerned about brand value, which is why we don’t carry any fully automated services.”
Scudetto offers fraud detection services that were developed overseas to Japanese companies. Many have introduced “ReD Shield,” a rule-based fraud detection service that comes standard with services from two of Japan’s largest payment service providers. More customers are also using “Sift,” a fraud detection service equipped with the latest AI technology. Scudetto did not develop these services on its own, but is the Japanese sales agent for both. When asked how Scudetto differentiates itself from other companies in this industry, Seki replied, “Our track record and expertise go back more than a decade.”
Tools are just tools; humans are the key to maximizing performance, even for highly precise tools with large amounts of data. In other words, high-quality tools are only useful if a company utilizes them skillfully. Scudetto stands out because its employees have expert knowledge—it does not solely depend on high-performance tools from other countries.
“We set rules for traditional rule-based and AI-powered services. Sometimes we help customers visually confirm gray transactions. These operations are a key part of fraud detection, and are a way that we leverage our expertise. It’s not enough to simply install a fraud detection service; you must make improvements while operating it, which takes time and effort. We perform these tasks for companies to minimize their burden because we want them to focus on growth while spending less time worrying about fraud.”
Scudetto helps e-commerce businesses, payment service providers, and financial institutions take steps against online fraud. It offers “ReD Shield,” “Sift,” and “iovation” (fraud detection services developed outside of Japan), along with support and consulting from installation to operation. Scudetto helps companies reduce losses caused by fraud and optimize anti-fraud operations to increase profits.