Are there recent court cases, regulatory changes, or major issuers that ban non-VBV/3DS transactions in 2024–2025?
Executive summary
Regulators and card schemes have pushed hard toward universal EMV 3‑D Secure (3DS) adoption in 2024–2025: Japan mandated 3DS for essentially all e‑commerce card transactions by end‑March/April 2025 (see JCA/METI guidance) and card networks and regional regulators have deprecated older 3DS/1 flows and tightened SCA rules in multiple markets [1] [2] [3]. At the same time, industry mechanisms (TRA/SCA exemptions and gateway/issuer risk scoring) still allow some card‑not‑present transactions to bypass an explicit 3DS challenge under specific conditions [4] [5] [6].
1. Regulation moved from “encourage” to “require” in some markets
Japan is the clearest example where policy turned mandatory: METI/JCA guidance and industry updates required implementation of EMV 3DS for online card payments by around March–April 2025, and merchants risk declines and liability if they fail to authenticate transactions [1] [2] [7]. Other jurisdictions also tightened Strong Customer Authentication (SCA) rules — PSD2 in the EU and SCA‑style rules in India and Australia mean 3DS or equivalent SCA is expected for many online card payments [8] [9] [10].
2. “Ban” is the wrong word — regulators mandate authentication, not an absolute block on non‑3DS cards
Available sources describe mandates and directory/deprecation timetables, not court rulings or issuer edicts that categorically ban cards that are “non‑VBV/3DS.” For example, Bancontact dropped 3DS1 support and schemes/issuers moved to 3DS2; these are technical and regulatory shifts rather than blanket prohibitions on specific BINs [3] [6]. Japan’s rules require 3DS on online transactions, but industry guidance also defines exemptions and operational paths to avoid unnecessary friction [2] [5].
3. Issuers, acquirers and gateways control how strict enforcement looks in practice
Issuers and gateways can apply transaction risk analysis (TRA) and exemptions that let low‑risk transactions bypass a 3DS challenge — the final decision often rests with the issuer’s risk logic even when a merchant requests an exemption [4] [11]. EMVCo explicitly built flexibility into EMV 3DS so issuers may choose challenge methods or use exemptions based on risk/regulatory context [6]. That means many real‑world transactions can still complete without an OTP pop‑up even under stronger mandates [4].
4. Industry players are moving to newer 3DS versions and directory servers
Card schemes and major PSPs have deprecated 3DS1 and promoted 3DS2/EMV 3DS; Japan, for instance, required 3DS2 rollout and some domestic schemes and PSPs set up their own directory servers to improve authentication rates [3] [9]. PSP and gateway documentation (Adyen, Stripe, Checkout) emphasize compliance timelines and liability shifts tied to performing 3DS authentication [3] [12] [2].
5. Fraud‑oriented forums and illicit marketplaces still claim “non‑VBV” BINs — treat with caution
Multiple dark‑web and carding forum posts recycle the term “non‑VBV” or publish BIN lists that allegedly skip 3DS, but available reporting frames this as misuse or misunderstanding: some posts admit the term is imprecise and that bypasses occur because of gateway/TRA settings or local issuer risk scoring — not a magical class of BINs universally accepted without authentication [13] [14]. These sources should be treated as self‑serving and unreliable for claims about lawful market practice [13] [14].
6. Courts are not the driver here — regulation and scheme rules are
Search results show many important court cases in 2024–25 on unrelated topics (e.g., transgender athlete bans, Supreme Court docket items), but no sourced materials indicate a recent court decision that bans non‑3DS transactions wholesale; the changes are regulatory and scheme‑level mandates rather than litigation orders (p3_s5; [15]; [16] — none connect courts to 3DS bans). Available sources do not mention a court case that directly ordered issuers or merchants to block non‑3DS transactions.
7. Practical takeaway for merchants, issuers and payments practitioners
Comply with regional mandates (Japan/PSD2/other SCA regimes) and implement EMV 3DS while architecting reliable TRA/exemption flows to limit conversion losses; expect issuers to decline or “soft‑decline” transactions that don’t meet local authentication rules, and prepare for liability shifts if you bypass 3DS without meeting exemption criteria [2] [4] [8]. Vendors and PSPs (Adyen, Stripe, Checkout) provide guidance and timelines to remain compliant [3] [12] [2].
Limitations and conflicts in the reporting
Sources consistently document regulatory and scheme mandates and describe issuer/gateway discretion; they do not report any sweeping judicial orders banning non‑3DS BINs, and do not provide an exhaustive list of issuers who have independently “blocked” non‑3DS BINs. Available sources do not mention a court case explicitly banning non‑VBV/3DS transactions; practical enforcement appears governed by scheme/regulatory deadlines and issuer risk policies [1] [3] [4].