The popularity of cashless payments has led to increasing credit card fraud in Japan. For businesses operating e-commerce sites and using online payments, security measures are an obligation, not just an option. In this article, we provide an explanation of the Credit Card Security Guidelines in Japan, including their purpose, background and steps for compliance.
What's in this article?
- What are the Credit Card Security Guidelines?
- Why are the Credit Card Security Guidelines necessary?
- What are the differences between Versions 5.0 and 6.0 of the Credit Card Security Guidelines?
- Steps to comply with the Credit Card Security Guidelines
- What are the consequences for non-compliance with the Credit Card Security Guidelines?
- Why should businesses have continuous security measures?
What are the Credit Card Security Guidelines?
The Credit Card Security Guidelines are a set of policies that regulate security measures for credit card use. All businesses in Japan must follow these guidelines. They are based on a plan by the Ministry of Economy, Trade and Industry (METI) to reduce the risk of information leaks and fraud and create a secure environment for transactions. The Japan Consumer Credit Association (JCA) also works to raise security awareness and ensure businesses take thorough measures across the industry.
Version 6.0 – the latest version of the guidelines – requires stricter security standards than previous versions. It is important for businesses to stay up-to-date with the latest developments and respond accordingly. These developments include appropriate management of credit card information, early detection and response to fraudulent or unauthorised use, security training for employees and measures to address systemic vulnerabilities.
Compliance with the guidelines can help businesses gain customer trust and remain sustainable. All businesses must understand the details of the latest guidelines and take appropriate measures to comply with them.
Why are the Credit Card Security Guidelines necessary?
According to a JCA survey that focused on businesses issuing international brand credit cards in Japan, the amount of loss from credit card fraud in 2024 was projected to reach about ¥55.5 billion. This is a significant increase from 2014, when it was just over ¥11 billion. Losses caused by number theft accounted for nearly 60% of the total in 2014. This percentage exceeded 90% by 2024, highlighting the vulnerability of online transactions, such as those on e-commerce sites.
These figures indicate why it is important for businesses to comply with the latest Credit Card Security Guidelines. The guidelines can help businesses protect customers, comply with the law and maintain their brands' trustworthiness. In the unlikely event of a data leak or unauthorised access, the consequences could include loss of customers, chargeback losses, administrative penalties or paying for damages.
What are the differences between Versions 5.0 and 6.0 of the Credit Card Security Guidelines?
The Credit Card Security Guidelines have been revised several times since the initial release in 2020. The measures are divided into two categories: non-face-to-face transactions (i.e. e-commerce transactions) and face-to-face transactions. It's important for businesses to follow the guidelines that regulate their business type. For example, Version 6.0 contains new measures for e-commerce businesses, so it's important for businesses of this type to comply with these new guidelines.
The Credit Card Security Guidelines are very detailed. Understanding the key points can help a business get started and respond to each measure. In the table below, we compare Versions 5.0 and 6.0 to help indicate measures that have been added to each of the guidelines.
|
Measures |
Version 5.0 |
Version 6.0 |
|---|---|---|
|
Card information protection |
E-commerce and face-to-face businesses
|
E-commerce businesses
|
|
Fraud protection |
E-commerce businesses
Face-to-face businesses
|
E-commerce businesses
|
|
Frequent occurrence of fraud / high-risk businesses |
E-commerce businesses
|
E-commerce businesses
|
|
Businesses handling mail order / telephone order (MO/TO) transactions |
Businesses handling MO/TO transactions
|
Businesses handling MO/TO transactions
|
|
Business support |
– |
E-commerce businesses
|
|
Input personal identification number (PIN) during card payment |
– |
Face-to-face businesses
|
Measures to prevent theft of credit card information
In Version 5.0, the JCA implemented card information protection measures, such as non-retention and PCI DSS compliance. These measures have been somewhat effective in preventing incidents where large volumes of card data are stolen in a short period of time.
However, incidents have occurred in which card information was leaked as a result of unauthorised external access, viruses or system tampering. These were due to insufficient vulnerability countermeasures, such as antivirus measures on e-commerce business systems and websites, management of administrator privileges and device management. Therefore, Version 6.0 requires e-commerce businesses to implement the following system and website vulnerability countermeasures to prevent leaks of card information:
- Restrictions on access to system administration screens and ID/password management for administrators
- Measures to address configuration errors and insufficiencies associated with data directory exposure
- Vulnerability countermeasures for web apps
- Introduction and operation of antivirus software as a measure against malware
- Countermeasures against malicious validity checks and credit masters
When outsourcing the creation, configuration and operation of e-commerce systems or websites, the outsourcing contractor must follow the vulnerability countermeasures that e-commerce businesses are required to implement.
Fraud protection measures to prevent use of card information
In 2023, fraudulent card use in Japan reached over ¥54 billion. Of that amount, 93% was through identity theft at e-commerce businesses. Therefore, measures have been added with the aim of preventing fraud before and during card payments.
Here is how fraud can occur before, during and after a card is used:
- Before a card payment: Fraudulent actors might register a fraudulent account or use fraudulent logins by impersonating the customer.
- During a card payment: There have been cases of unauthorised use of card numbers and card information generated by the credit master. In addition, phishing scams have been used to steal card information, accounts, passwords and attribute information.
- After a card payment: Goods can be fraudulently delivered or resold, so it is necessary to check the order details and delivery address.
Because of the possibility of fraud, it's necessary to implement measures that regulate the flow of card transactions. Examples include preventing unauthorised logins before card payments and introducing EMV 3D Secure during the card payment process.
Measures to prevent unauthorised logins
In Version 6.0, the following measures are recommended to prevent unauthorised logins:
- Restrictions on access from suspicious internet protocol (IP) addresses
- Identification using two-step verification or multifactor authentication
- Confirmation of personal information during member registration
- Stronger restrictions on the number of login attempts
- Emails and short message service (SMS) notifications when members log in or change their attributes
- Attribute and behaviour analysis
- Device fingerprinting
Adoption of EMV 3D Secure
Version 6.0 includes measures related to the introduction of EMV 3D Secure. E-commerce businesses must do the following:
- Integrate EMV 3D Secure and perform authentication to ensure that they can properly verify the identity of the cardholder
- Improve the accuracy of risk-based authentication (RBA)
Frequent occurrence of fraud and high-risk businesses
Businesses are deemed to have a frequent occurrence of fraud when they have incurred multiple fraudulent charges on an ongoing basis. For the purposes of these guidelines, businesses are considered to have frequent occurrences of fraud when their fraudulent charges exceed ¥500,000 across three consecutive months.
High-risk businesses are any businesses that mainly handle digital products, such as online games, home appliances, electronic money, tickets and accommodation reservation services. High-risk businesses and those with a high occurrence of fraud must enact additional measures.
Up to Version 5.0, businesses with a history of fraud were required to implement at least two of the four measures outlined in the Credit Card Security Guidelines. High-risk businesses had to enact at least one. These measures include authentication of the cardholder, card verification, attribute and behavioural analysis and verification of the delivery address.
However, starting with Version 6.0, businesses are now required to implement additional and appropriate measures or enhanced measures based on a layered approach. This approach should be customised for the actual damage caused by the fraud and the specific methods employed. This change to the guidelines is due to the various products and services businesses can offer and the multiple methods fraudulent actors can use to create or take over accounts.
Businesses handling mail/telephone order (MO/TO) transactions
"MO/TO" is a term often used in Japan to refer to mail order (MO) and telephone order (TO) sales. In other words, MO/TO businesses process card payments by telephone or mail.
Many businesses that handle MO/TO transactions also engage in e-commerce. Therefore, the four measures for MO/TO businesses that were included in the guidelines up to Version 5.0 have been revised. The following measures continue to be required for MO/TO businesses in Version 6.0:
- Establishment of an authorisation processing system
- Duty of care as a qualified manager, as stipulated in the business agreement
- Integration of non-face-to-face measures against fraudulent use, according to the risk and damage incurred
Business support
Credit card companies and PSPs are required to provide information and support regarding the vulnerability countermeasures that e-commerce businesses should implement.
In addition, system providers and other businesses must follow vulnerability countermeasures when handling the creation and configuration of e-commerce sites. When operating and maintaining the sites, they also have to provide advice and support to e-commerce businesses.
PIN input for card payments
Since April 2025, businesses that conduct in-person transactions are no longer required to verify customer identities with signatures during card payments. Instead, they are required to ask customers to enter their PINs.
Steps to comply with the Credit Card Security Guidelines
Different measures are required to prevent card information from being stolen and used. Below, we provide the sequence of events leading up to the theft and fraudulent use of card information. Then, we outline the measures that should be taken at each stage.
To comply with Version 6.0, businesses are required to implement multifaceted measures customised for their industry type and transaction patterns. They must also establish an appropriate internal organisational structure.
Below are some specific examples of how businesses can remain compliant with the guidelines:
Assess current status and compliance gaps
The first step is for the business to assess its security level and how it compares to the guidelines in Version 6.0. This assessment can help businesses identify gaps between their actual practices and the regulations. Here are a few questions businesses can use to confirm the current status of their card information and fraud protection measures:
Measures to prevent card information theft
- Are there restrictions to accessing management screens?
- Are administrator IDs and passwords properly managed?
- Are important files kept out of public directories?
- Are there any vulnerabilities in web apps?
- Are antimalware measures in place?
- Has antivirus software been deployed?
- Are there credit master protection measures in place?
Measures to prevent use of card information
- Has EMV 3D Secure been implemented?
- Are restrictions for access from suspicious IP addresses in place?
- Has two-factor or multifactor authentication been implemented to verify customer identity?
- Has a limit on the number of login attempts been implemented? Do customer accounts get locked out after a certain number of failed login attempts?
- Are changes to member information (e.g. email addresses, home addresses, telephone number) checked?
- Are fraudulent transactions identified based on risk assessments using past transaction information (i.e. a fraud detection system)?
- Is it possible to identify devices using fingerprint technology?
Determine priorities
Security measures should be more than a combination of multiple measures. Instead, they should be determined according to the business and its situation. Businesses can analyse their degree of risk to determine which individual measures must be implemented from the list above. This can help businesses enact a multilayered approach to following the measures.
Regular review and staff training
Fraud is becoming increasingly sophisticated. As businesses introduce new security measures, fraud methods evolve to counter them. That is why technical measures organisational initiatives and employee training are necessary. In addition, initial review of fraud risk should be supported by ongoing review.
What are the consequences for noncompliance with the Credit Card Security Guidelines?
Failure to comply with the guidelines can have serious impacts on a business' operations. The following are the main risks of non-compliance:
Data leaks and loss of trust
Leaks of personal information can undermine a business' trustworthiness, leading to loss of customers and damage to the brand through media coverage.
Financial losses and chargebacks
Chargebacks and compensation payments due to fraud can be a significant burden, especially for small and medium-sized businesses.
Administrative sanctions or suspension of business
If the administrative agency finds a violation of the guidelines, a business could receive an improvement order or suspension.
Why should businesses have continuous security measures?
The Credit Card Security Guidelines are practical guidelines for preparing for ever-evolving fraud risks. Version 6.0 of the guidelines requires compliance with non-retention and PCI DSS, as well as the implementation of vulnerability countermeasures customised for each business. These countermeasures are based on a line-of-business approach.
Businesses who delay or avoid implementing these measures could risk the trust of their customers. They also face a threat to the future of the business. It's a good idea to use a comprehensive payment platform that complies with PCI DSS, such as Stripe Payments. This way, your business can gradually build an environment that complies with the newest version of the guidelines.
The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.