Complying with the Revised Installment Sales Act

A guide for Stripe users in Japan

The Installment Sales Act is one of the major Japanese consumer protection laws and applies to all internet businesses in Japan that accept credit card payments. The revision of the Act that took effect in 2018 requires online businesses to manage cardholder data securely and aims to reduce online fraud.

This guide introduces the key requirements of the new regulation and how Stripe businesses in Japan can remain compliant.

Background

A March 2018 report (Japanese) commissioned by the Japan Consumer Credit Association (JCA) identifies 2017 as the year with the highest industry-wide fraud losses to date. More than 23.6B JPY (over 200M USD) in financial losses were attributed to online fraud—a 65% increase from the previous year.

In response, the Credit Transaction Security Council of the JCA announced its 2018 Implementation Plan (Japanese), which aims to improve security and fraud prevention policies for businesses accepting card payments online. With the Revised Installment Sales Act (改正割賦販売法) in effect, online businesses are now required to handle credit card data appropriately and implement fraud prevention measures.

Handling credit card data appropriately

PCI-DSS (Payment Card Industry Data Security Standard) is the global information security standard for organizations that store, process, or transmit cardholder data. The JCA's 2018 Implementation Plan references this standard in its approach, so being PCI compliant is the primary way for a business to show that it meets the data-handling requirements of the Revised Installment Sales Act.

Online transactions present an increased risk to the security of cardholder data, so the JCA Implementation Plan strongly encourages businesses to avoid handling raw card information at all. Specifically, businesses should not transmit, store, or process cardholder data on computers, servers, or other devices on their own network.

To meet this requirement, businesses can tokenize card data. With tokenization, the customer's card details are collected in the browser or app by a PCI-compliant payment processor such as Stripe, and only a token that references those details is returned for your server to use. The raw card number and security code never reach your servers, and your business never exchanges payment details directly with the card networks. Note that this protection holds only as long as no part of your own front end or API accepts card details and forwards them to your servers.

What this means for Stripe users

Stripe users should use Stripe Elements, Stripe Checkout, or one of the mobile SDKs to accept payments. These products collect card details in fields hosted by Stripe, so, combined with good business practices around data security (for example, never adding your own form field that posts card numbers or security codes to your servers), businesses don't need to handle raw card data to accept payments online.
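Tokenization protects you only if no raw card field ever reaches your backend. The following added example, which is not Stripe's code and is not part of the original guide, is a Node.js guard for the server side of a tokenized integration: it walks an incoming request body, accepts Stripe token and PaymentMethod identifiers, and rejects anything that looks like a card number (13 to 19 digits passing the Luhn check) or a 3- to 4-digit value under a security-code field name. The Express-style middleware signature, the field-name patterns and the sample payloads are assumptions constructed for illustration.

```javascript
// Added example, not Stripe's own code: a server-side guard that rejects
// request bodies carrying raw card data. Tokenization via Stripe Elements,
// Checkout or the mobile SDKs keeps card numbers off your servers only as
// long as nothing else posts them there; this check turns that assumption
// into an enforced rule at the API boundary.

// Luhn check (ISO/IEC 7812): used to tell card numbers apart from other long
// digit strings such as order or tracking numbers.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// A value looks like a PAN if, with spaces and dashes removed, it is 13 to 19
// digits and passes Luhn. Luhn-valid non-card numbers can still slip through,
// so treat this as a safety net, not as the sole control.
function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const s = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(s) && luhnValid(s);
}

// Field names under which a 3- or 4-digit value is treated as a security code
// (assumed names for illustration).
const CVC_KEY = /(^|_)(cvc|cvv|cvv2|cid|security_?code)$/i;
// Stripe token, PaymentMethod, Source and Card identifiers are the values a
// tokenized integration is supposed to send; they are never flagged.
const STRIPE_REF = /^(tok|pm|src|card)_[A-Za-z0-9]+$/;

// Walks a parsed JSON body and returns the paths of fields carrying raw card data.
function findRawCardData(body, path = '', hits = []) {
  if (body === null || typeof body !== 'object') return hits;
  for (const [key, value] of Object.entries(body)) {
    const here = path ? `${path}.${key}` : key;
    if (value !== null && typeof value === 'object') {
      findRawCardData(value, here, hits);
      continue;
    }
    if (typeof value === 'string' && STRIPE_REF.test(value)) continue;
    if (looksLikePan(value)) {
      hits.push({ path: here, reason: 'pan' });
    } else if (CVC_KEY.test(key) && /^\d{3,4}$/.test(String(value))) {
      hits.push({ path: here, reason: 'cvc' });
    }
  }
  return hits;
}

// Express-style middleware (hypothetical wiring): mount after the JSON body
// parser and before the payment route. Only field paths are logged, never values.
function rejectRawCardData(req, res, next) {
  const hits = findRawCardData(req.body);
  if (hits.length === 0) return next();
  console.warn('rejected raw card data in fields: ' + hits.map((h) => h.path).join(', '));
  return res.status(400).json({
    error: 'Send a Stripe token or PaymentMethod id; do not send card details to this server.',
  });
}

// Constructed sample bodies for illustration (not real transactions or ids).
const SAMPLE_TOKENIZED = {
  amount: 5000,
  currency: 'jpy',
  payment_method: 'pm_exampleplaceholder',
  order_id: '1234567890123', // 13 digits but not Luhn-valid: not treated as a card number
};
const SAMPLE_RAW_CARD = {
  amount: 5000,
  currency: 'jpy',
  card: { number: '4242 4242 4242 4242', exp_month: 12, exp_year: 2030, cvc: '123' },
};

console.log(findRawCardData(SAMPLE_TOKENIZED)); // []
console.log(findRawCardData(SAMPLE_RAW_CARD)); // card.number (pan), card.cvc (cvc)
```

Wiring this guard onto every route that the front end can reach, not only the payment route, means a regression that re-introduces raw card fields fails loudly in testing instead of silently widening your PCI scope.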

When you have a business requirement for handling raw data

The new regulations require that businesses that handle raw card data be PCI-DSS certified. If your business genuinely needs to handle raw card data, note that the certification process can be expensive and time-consuming. Support is available via a guided flow in your Stripe Dashboard, and you can find more details in our PCI-DSS compliance guide.

JCA requirement: no transmission, storage, or processing of card details, or PCI-DSS certification.

Possible approaches:
  - Stripe Elements, Stripe Checkout, or mobile SDKs for all payments. Cost: free.
  - Attain PCI-DSS certification and report your certification status via the Stripe Dashboard (see our guide to PCI compliance). Cost: varies according to business size and complexity (see the PCI Security Standards Council website).

Implementing fraud prevention measures

The JCA’s Implementation Plan recommends the following methods of fraud prevention for online businesses:

  1. Personal authentication: The cardholder authenticates a transaction by entering a password registered with their credit card issuer (e.g. 3D Secure).
  2. Security codes: The cardholder enters the three- or four-digit number printed on the card during an online transaction (e.g. CVC checks).
  3. Attribute and behavior pattern analysis: Potentially fraudulent transactions are identified by matching attributes of the transaction and behavioral patterns against those collected from historical fraudulent transactions. Additional data such as IP address and customer activity can improve the accuracy of the results.
  4. Shipping address information: Fraudulent payments can sometimes be identified by checking the shipping address against a list of addresses known to have been used in past fraudulent transactions. These lists are provided by third parties or maintained by the businesses themselves.

* Source (Japanese)

What this means for Stripe users

Stripe offers ways for businesses to quickly and easily implement all four of these methods, as shown below:

JCA recommendation -> Stripe recommendation
  - Personal authentication -> 3D Secure
  - Security codes -> CVC checks via Radar
  - Attribute and behavior analysis -> Stripe Radar
  - Shipping address information -> Stripe Radar lists

Conclusion

Stripe’s platform is designed to help our users stay up-to-date with new features or changing regulations. We hope this guide has helped you to understand the new requirements introduced by the Revised Installment Sales Act (and the JCA’s implementation plan) and how Stripe users can stay compliant. If you have any questions, please let us know.
