Complying with the Revised Installment Sales Act

A guide for Stripe users in Japan

  1. Introduction
  2. Background
  3. Handling credit card data appropriately
    1. What this means for Stripe users
  4. When you have a business requirement for handling raw data
  5. Implementing fraud prevention measures
    1. What this means for Stripe users
  6. Conclusion
  7. References

The Installment Sales Act is one of the major Japanese consumer protection laws that applies to all internet businesses in Japan that accept credit card payments. In 2018, the Japanese government revised the Installment Sales Act to ensure online businesses securely manage consumer data and to reduce online fraud.

This guide introduces the key requirements of the new regulation and how Stripe businesses in Japan can remain compliant.

Background

A March 2018 report (Japanese) commissioned by the Japan Consumer Credit Association (JCA) identifies 2017 as the year with the highest industry-wide fraud losses to date. More than 23.6B JPY (over 200M USD) in financial losses were attributed to online fraud—a 65% increase from the previous year.

In response, the Credit Transaction Security Council of the JCA announced its 2018 Implementation Plan (Japanese), which aims to improve security and fraud prevention policies for businesses accepting card payments online. With the Revised Installment Sales Act (改正割賦販売法) in effect, online businesses are now required to handle credit card data appropriately and implement fraud prevention measures.

Handling credit card data appropriately

PCI-DSS (Payment Card Industry Data Security Standard) is the global information security standard for businesses accepting credit card payments. The JCA’s 2018 Implementation Plan references this global standard in its approach. That is, being PCI compliant is the primary way that businesses can ensure that they meet the requirements of the Revised Installment Sales Act.

Online transactions present an increased risk to the security of cardholder data, so the JCA Implementation Plan strongly encourages businesses to avoid handling raw card information. Specifically, businesses should not transmit, store, or process cardholder data on computers, servers, or other devices on their network.

To meet this requirement, businesses can tokenize card data. With tokenization, your business can collect sensitive card details from your customers in a secure manner. Sensitive data doesn’t hit your servers, and instead a token representing this information is returned to your server to use. Using a PCI-compliant payment processor like Stripe also means that your business is not processing payment details directly with card networks.
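The following server-side guard is an added example, not code from Stripe or from the original guide. It shows one way to enforce the token-only pattern described above: a payment endpoint rejects any request that contains something resembling a raw card number and accepts only requests carrying a token. The function names, the `token` field name, and the `tok_` prefix check are assumptions of this example, and the sample requests are constructed.

```javascript
'use strict';

// Luhn checksum: true when the digit string is a plausible card number.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Recursively collect the paths of values that look like a raw card number:
// 13-19 digits (single spaces or dashes allowed) that pass the Luhn check.
function findRawCardData(value, path = '$', hits = []) {
  if (typeof value === 'string' || typeof value === 'number') {
    const candidates = String(value).match(/\d(?:[ -]?\d){12,18}/g) || [];
    for (const c of candidates) {
      if (luhnValid(c.replace(/[ -]/g, ''))) { hits.push(path); break; }
    }
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) findRawCardData(v, `${path}.${k}`, hits);
  }
  return hits;
}

// Accept a checkout request only if it carries a token and no raw card data.
// Assumption: the client sends the token in a field named `token`.
function checkPaymentRequest(body) {
  const leaks = findRawCardData(body);
  if (leaks.length > 0) return { ok: false, reason: 'raw_card_data', fields: leaks };
  if (!body || typeof body.token !== 'string' || !body.token.startsWith('tok_')) {
    return { ok: false, reason: 'missing_token', fields: [] };
  }
  return { ok: true, reason: null, fields: [] };
}

// Constructed sample requests (4242... is a publicly documented test number).
const tokenized = { token: 'tok_example123', amount: 1200, currency: 'jpy' };
const leaking = { amount: 1200, card: { number: '4242 4242 4242 4242', cvc: '123' } };
console.log(checkPaymentRequest(tokenized));
console.log(checkPaymentRequest(leaking));
```

The same scan can be run over log lines before they are written, so that a misconfigured client cannot place card numbers into stored data.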

What this means for Stripe users

Stripe users should use Stripe Elements, Stripe Checkout, or one of the mobile SDKs to accept payments. By using these products and ensuring good business practices around data security, businesses don’t need to handle raw card data to accept payments online.

When you have a business requirement for handling raw data

The new regulations require that businesses that handle raw card data are PCI-DSS certified. If your business needs necessitate handling raw card data, please note that the process of becoming certified can be expensive and time-consuming. Support is available via a guided flow in your Stripe Dashboard, and you can find more details in our PCI-DSS compliance guide.

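| JCA requirement | Possible approach | Cost |
| --- | --- | --- |
| Do not transmit, store, or process card details, or be PCI-DSS certified | Use Stripe Elements, Stripe Checkout, or a mobile SDK for all payments | Free |
| | Become PCI-DSS certified and report certification status using the Stripe Dashboard (see the guide to PCI compliance) | Depends on the size and complexity of the business (see the PCI Security Standards Council website) |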

Implementing fraud prevention measures

The JCA’s Implementation Plan recommends the following methods of fraud prevention for online businesses:

1. Personal authentication: The cardholder authenticates a transaction by entering a password that has been registered with their credit card issuer (e.g., 3D Secure).

2. Security codes: The cardholder enters a three- or four-digit number present on the back of the card during an online transaction (e.g., CVC checks).

3. Attribute and behavior pattern analysis: Potentially fraudulent transactions can be identified by matching attributes of the transaction and behavioral patterns with those collected from historical fraudulent transactions. Additional data, such as IP address and customer activity, can improve the accuracy of results.

4. Shipping address information: Fraudulent payments can sometimes be identified by checking the shipping addresses against a list of addresses known to have been used in past fraudulent transactions. These databases are provided by third parties or directly maintained by the businesses themselves.

Source (Japanese)

What this means for Stripe users

Stripe offers ways for businesses to quickly and easily implement all four of these methods, as shown below:

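| JCA recommendation | Stripe recommendation |
| --- | --- |
| Personal authentication | 3D Secure |
| Security codes | Security code checks with Radar |
| Attribute and behavior pattern analysis | Stripe Radar |
| Shipping address information | Stripe Radar lists |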

Conclusion

The Stripe platform is designed to help our users stay up-to-date with new features or changing regulations. We hope this guide has helped you to understand the new requirements introduced by the Revised Installment Sales Act (and the JCA’s implementation plan) and how Stripe users can stay compliant. If you have any questions, please let us know.
