Financial Crime World

Japan’s Online Banking Security Measures Tighten Up

In response to recent incidents involving unauthorized use of card data, Japan’s payment industry has introduced stricter security measures for online transactions. Starting now, Stripe users in the country are required to implement certain level of security measures under the Installment Sales Act.

New Security Requirements

The Credit Card Transactions Security Measures Council, an industry body, has published a “Security Checklist” outlining specific measures that Japanese merchants who process online card transactions must take. These measures include:

  • Basic authentication
  • Vulnerability diagnosis
  • Penetration testing
  • And others

Stripe and other payment service providers (PSPs) are now collecting declarations from new card merchants regarding their adoption of these security measures. Existing users will be required to answer the same questions before they can continue processing card payments.

Security Checklist Measures

The Security Checklist is available in Japanese and outlines measures such as:

  • Implementing basic authentication and HTTPS for password protection
  • Conducting vulnerability diagnosis and penetration testing
  • Protecting against SQL injection, cross-site scripting, and malware attacks
  • Preventing card testing and limiting the number of requests within a specified period

Compliance Requirements

Merchants who have not yet implemented these security measures are advised to refrain from accepting card transactions until they do so. Those who outsource their security measures to third-party providers must provide information about the outsourcing party.

The requirements apply to all merchants, including those who only accept payments through Payment Links or Stripe Invoicing. However, some questions may not be applicable to these merchants.

Frequently Asked Questions

  • What if I haven’t developed the security measures yet?
    • You can answer based on the measures you intend to adopt.
  • Do we need to maintain security measures after onboarding?
    • Yes, you are expected to maintain the adopted measures.
  • Can I share the questions and related materials with vendors or system providers?
    • Yes, you may share the information.

For more information, merchants can refer to the “Security Checklist - Basic Security Measures for Online Merchants” published by the Credit Card Transactions Security Measures Council.