The Credit Transaction Security Council*1 announced the “Action Plan 2019” on March 4, 2019, with the aim of strengthening security measures for credit card transactions. It revises the Action Plan 2018 announced on March 1, 2018 and the Action Plan 2017 announced on March 8, 2017, and is intended to further promote these initiatives from 2020 onward. Under the Act for Partial Revision of the Installment Sales Act (“Amended ISA”), which came into force in June 2018, merchants that accept credit cards in non-face-to-face transactions (such as EC operators and mail-order call centers) are required to manage credit card information appropriately and to take countermeasures against its unauthorized use. The Action Plan serves as the practical guideline for meeting these obligations under the Amended ISA, which is why implementing it is required.
*1 Established in March 2015 with the participation of the Ministry of Economy, Trade and Industry and a wide range of operators involved in credit card transactions.
The three main pillars of the Action Plan, aimed at strengthening security measures for credit card transactions, are outlined below.
| 1. Measures for protecting credit card information | 2. Measures against unauthorized use of credit cards by preventing card forgery | 3. Measures against unauthorized use of credit cards on EC websites |
|---|---|---|
| Block the theft of credit card information | Block the use of forged cards | Block online spoofing |

* Pillar 1 requires the use of non-pass-through payment (card data never passes through the merchant's own systems) offered by PCI DSS*3-compliant PSP*2 services.
Highlights of revisions included in Action Plan 2019 for mail-order and EC operators:
1. Stresses the importance of the security measures below, in light of recent trends in card data leaks
・Continue to strive for card data protection even after achieving non-retention
・Take continuous countermeasures against new threats
・Deploy security measures in cooperation with related operators
2. Measures against unauthorized use of credit cards in non-face-to-face transactions
・Requires risk-based, multi-layered and multi-faceted countermeasures against unauthorized card use. The specific countermeasures are:
user verification (3D Secure), card verification (security code), customer attribute and behavior analysis, and delivery address information
・Implement countermeasures commensurate with the level of risk and damage
Measures are to be introduced in tiers covering all merchants, high-risk merchants, and merchants where fraudulent use is surfacing, according to their risk and damage status.
3. Visualization of the security measures undertaken by merchants
・EC operators etc. that have implemented measures against unauthorized card use and for protection of card information may display on their own EC websites (by self-declaration) that they comply with the Action Plan.
*2 Payment service provider
*3 Payment Card Industry Data Security Standard
・ Outline of Action Plan 2019: Towards strengthening security for credit card transactions (only available in Japanese)
・ Full version of Action Plan 2019: Towards strengthening security for credit card transactions (only available in Japanese)
・ Ministry of Economy, Trade and Industry
Based on the above revisions, E-commerce operators (non-face-to-face payment) are required to implement the following two measures: protection of card information, and prevention of unauthorized card use.
If merchants currently hold card information
・Merchants are recommended to migrate to non-pass-through payment; otherwise they are strongly required to comply with PCI DSS.
・Merchants are strongly required to check whether payment information, including card details, is present in system logs, and to delete it immediately if it is.
If merchants do not currently hold card information
・No migration is needed. The required action then depends on whether the merchant intends to retain card information in future.
If merchants are considering retaining card information
・This is not recommended. If card information is stored nonetheless, compliance with PCI DSS is strongly required.
・In addition, no payment information, including card information, may be kept in system logs.
If merchants do not intend to retain card information
・It is recommended that merchants do not retain credit card information.
・Card information is sent directly to us (GMO-PG) without passing through the merchant's systems.
Merchants that pass through or store card information are required to comply with PCI DSS.
See the non-pass-through payment solution offered by GMO-PG for details.
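The log check above (confirming that no card details remain in system logs and removing any that do) is the one step in this section that can be automated directly. What follows is an added example, not code from this page or from GMO-PG, of a scanner that finds card numbers in application log lines and masks them, and redacts security-code fields outright. It assumes a constructed sample log, the public Luhn check and the public IIN prefix/length rules of the major brands (simplified); the names SAMPLE_LOG, find_pans, scrub_log and the other identifiers are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample application log (not taken from the page). Lines 2, 4 and 5
# contain card numbers written in cleartext; line 3 contains a 16-digit
# transaction id that passes the Luhn check but is not a card number.
SAMPLE_LOG = """\
2019-03-04 10:15:01 INFO  order=10023 status=authorized amount=4980
2019-03-04 10:15:02 DEBUG request body: {"pan":"4111111111111111","exp":"0322","cvv":"123"}
2019-03-04 10:15:03 INFO  order=10024 txid=1234567890123452 status=declined
2019-03-04 10:15:04 DEBUG pan=5555 5555 5555 4444 exp=12/24
2019-03-04 10:15:05 DEBUG card_no=3566002020360505 exp=0525 result=ok
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data keyed by field name (CVV/CVC/CSC). PCI DSS
# forbids storing it after authorization at all, so it is always redacted.
CVV_FIELD = re.compile(r'(?i)("?\b(?:cvv2?|cvc2?|csc|security_code)\b"?\s*[:=]\s*"?)\d{3,4}')


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Public IIN prefix and length rules for common brands (simplified; an
    assumption of this example, not taken from the Action Plan)."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if 16 <= n <= 19 and 3528 <= int(digits[:4]) <= 3589:
        return "JCB"
    return None


def mask_pan(digits: str) -> str:
    """Keep only the last four digits. PCI DSS permits displaying at most the
    first six and last four; a log has no need for the BIN, so drop it as well."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    brand: str
    masked: str


def _pan_digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(log_text: str) -> List[Finding]:
    """Report every Luhn-valid, brand-prefixed card number in the log."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _pan_digits(m.group(0))
            brand = card_brand(digits)
            if brand and luhn_valid(digits):
                findings.append(Finding(line_no, brand, mask_pan(digits)))
    return findings


def scrub_line(line: str) -> str:
    """Mask card numbers and redact security-code values in one log line."""
    def mask_match(m):
        digits = _pan_digits(m.group(0))
        if card_brand(digits) and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)              # leave ids that merely look numeric alone
    line = PAN_CANDIDATE.sub(mask_match, line)
    return CVV_FIELD.sub(r"\g<1>***", line)


def scrub_log(log_text: str) -> str:
    return "\n".join(scrub_line(line) for line in log_text.splitlines())


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.brand} PAN found -> {f.masked}")
    print(scrub_log(SAMPLE_LOG))
```

The Luhn check alone is not enough: the 16-digit transaction id on line 3 passes it, which is why the brand prefix and length check is applied before a candidate is reported or masked. CVV values are redacted outright because PCI DSS prohibits storing sensitive authentication data after authorization, while the expiry date is left alone since storing it is permitted. In practice this runs against the rotated log files and the same check is added as a unit test on the logging layer, so that a future debug statement cannot reintroduce cleartext card data.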
Merchants are required to implement the following measures to strengthen prevention of fraudulent credit card use:
① Personal authentication (3D Secure)
② Card verification (security code)
③ Attribute / behavior analysis
④ Shipping address information