Action Plan 2019

The Credit Transaction Security Council*1 announced the “Action Plan 2019” on March 4, 2019, which aims to enhance the security measures for credit card transactions. It contains revisions to the previous Action Plan 2018, announced on March 1, 2018, and the Action Plan 2017, announced on March 8, 2017, with the aim of further promoting the initiatives from 2020. Under the Act for Partial Revision of the Installment Sales Act (“Amended ISA”), which came into force in June 2018, online merchants (such as EC operators and mail-order call centers, when a credit card is used as the payment method) are required to appropriately manage credit card information and to take countermeasures against its unauthorized use. Implementing the Action Plan is therefore required, as it serves as the practical guideline of the Amended ISA.
*1 Established in March 2015 with the participation of the Ministry of Economy, Trade and Industry as well as a wide range of operators related to credit card transactions.

Action Plan

The 3 main pillars of the Action Plan announced by the Credit Transaction Security Council, aimed at strengthening the security measures for credit card transactions, are outlined below.

1. Measures for protecting credit card information
Block the stealing of credit card information
* Requires the use of non-transmitted payment offered by PCI DSS compliant PSP*2 services.
  ・Encouragement of credit card affiliated stores to not retain credit card information
  ・Requiring businesses that retain credit card information to comply with the PCI DSS*3

2. Measures against unauthorized use of credit cards by preventing forging of credit cards
Block the usage of forged cards
  ・Introduction of IC into all credit cards
  ・Introduction of IC-responsive systems into all payment terminals

3. Measures against unauthorized use of credit cards on EC websites
Block online spoofing
  ・Introduction of multi-lateral or multi-layered measures against unauthorized use in accordance with the level of risks

Highlights of revisions included in Action Plan 2019 for mail-order and EC operators:

1. Stresses the importance of security measures outlined below, in light of recent trends in cases of card data leaks
・To continuously strive for card data protection even after achieving non-retention
・Requires continuous countermeasures against new threats
・Deploy security measures in conjunction with related operators

2. Measures against unauthorized use of credit cards in non-face-to-face transactions
・Requires risk-based, multi-layered and multi-faceted countermeasures against unauthorized use of credit cards. The specific countermeasures against unauthorized use are as shown below.
User verification (3D Secure method), card verification (security code), customer attribute and activity analysis, and delivery address information
・Implement countermeasures commensurate to the risk and damage level
Measures that cover all physical merchants, high-risk merchants and merchants whose fraudulent activities are surfacing, and all risks and all damage status need to be introduced.

3. Visualization of security measures undertaken by merchants
・EC operators etc., can display (self-proclamation) that they enact the Action Plan on their proprietary EC website if they implement measures against unauthorized credit card use and for protection of credit card information.

*2 Payment service provider
*3 Payment Card Industry Data Security Standard

For Reference

Click here for an Outline on Action Plan 2019; Towards strengthening security for credit card transactions. (Only available in Japanese)
Click here for full version of the Action Plan 2019; Towards strengthening security for credit card transactions. (Only available in Japanese)
Click here for the Ministry of Economy, Trade and Industry

Actions to be taken by E-commerce operators

Based on the above revisions, the following two measures are required to be implemented by E-commerce operators (providing offline payment).

1.Protection of card information

Merchants who have already implemented card payment

If merchants hold card information

Merchants are recommended to migrate to non-passing-over settlements, or are strongly required to comply with PCI DSS.
It is strongly required to confirm whether payment information, including card details, is present in the system log, and to delete it immediately if it is.

If merchants do not store card information

No actions to be taken

Merchants who are considering opening an online shop or implementing card payment

If merchants consider retaining card information

It is not recommended. However, if information is stored, it is strongly required to comply with PCI DSS.
In addition, it is required that merchants do not keep any payment information, including card information, in the system log.

If merchants do not consider retaining card information

It is recommended that merchants do not retain credit card information.

"Non-pass-over-payment" (recommended): Card information is sent straight to us.
"Pass-over-payment": Merchants which pass over or store card information are required to comply with PCI DSS.

2.Measures against fraudulent use of credit cards in E-commerce

Merchants are required to implement the following measures to enhance the prevention of the fraudulent use of credit cards.

Personal authentication (3D Secure)
Authentication by card surface (Security code)
Attribute / behavior analysis
Shipping address information