The Credit Transaction Security Council*1 announced the "Action Plan 2019" on March 4, 2019, which aims to enhance the security measures for credit card transactions. It revises the previous Action Plan 2018, announced on March 1, 2018, and the Action Plan 2017, announced on March 8, 2017, with the aim of further promoting the initiatives from 2020 onward. Under the Act for Partial Revision of the Installment Sales Act ("Amended ISA"), which came into force in June 2018, online merchants (such as EC operators and mail-order call centers, when a credit card is used as the payment method) are required to appropriately manage credit card information and to take countermeasures against its unauthorized use. Implementing the Action Plan is therefore required, as it serves as the practical guideline for the Amended ISA.
*1 Established in March 2015 with the participation of the Ministry of Economy, Trade and Industry as well as a wide range of operators related to credit card transactions.
The three main pillars of the Action Plan announced by the Credit Transaction Security Council, aimed at strengthening the security measures for credit card transactions, are outlined below.
1. Measures for protecting credit card information | 2. Measures against unauthorized use of credit cards by preventing forging of credit cards | 3. Measures against unauthorized use of credit cards on EC websites
---|---|---
Block the stealing of credit card information (requires the use of non-transmitted payment offered by PCI DSS*3 compliant PSP*2 services) | Block the usage of forged cards | Block online spoofing
Highlights of the revisions included in Action Plan 2019 for mail-order and EC operators:
1. Stresses the importance of the security measures outlined below, in light of recent trends in card data leak incidents
・Continue to strive for card data protection even after achieving non-retention
・Continuously take countermeasures against new threats
・Deploy security measures in conjunction with related operators
2. Measures against unauthorized use of credit cards in non-face-to-face transactions
・Requires risk-based, multi-layered and multi-faceted countermeasures against unauthorized use of credit cards. The specific countermeasures are as follows:
User verification (3D Secure), card verification (security code), customer attribute and behavior analysis, and delivery address information
・Implement countermeasures commensurate with the risk and damage level
Measures need to be introduced that cover all physical merchants, high-risk merchants and merchants where fraudulent activity is surfacing, across all risk and damage levels.
3. Visualization of security measures undertaken by merchants
・EC operators etc. can display (self-declaration) on their own EC website that they implement the Action Plan, if they have implemented measures against unauthorized credit card use and for the protection of credit card information.
*2 Payment service provider
*3 Payment Card Industry Data Security Standard
For Reference
・Click here for an outline of Action Plan 2019: Towards strengthening security for credit card transactions (only available in Japanese)
・Click here for the full version of Action Plan 2019: Towards strengthening security for credit card transactions (only available in Japanese)
・Click here for the Ministry of Economy, Trade and Industry
Based on the above revisions, the following two measures are required to be implemented by e-commerce operators (providing offline payment).
If merchants hold card information
Merchants are recommended to migrate to non-pass-over payment, or are otherwise strongly required to comply with PCI DSS.
It is strongly required to confirm whether payment information, including card details, is present in the system log, and to delete it immediately if it is.
If merchants do not store card information
No action is required.
If merchants are considering retaining card information
This is not recommended. However, if the information is stored, it is strongly required to comply with PCI DSS.
In addition, merchants are required not to keep any payment information, including card information, in the system log.
If merchants are not considering retaining card information
It is recommended that merchants do not retain credit card information.
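The requirement above to confirm that no card details have leaked into the system log is easiest to meet with a recurring scan. The following Python is an added, illustrative example (not GMO-PG code and not part of the Action Plan) that finds Luhn-valid card numbers in log lines and masks them; the log lines are constructed, and the 13-19 digit range and the first-six/last-four masking are assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (assumed range, covers common card brands).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out most numeric noise such as order ids or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the usual PCI DSS display allowance)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_line(line: str):
    """Return (masked line, list of masked PANs found in it)."""
    found = []
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
            return found[-1]
        return m.group(0)                   # Luhn failed: not a card number, leave as-is
    return PAN_CANDIDATE.sub(repl, line), found

def scan_log(lines):
    """Return [(line number, masked line, masked PANs)] for every line that leaked card data."""
    hits = []
    for n, line in enumerate(lines, 1):
        masked, found = scan_line(line)
        if found:
            hits.append((n, masked, found))
    return hits

# Constructed sample log lines (not real data); 4111 1111 1111 1111 is a
# well-known Luhn-valid test card number, the other long numbers are not Luhn-valid.
SAMPLE_LOG = [
    "2019-03-04 10:00:01 INFO order=20190304000124 amount=4980 status=ok",
    '2019-03-04 10:00:02 DEBUG payload={"card":"4111 1111 1111 1111","exp":"0321"}',
    "2019-03-04 10:00:03 INFO tracking=1234567890123456789 carrier=yamato",
]

if __name__ == "__main__":
    for n, masked, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: {found} -> {masked}")
```

A hit from this scan means the offending log entry must be deleted and the code path that wrote it fixed; masking the archive copy alone does not satisfy the requirement.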
"Non-pass-over payment" (recommended) | "Pass-over payment"
---|---
Card information is sent straight to us. | Merchants which pass over or store card information are required to comply with PCI DSS.
Click here to learn more about the non-pass-over payment solution offered by GMO-PG.
Merchants are required to implement the following measures to enhance the prevention of fraudulent use of credit cards.
① Personal authentication (3D Secure)
② Authentication by card surface (security code)
③ Attribute / behavior analysis
④ Shipping address information
Category | Examples of products and services
---|---
Illegal goods, crime-inducing items | Items designated under the Washington Convention (CITES) (ivory, python, ostrich, crocodile, etc.), items that induce crime (tear-gas spray, model guns, stun guns, firearms, swords and blades, handcuffs, wiretapping and covert-camera equipment, etc.), goods or services that violate industry regulations or are sold without a license
Goods infringing intellectual property rights | Illegally copied goods, pirated goods, devices or related products that facilitate illegal copying
File-sharing services | File-sharing software and services
Counterfeit brands | Counterfeit brand goods
Adult goods | Pornography, burusera shops (shops selling used school uniforms and underwear), adult content
Sex industry, dating services | Sex-industry services, dating sites, marriage-matching sites
Illegal pharmaceuticals, narcotics | Drugs that violate the Pharmaceutical Affairs Act, the Health Promotion Act or the Narcotics Control Act
Tobacco, e-cigarettes | Tobacco, e-cigarettes
Cash vouchers, cash-out services, bank accounts, RMT, securities | Gift certificates, prepaid cards, revenue stamps, postage stamps, coupon tickets, discount airline tickets, cash-out services, RMT (real-money trading), stocks, securities
Casinos, gambling | Illegal online casinos, gambling, overseas lotteries, penny auctions
Money-making schemes, information products | Money-making tips, horse-racing betting tips, information products
Spiritual-sales schemes, fortune-telling | Power stones, amulets, seals (hanko) marketed for their supposed effects, fortune-telling
Pyramid schemes, multi-level marketing | Pyramid schemes, multi-level marketing
Spam | Spam, phishing sites
Exaggerated advertising, violations of the Act against Unjustifiable Premiums and Misleading Representations | Exaggerated advertising, violations of the Act against Unjustifiable Premiums and Misleading Representations
Charging card fees | Separately charging a settlement fee for credit card payments