March 9, 2022
The “8th Meeting of the Credit Transaction Security Council” (secretariat: Japan Consumer Credit Association [JCA]) was held on Tuesday, March 8, 2022. At the meeting, the “Credit Card Security Guidelines,” which stipulate the security measures to be implemented by businesses involved in credit card transactions, were revised to Version 3.0.
1. Outline of the Credit Card Security Guidelines
- The “Credit Card Security Guidelines” compile the security measures for preventing the leakage and unauthorized use of credit card information. The Guidelines were developed to create a safe and secure environment for credit card use, and are to be implemented by credit card companies, affiliated stores (merchants), payment agents, and other businesses involved in credit card transactions.
- The Guidelines also serve as the practical guidelines for the security obligations set forth in the Installment Sales Act. Implementing the measures set forth in the Guidelines, or measures of equal or greater efficacy, is treated as meeting the standards for security measures required by the Act.
- Version 3.0 adds specific details, including examples of the businesses that are subject to the security obligations under the Installment Sales Act, in order to promote the implementation of appropriate security measures by the businesses concerned.
2. Major revisions in the “Credit Card Security Guidelines” Version 3.0
[i] Measures for protecting credit card information
- Encouraging affiliated stores not to retain credit card information, and to implement leakage-prevention measures such as countermeasures against vulnerabilities and viruses, management of administrator privileges, and device management
- Requiring credit card companies, payment settlement companies, EC mall operators, QR code payment service providers, EC system providers, etc., to comply with the Payment Card Industry Data Security Standard (PCI DSS)
- Discontinuing PIN bypass (the ability to skip PIN entry) at affiliated stores (to be completed by March 2025)
[ii] Measures against unauthorized use of credit cards by preventing card counterfeiting
- Equipping credit cards with IC chips and making payment terminals capable of IC (chip) transactions
[iii] Measures against unauthorized use of credit cards in EC transactions
- Putting in place multi-faceted, multi-layered measures against the risk of unauthorized use at EC affiliated stores, including cardholder authentication (e.g., EMV 3-D Secure), security codes, fraud detection systems, and checks against databases of known fraudulent recipients
- Promoting the establishment and operation, by payment settlement companies, of a scheme to supply the above measures to EC affiliated stores
- Introduction of EMV 3-D Secure by credit card companies (issuers), with a transition from fixed passwords to one-time passwords and the introduction of device-based authentication (e.g., biometric authentication); strengthening fraud detection systems and improving their accuracy; and sending card-usage notifications to cardholders via e-mail and apps
(In particular, multiple measures against unauthorized use are required when linking credit cards with other payment services, such as QR code payment services.)
- Provision of guidance and information on measures against unauthorized use (including EMV 3-D Secure) by credit card companies (acquirers) to EC affiliated stores