Purpose of the revision
In recent years, the number of victims of credit card fraud has grown, including cases of leaked credit card numbers or related information and their unauthorized use, due to merchants who improperly handle credit cards. In addition, a new business model in which the credit card issuer is different from the Acquirer, i.e., the company that concludes a contract with the seller (the 4 party model), is becoming popular in the credit card industry. Along with this trend, some Acquirers are not able to appropriately manage merchants who handle customers' credit cards.
In light of this situation, METI will take necessary measures under the revised Act to realize an environment in which consumers are able to use credit cards in a safe and secure manner, while taking into account a new trend under which companies providing innovative financial services in the field of financial technology (FinTech) will enter the substitute service industry concerning payment transactions. Furthermore, these measures will also contribute to attracting inbound demand in light of the forthcoming 2020 Tokyo Olympic and Paralympic Games.
The revised Installment Sales Act will come into effect as of the day specified by Cabinet Order within a period not exceeding 18 months from promulgation (9th December, 2016).
Outline of the revision
(1) Appropriate management and control of credit card information and preventing unauthorized use by third parties
- The revised Act will require merchants to appropriately manage and control credit card information.
ex.) Not storing credit card information, satisfying the PCI DSS requirements
- The revised Act will require merchants to prevent unauthorized use by third parties.
ex.) Introducing IC (EMV) terminals, and preventing fraud in internet transactions
(2) Registration of Acquirer and others
- The revised Act will implement a registration system for Acquirers enabling merchants to accept credit card payments. It will also require registration of those Payment Service Providers acting as Acquirers. Payment Service Providers simply acting as a subcontractor of an Acquirer and not having the business capability of an Acquirer are not required to register.
(3) Inspection of merchants
- The revised Act will require registered Acquirers and Payment Service Providers to inspect merchants* and to take necessary measures against them in line with inspection results.
* “Inspecting merchants” includes rectifying / excluding malicious merchants and inspecting whether merchants appropriately manage credit card information and prevent unauthorized use by third parties.
(4) Improvement order and rescission of registration for registered Acquirers and others
- If a registered Acquirer or Payment Service Provider is found to be in violation of the requirement for inspecting merchants, the Minister of Economy, Trade and Industry may rescind their registration.
Registration of Acquirer and Payment Service Provider
** A period of 6 months from the day on which the Act comes into effect will be given before the registration system is applied. Details will be prescribed in ministry ordinances or other notifications.
- An Acquirer of a Japanese merchant must be registered. (In cases that fall under the category (A) described below where an Acquirer subcontracts to the Payment Service Provider, the Acquirer is not required to register.)
- A foreign acquirer, which conducts a business that concludes a contract to enable credit card acquiring of a merchant in Japan, must either perform registration itself or entrust the work to a registered Payment Service Provider.
- The revised Act will require foreign acquirers, when being registered, to have a business office in Japan.
Payment Service Provider
A : A company authorized by an Acquirer and in practical terms in a position to make decisions regarding merchant-acquiring must be registered. In this case, the registered Payment Service Provider will have the obligation of inspecting merchants.
B : A company subcontracted by an Acquirer and not in the position to make any final decisions regarding merchant-acquiring (only acting as Acquirer for part of the acquiring business under the Acquirer’s responsibility) does not need to be registered.
** Which company must be registered will be judged based on the contract between an Acquirer and a Payment Service Provider. The company shown, under the contract, to be in the position to make decisions regarding merchant-acquiring is required to register.
** Penalties apply to unregistered Acquirers or Payment Service Providers that sell acquiring services to merchants.
Duty of Inspecting Merchants
* The details will be prescribed in ministry ordinances or other notifications, so the following should be considered tentative plans.
Inspection of merchants
- Factors of initial inspection; when concluding a contract
- The location of the merchant, representative, merchandise, sales means
- Information security measures
- Factors of interim inspection; after concluding a contract
- Operational status of information security measures
(Occurrence of information leakage and unauthorized use by third parties)
- Whether malicious transactions have occurred (Occurrence of complaints by consumers)
- Necessary measures in line with inspection results
- Rectify the merchant or, if necessary, withdraw the contract when a problem is found with the merchant.
Mechanism of collaboration for eliminating malicious merchants
To realize a safe and secure cashless society and to eliminate domestic/overseas merchants that cause damage to consumers in Japan through illegal transactions, etc., international brands and the Ministry of Economy, Trade and Industry shall collaborate and take necessary actions, such as giving guidance to and/or taking corrective actions against overseas acquirers that have signed with such malicious merchants, etc.
January 31, 2017
Division in Charge
Commerce Supervisory Division, Commerce, Distribution and Industrial Safety Policy Group