Action Plan 2017 for the Consolidation of Security Measures for Credit Card Transactions Formulated (“Action Plan 2017”)
To advance the development of the international-level environment for credit-card settlement
On March 8, 2017, the Credit Transaction Security Council (secretariat: Japan Consumer Credit Association (JCA)) held a meeting and formulated Action Plan 2017 by revising Action Plan 2016 formulated in February 2016, a compilation of measures that entities involved in credit card transactions, e.g., credit card companies (issuers and acquirers) and credit-card merchants, should take. Action Plan 2017 aims to develop an international-level security environment for credit card transactions by 2020.
An environment where secure credit-card shopping is available is expected to contribute to the expansion of purchase opportunities for consumers and enable smooth credit card transactions, playing an important role in modern consumer lifestyles.
Meanwhile, in recent years, Japan has been facing an increase in the number of incidents involving leaks of personal credit card information by unauthorized access targeting the computers of credit-card merchants with insufficient security measures. These leaks also trigger an increase in the number of victims involved in unauthorized use of credit cards, including transactions by forged credit cards and spoofing online transactions.
Looking overseas, the United States, like Japan, had lagged behind in introducing IC (EMV) card payment systems and saw a concentration of damage due to unauthorized use of credit cards from around the world, but the country has been dramatically advancing the introduction of IC (EMV) card payment systems. As this trend in the introduction of IC (EMV) card payment systems continues, Japan is facing the growing risk of becoming a credit card security hole in the global community and a country prone to the concentration of international crime. In May 2016, an incident of unauthorized cash withdrawal transactions occurred in Japan using forged cards originally issued by a bank in South Africa. In just three hours or so, over 1.8 billion yen in total was simultaneously withdrawn from ATMs in convenience stores nationwide, causing huge damage.
To prevent further damage due to unauthorized credit-card transactions, in March 2015, the JCA and the Ministry of Economy, Trade and Industry (METI) proactively established the Credit Transaction Security Council, aiming to develop an international-level security environment for credit-card transactions with an eye on 2020. In February 2016, the council formulated Action Plan 2016, a compilation of measures that entities involved in credit card transactions, e.g., credit card companies and credit-card merchants, should take. Action Plan 2017 is a result of revisions to Action Plan 2016, made in line with the progress in discussions by the council, the partial revision of the Installment Sales Act established in December 2016, and other information.
2. Outline of the Action Plan (*Items with a dash (-) at the beginning describe major revisions)
1) Adequate protection of credit-card information
- Encouragement of credit-card merchants not to retain credit-card information
- The revised plan explicitly defines a “non-retaining” state as a state in which credit-card merchants do not store, process or pass credit-card information in or through machines or networks owned by the merchants.
- The revised plan describes a “state equivalent to a non-retaining state” as a state in which merchants have introduced a system whereby encrypted credit-card information is not decrypted at the merchants.
- Encouragement of credit-card and other companies and merchants retaining any credit-card information to adequately manage such information (to comply with PCI DSS (Payment Card Industry Data Security Standard), the international standards for the data security concerning credit-card information)
- The revised plan describes a compilation of leading examples concerning credit card companies and merchants that have complied with the above international standards, and aims to raise awareness among stakeholders.
2) Prevention of unauthorized use of credit cards
- Advancement of introducing new systems for settlement terminals into face-to-face merchants to address IC (EMV) technologies as a countermeasure against forged credit cards
- The revised plan stipulates raising awareness of the guidelines concerning the specifications and designs of IC (EMV)-responsive POS systems, which are formulated for POS-system vendors.
- Encouragement of non-face-to-face merchants, e.g., merchants operating E-commerce, to take measures for multilateral and multilevel prevention of unauthorized use, e.g., requesting credit-card users to input their passwords for authorization and introducing new systems to detect unauthorized use by the analysis of shopping history data and accumulation of information on product shipment destinations
- The revised plan stipulates the promotion of introducing new authorization methods, e.g., one-time (dynamic) passwords or biometric authentication, bearing in mind potential risks of a leak of reusable passwords.
- The revised plan positions an e-mail delivery service responding to the use of credit cards as an effective measure for the prevention of unauthorized use.
3) Information conveyance to consumers and other credit-card users
- The revised plan stipulates the promotion of efforts for making progress in security measures taken by credit-card merchants visible.
- The revised plan stipulates efforts for raising public awareness of ascertaining monthly usage details for the early discovery of unauthorized use.
For the text and a summary of Action Plan 2017, visit the JCA website below.
- Action Plan 2017 for the Consolidation of Security Measures for Credit-Card Transactions [released version] (in Japanese) (PDF: 1,777KB)
March 8, 2017
Division in Charge
Commerce Supervisory Division, Distribution and Industrial Safety Policy Group