# Japan Security Checklist

Card merchants (Stripe users) in Japan are expected to implement a certain level of security measures under the Installment Sales Act. Due to incidents involving unauthorized use of card data, the [Credit Card Transactions Security Measures Council](https://www.j-credit.or.jp/security/safe/conference.html), an industry body, has published a **Security Checklist** that outlines specific measures that Japan merchants who process online card transactions must implement.
Stripe and other payment service providers are required to collect a declaration from card merchants regarding their adoption of the security measures. The questions will outline the measures required.
To learn more, read the [guidelines](https://www.j-credit.or.jp/security/document/index.html) published by the Credit Card Transactions Security Measures Council (available in Japanese).
In 2026, the scope of the Security Checklist will expand. Merchants who receive an email regarding the declaration of the Security Checklist should read [FAQs for existing users who created accounts before April 1, 2024](#april-1-2024).
## General FAQ
### How do I implement the security measures?
Implementation will differ depending on how you process payments and design your website. If you use plug-ins or outsource your system architecture to a third party, ask them for support in answering the questions. If you will develop the measures on your own, find further details in this [Implementation Guide](https://d37ugbyn3rpeym.cloudfront.net/docs/japan/security-checklist-guide-2024.pdf) circulated by the Credit Card Transactions Security Measures Council (available in Japanese).
### What if I outsource my security measures to a third party?
If you plan to address the security measures through outsourcing, answer based on information from your third-party providers. You're still responsible for answering the questions.
Include information regarding the outsourcing party or the Application Source Provider you use. Outsourcing party information is necessary if a third party is involved in operating your website or in being responsible for security measures you adopt.
### Can I share the questions, Security Checklist, and related materials with the vendors or system providers I use?
Yes, you may share the information with relevant parties.
### Can’t Stripe answer these questions on my behalf?
Stripe and other payment service providers are required to collect answers from every user that will process card payments. While we can't answer the questions for you, we have provided some guidance and suggestions when we think our products can be used to address the security measures.
### Do Stripe’s products address any of the measures required?
Stripe will automatically limit the number of times the validity of a card can be tested, based on a range of factors and data. Therefore, for payments processed by Stripe, you can respond that you implement at least one of the security measures listed to combat malicious card testing (5. Card testing countermeasures). Learn more about [additional measures you can adopt to protect yourself from card testing](https://docs.stripe.com/disputes/prevention/card-testing).
### If I have multiple Stripe accounts, do I have to answer from each account?
Yes, answers are necessary from each account where the questions are surfaced.
### I thought Stripe payments were secure. Why do I need to submit a declaration?
Stripe and other payment service providers are required to collect answers from every new user that will process card payments. The Security Checklist and related questions are intended to ensure online card transactions are kept safe and secure. This is an industry-wide requirement and isn't an initiative specific to Stripe.
### What if I don’t adopt the measures listed but can ensure the same level of security through alternative measures?
In general, we expect users to comply with the Security Checklist requirements by adopting the measures listed. However, we may be able to recognize certain alternative measures if they have at least the same degree of effectiveness. If you rely on an alternative security measure that isn't listed in the response options or the Security Checklist, contact Support with an explanation of what measure you have adopted, why you believe it's an adequate alternative, and which requirement you think it addresses.
## FAQ for new users
### What if I haven’t developed the security measures yet?
You may answer questions based on the measures you intend to have at the time you start processing card payments. However, if you submit the form before completing the adoption of any measures, you're expected to refrain from accepting card transactions until the work is complete.
### What happens after I submit my answers?
You'll be able to proceed to accept online card transactions.
### Do we need to maintain security measures after onboarding?
Yes, we expect you to maintain the measures that you say you have adopted.
### Do I have to answer these questions if I accept payments through Payment Links or a Stripe-hosted invoice?
If you only accept payments through Payment Links or Stripe Invoicing and don't sell your goods and services through an online website (for example, you only sell over email), you're only required to answer some of the questions.
### What happens if I don’t fill out the questions?
If you don't answer the questions, you won't be able to proceed to accept online payments.
### Can I make changes to my answers after submitting them?
We generally don't accept changes once the answers are submitted. If you need time to determine which measures you'll adopt, wait until you have the necessary information to submit your answers. If you submit answers based on the measures you intend to adopt later, don't accept online card payments until you have completed adopting those measures.
## FAQ for existing users who created accounts before April 1, 2024
### What does it mean if I receive an email saying, "Complete security checklist by Dec 22, 2025"? What happens if I don't submit it?
Respond to the declaration by December 22, 2025 based on your current security measures. You can declare even if measures haven't yet been implemented, but future implementation will be mandatory. A specific deadline will be communicated at a later date.
## Glossary
For more information, refer to the [guidelines](https://www.j-credit.or.jp/security/document/index.html).
* **Basic authentication:** A simple authentication method in the HTTP protocol that restricts access to a website. When introducing basic authentication, use HTTPS (TLS or SSL), a mechanism for encrypting data, for password protection.
* **Vulnerability:** Security defects caused by program errors or design mistakes.
* **Vulnerability diagnosis:** The action of assessing the system for potential risks and vulnerabilities.
* **Penetration testing:** A process that simulates specific attacks that malicious hackers might use, to verify whether those attacks would succeed.
* **SQL injection:** An attack method that involves passing a string containing malicious commands to a database to extract data stored in the database or write unauthorized data.
* **Cross-site scripting:** An attack method that embeds malicious scripts (simple programs) into web applications and executes the malicious scripts when users perform actions in the browser.
* **Malware:** Malicious software developed with the intent to harm computers and their users. Viruses are one type of malware.
* **[Card testing](https://docs.stripe.com/disputes/prevention/card-testing):** An attack method that illegitimately generates a large number of card numbers by exploiting rules in card number assignments, or verifies the validity of card numbers obtained through phishing or leaks via online sites, thereby illegitimately obtaining valid card numbers.
* **Throttling:** A process that limits the number of requests that can be sent for a specific operation within a specified period of time.
