# Japan Security Checklist for Connect Platforms

Stripe and other payment service providers are required to collect a a declaration of security checklist from card merchants regarding their adoption of the security measures.
Many of the checklists pertain to infrastructure and application security, which are owned by the platform rather than the connected accounts. Therefore, the platform needs to submit the declaration on behalf of the connected accounts. If the connected accounts have [full access to the Stripe Dashboard](https://docs.stripe.com/connect/stripe-dashboard), they can obtain their API keys and create transactions themselves, the platform does not need to submit the declaration on their behalf.
# How to Respond
To learn more, see the [guidelines](https://www.j-credit.or.jp/security/document/index.html) published by the Credit Card Transactions Security Measures Council (available in Japanese). For each question, consider whether you can respond "yes" on behalf of the connected accounts.
1. Access restriction and password management issues for administrator accounts.
   * This refers to the admin page provided to connected accounts. If you do not currently require 2FA for logging in, consider implementing it in the future and how to encourage existing connected accounts to use it.
1. Configuration issues resulting in exposure of data directories
   * If connected accounts can upload files such as product images, ensure that they meet the requirements of the checklist.
1. Web application vulnerabilities
   * This is not directly related to individual connected accounts, but is common across the platform's entire service.
1. Introduction and operation of virus protection software as malware countermeasures
   * This is not directly related to individual connected accounts, but is common across the platform's entire service.
1. Card testing countermeasures
   * This is not directly related to individual connected accounts, but is common across the platform's entire service.
1. Provide details about your login security measures
   * This refers to measures regarding the accounts of customers of the connected accounts. You may need to consider changes to how these customers log in.
# FAQ
### What should I do if I have Standard connected accounts?
The connected account itself must submit the declaration. However, they will not be able to answer questions related to the platform service, so you need to prepare support articles or similar resources to help the connected accounts respond. Even if connected accounts depend on the platform system, they are responsible for implementing security measures as card merchants.
### What should I do if security measures have not yet been established?
Respond to the declaration based on your current security measures by December 22. You can submit the declaration even if measures have not been installed; however, the establishment of measures may become mandatory in the future. We will contact you again if additional measures are deemed necessary.
### Can’t Stripe answer these questions on my behalf?
Stripe and other PSPs are required to collect answers from every new user that will process card payments. While we cannot answer the questions for you, we have provided some guidance and suggestions when we think our products can be used to address the security measures.
### Can I make changes to my answers after submitting them?
We generally do not accept changes once the answers are submitted. If you need time to determine which measures you will adopt, wait until you have the necessary information to submit your answers. If you submit answers based on the measures you intend to adopt later, don't accept online card payments until you have completed adopting those measures.
### What should I do if I have implemented alternative measures instead of those listed?
In general, we expect users to comply with the Security Checklist requirements by adopting the measures listed. However, we may be able to recognize certain alternative measures if they have at least the same degree of effectiveness. If you rely on an alternative security measure that is not listed in the response options and/or the Security Checklist, [contact support](/contact) with an explanation of what measure you have adopted, why you believe it is an adequate alternative, and which requirement you think it addresses.