Japan Security Checklist

Card merchants (Stripe users) in Japan are expected to implement a certain level of security measures under the Installment Sales Act. Due to incidents involving unauthorized use of card data, the Credit Card Transactions Security Measures Council, an industry body, has published a “Security Checklist” that outlines specific measures that merchants in Japan who process online card transactions must implement.

Stripe and other payment service providers (PSPs) are now required to collect a declaration from new card merchants regarding their adoption of the security measures. Subject users will see this surfaced as questions before they complete onboarding. The questions will outline the measures required, and if users are deemed to have insufficient security measures in accordance with the questions, they will not be able to process card payments.

To learn more, please refer to the "Security Checklist - Basic Security Measures for Online Merchants" published by the Credit Card Transactions Security Measures Council (available in Japanese). Thank you for your understanding as we implement this industry requirement to protect card transactions in Japan.

FAQ

What if I haven’t developed the security measures yet?

You may answer questions based on the measures you intend to have at the time you start processing card payments. However, if you submit the form before completing the adoption of any measures, you are expected to refrain from accepting card transactions until the work is complete.

Do we need to maintain security measures after onboarding?

Yes, we expect you to maintain the measures that you say you have adopted.

Do I have to answer these questions if I accept payments through Payment Links or a Stripe-hosted invoice?

If you only accept payments through Payment Links or Stripe Invoicing and do not sell your goods and services through an online website, you are only required to answer some of the questions.

How do I implement the security measures?

Implementation will differ depending on how you process payments and design your website. If you use plug-ins or outsource your system architecture to a third party, please ask them for support in answering the questions. If you will develop the measures on your own, you can find further details in this Implementation Guide circulated by the Credit Card Transactions Security Measures Council (available in Japanese).

What if I outsource my security measures to a third party?

If you plan to address the security measures through outsourcing, please answer based on information from your third party providers. You are still responsible for answering the questions.

Please make sure to include information regarding the outsourcing party and/or the Application Source Provider you use. Outsourcing party information is necessary if a third party is involved in operating your website and/or in being responsible for security measures you adopt.

Can I share the questions, Security Checklist, and related materials with the vendors or system providers I use?

Yes, you may share the information with relevant parties.

Do I need to answer the questions?

Yes, answers are required to begin processing online credit card payments.

Can’t Stripe answer these questions on my behalf?

Stripe and other PSPs are required to collect answers from every new user that will process card payments. While we cannot answer the questions for you, we have provided some guidance and suggestions when we think our products can be used to address the security measures.

Do Stripe’s products address any of the measures required?

Stripe will automatically limit the number of times the validity of a card can be tested, based on a range of factors and data. Therefore, for payments processed by Stripe, you can respond that you implement at least one of the security measures listed to combat malicious card testing (5. Card testing countermeasures). Learn more about additional measures you can adopt to protect yourself from card testing here.

If I have multiple Stripe accounts, do I have to answer from each account?

Yes, answers are necessary from each account where the questions are surfaced.

Does this impact existing Stripe accounts?

We are not collecting responses from existing Stripe accounts now. However, it has been announced that the security measures questions must be asked of all merchants, including already-onboarded merchants, as of April 2025. We are monitoring developments and will provide updates if and when responses become necessary from existing accounts.

I thought Stripe payments were secure. Why do I need to submit a declaration?

Stripe and other PSPs are required to collect answers from every new user that will process card payments. The Security Checklist and related questions are intended to ensure online card transactions are kept safe and secure. This is an industry-wide requirement and is not an initiative specific to Stripe.

What happens if I don’t fill out the questions?

If you do not answer the questions, you will not be able to proceed to accept online payments.

Can I make changes to my answers after submitting them?

We generally do not accept changes once the answers are submitted. If you need time to determine which measures you will adopt, please wait until you have the necessary information to submit your answers. If you submit answers based on the measures you intend to adopt later, please do not accept online card payments until you have completed adopting those measures.

What happens after I submit my answers?

You will be able to proceed to accept online card transactions.

What if I don’t adopt the measures listed but can ensure the same level of security through alternative measures?

In general, we expect users to comply with the Security Checklist requirements by adopting the measures listed. However, we may be able to recognize certain alternative measures if they have at least the same degree of effectiveness. If you rely on an alternative security measure that is not listed in the response options and/or the Security Checklist, please contact support with an explanation of what measure you have adopted, why you believe it is an adequate alternative, and which requirement you think it addresses.

Glossary

For more information, you may also refer to the "Security Checklist - Basic Security Measures for Online Merchants".