JCA publishes Credit Card Security Guidelines V6.0

The Japan Consumer Credit Association (JCA) has published the final version of, and outlined the key revisions to, the Credit Card Security Guidelines, Version 6.0. The revisions focus on addressing evolving fraud risks and emerging technologies in the credit card payment ecosystem.

The revisions are primarily aimed at strengthening security measures for e-commerce (EC) merchants, combating fraudulent activities, and clarifying the responsibilities of the various stakeholders in the credit card industry. The document also details the removal of the "Signature for Identity Verification" and "PIN Bypass" for face-to-face transactions.

The JCA emphasizes the importance of a layered security approach, risk-based measures, and collaboration among stakeholders to ensure a safe and secure credit card environment in Japan. The implementation date for these revised guidelines is March 2025.

1. Introduction and Purpose

  • The revisions document serves as an overview of the significant changes introduced in Version 6.0 of the Credit Card Security Guidelines.
  • The primary objective is to enhance security measures across the credit card payment ecosystem, particularly in response to the increasing prevalence of online fraud and evolving attack vectors.
  • The guidelines aim to provide clear direction and best practices for merchants, card issuers, payment processors, and other stakeholders to mitigate risks and protect cardholder data.

2. Key Revision Areas

The document focuses on the following key areas of revision:

  • EC Merchant Security Enhancements: Strengthening security measures for e-commerce merchants to protect cardholder data and prevent fraudulent transactions.
  • Fraud Prevention Measures: Implementing measures to combat unauthorized use of credit cards, including enhanced authentication methods and fraud detection mechanisms.
  • Clarification of Responsibilities: Defining the roles and responsibilities of various stakeholders in the credit card payment ecosystem, including merchants, card issuers, payment processors, and technology providers.

3. EC Merchant Security Enhancements

This section is the most substantial, outlining specific measures for e-commerce merchants to address security vulnerabilities and protect cardholder data.

Addressing System and Website Vulnerabilities

  • The guidelines recognize that vulnerabilities in EC merchant systems and websites are a significant source of data breaches and fraudulent activity.
  • The guidelines emphasize the importance of robust vulnerability management programs, including regular security assessments, penetration testing, and timely patching of security flaws.
  • Specific measures include:
    • Restricting access to system administration interfaces: Implementing strong authentication and access controls to prevent unauthorized access to critical system components.
    • Securing data directories: Preventing exposure of sensitive data through misconfigured or insecure data directories.
    • Addressing web application vulnerabilities: Implementing security measures to protect against common web application vulnerabilities, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
    • Deploying and maintaining malware protection: Installing and regularly updating anti-virus and anti-malware software to detect and prevent malicious code from compromising the system.
    • Validating user input and preventing credit master attacks: Implementing measures to prevent the use of generated card numbers ("credit master" attacks) and other fraudulent card information.
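The last measure above is the one with the most direct technical shape, so here is an added example (not from the guideline or the article) of two checks a merchant's checkout can apply against "credit master" attacks, in which many generated card numbers are submitted to find ones that authorize. A Luhn check rejects malformed numbers locally before any authorization request reaches the acquirer, and a per-client velocity check counts how many distinct card numbers one session or IP has submitted inside a sliding window: a normal customer retries one or two cards, while a long run of distinct numbers is the signature of enumeration. The thresholds, client identifiers and sample traffic are constructed for illustration; the card numbers are publicly documented payment-gateway test numbers, not real accounts.

```python
"""Added example (not part of the JCA guideline or the article): two checks a
merchant's checkout can apply against "credit master" attacks.

1. A Luhn check rejects malformed numbers locally, so they never reach the
   acquirer as authorization requests.
2. A per-client velocity check counts how many *distinct* card numbers one
   session or IP has submitted inside a sliding window and blocks the client
   once the count is exceeded, whether or not the numbers are valid.

Thresholds, client ids and the sample traffic are constructed for illustration.
"""
import hashlib
from collections import defaultdict, deque


def luhn_valid(pan: str) -> bool:
    """Return True if the string is a 12-19 digit number passing the Luhn check."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVelocityMonitor:
    """Counts distinct card numbers per client within a sliding time window."""

    def __init__(self, window_seconds: int = 600, max_distinct: int = 5):
        self.window = window_seconds
        self.max_distinct = max_distinct
        self._attempts = defaultdict(deque)  # client_id -> deque[(ts, fingerprint)]

    def record(self, client_id: str, pan: str, ts: float) -> bool:
        """Record an attempt; return True if the client exceeds the distinct-card limit."""
        # Store only a hash so the monitor never retains raw card numbers.
        fp = hashlib.sha256(pan.replace(" ", "").encode()).hexdigest()
        q = self._attempts[client_id]
        q.append((ts, fp))
        while q and ts - q[0][0] > self.window:   # expire old attempts
            q.popleft()
        return len({f for _, f in q}) > self.max_distinct


def decide(monitor: CardVelocityMonitor, client_id: str, pan: str, ts: float) -> str:
    """Decide what the checkout does with one submitted card number."""
    if monitor.record(client_id, pan, ts):
        return "block_velocity"        # too many distinct cards from this client
    if not luhn_valid(pan):
        return "reject_invalid"        # never forwarded to the acquirer
    return "forward_to_acquirer"


# Publicly documented payment-gateway test numbers (all Luhn-valid); not real accounts.
TEST_PANS = [
    "4111111111111111", "4012888888881881", "5555555555554444",
    "378282246310005", "6011111111111117", "5105105105105100",
    "4000056655665556",
]


def run_demo() -> dict:
    """Constructed traffic: one customer correcting a typo, one client enumerating."""
    monitor = CardVelocityMonitor(window_seconds=600, max_distinct=5)
    results = defaultdict(list)
    # client-A mistypes a digit (Luhn fails), then retries with the correct number.
    results["client-A"].append(decide(monitor, "client-A", "4111111111111112", 100.0))
    results["client-A"].append(decide(monitor, "client-A", "4111111111111111", 130.0))
    # client-B submits seven different numbers within seven seconds.
    for i, pan in enumerate(TEST_PANS):
        results["client-B"].append(decide(monitor, "client-B", pan, 200.0 + i))
    return dict(results)


if __name__ == "__main__":
    for client, decisions in run_demo().items():
        print(client, decisions)
```

In the demo the customer's two attempts are handled normally, while the seventh-second client is blocked from its sixth distinct number onward. Keying the monitor by session or IP and hashing the card number keeps the check usable without storing cardholder data.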

Guidance for EC System Providers and Solution Vendors

  • The guidelines emphasize the responsibility of EC system providers and solution vendors in providing secure and compliant solutions to merchants.
  • These providers should ensure that their systems and services are designed with security in mind and adhere to industry best practices.
  • Providers should offer support and guidance to merchants in implementing and maintaining security measures.

4. Fraud Prevention Measures

This section details revisions related to enhancing fraud prevention measures, primarily focused on EC merchants.

EMV 3-D Secure (3DS) Implementation

  • The guidelines strongly encourage the implementation of EMV 3-D Secure (3DS) as a primary authentication method for online transactions.
  • EMV 3DS adds an extra layer of security by requiring cardholders to authenticate themselves before completing a transaction, reducing the risk of fraudulent use.
  • Key aspects of 3DS implementation include:
    • Transaction Authentication: Cardholders must authenticate each transaction.
    • Risk-Based Authentication (RBA): Improving the risk analysis so that security does not come at the expense of the customer experience.
    • Card Issuer Responsibilities: Card issuers must analyze transaction data to identify and mitigate fraud risks.

Effective Login Security

  • The guidelines highlight the importance of implementing robust measures to prevent unauthorized account access through fraudulent logins.
  • Specific measures include:
    • IP Address Restrictions: Blocking logins from suspicious IP addresses.
    • Multi-Factor Authentication: Implementing multi-factor authentication (MFA) to add an extra layer of security to the login process.
    • Personal Information Verification: Confirming personal information at registration.
    • Login Restrictions: Limiting login attempts and implementing throttling.
    • Account Activity Notifications: Sending email or SMS notifications to users when a login occurs or account details change.
    • Attributes and Behavior Analysis: Analyzing user attributes and login behavior to identify suspicious logins.
    • Device Fingerprinting: Using device fingerprinting to detect suspicious devices.
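Three of the measures in this list (login restrictions with throttling, account activity notifications, and device fingerprinting) fit together in a single login gate. The following is an added example, not code from the guideline or the article: failed attempts per account are counted in a sliding window, reaching the limit locks the account for a period that doubles with each repeated lockout, and a successful login from a device fingerprint not previously seen on the account emits a notification event, as does every lockout. The thresholds, the attributes hashed into the fingerprint, and the sample login sequence are constructed.

```python
"""Added example (not from the guideline or the article): a login gate that
combines failed-attempt throttling, device fingerprinting and account-activity
notifications. Thresholds, fingerprint inputs and sample events are constructed.
"""
import hashlib
from collections import defaultdict, deque


def device_fingerprint(user_agent: str, accept_language: str, ip_prefix: str) -> str:
    """Hash a few relatively stable client attributes into an opaque device id."""
    raw = "|".join([user_agent, accept_language, ip_prefix])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


class LoginGate:
    """Per-account failed-login throttling plus new-device detection."""

    def __init__(self, window_seconds: int = 900, max_failures: int = 5,
                 base_lockout: int = 60):
        self.window = window_seconds
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._lockouts = {}                   # account -> (locked_until, strikes)
        self._known_devices = defaultdict(set)
        self.notifications = []               # (event, account, ts) for e-mail/SMS

    def attempt(self, account: str, password_ok: bool, fp: str, ts: float) -> str:
        locked_until, strikes = self._lockouts.get(account, (0.0, 0))
        if ts < locked_until:
            return "locked_out"               # throttled: the password is not even checked
        q = self._failures[account]
        while q and ts - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if not password_ok:
            q.append(ts)
            if len(q) >= self.max_failures:
                strikes += 1                  # lockout doubles with each repeat
                locked_until = ts + self.base_lockout * 2 ** (strikes - 1)
                self._lockouts[account] = (locked_until, strikes)
                q.clear()
                self.notifications.append(("lockout", account, ts))
                return "locked_out"
            return "failed"
        q.clear()                             # success resets the failure window
        known = self._known_devices[account]
        # The first device ever seen is enrolled silently (in practice this would
        # happen at registration); later unseen devices trigger a notification.
        new_device = bool(known) and fp not in known
        known.add(fp)
        if new_device:
            self.notifications.append(("new_device_login", account, ts))
            return "ok_new_device"
        return "ok"


def run_demo():
    """Constructed sequence: a normal login, five wrong passwords, a correct
    password during the lockout, then a login from a different device."""
    gate = LoginGate(window_seconds=900, max_failures=5, base_lockout=60)
    fp_a = device_fingerprint("Mozilla/5.0 (X11; Linux x86_64)", "ja-JP", "203.0.113.0/24")
    fp_b = device_fingerprint("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)", "en-US", "198.51.100.0/24")
    events = [("alice", True, fp_a, 0.0)]
    events += [("alice", False, fp_a, 10.0 + i) for i in range(5)]
    events += [("alice", True, fp_a, 30.0), ("alice", True, fp_b, 80.0)]
    return [gate.attempt(*e) for e in events], gate.notifications


if __name__ == "__main__":
    decisions, notes = run_demo()
    print(decisions)
    print(notes)
```

The fifth wrong password locks the account until 74 seconds, so the correct password at 30 seconds is still refused, and the later login from the second fingerprint succeeds but produces a notification the user can act on. Keying the counters per account rather than per IP is what stops distributed guessing against one account; a real deployment would keep per-IP limits alongside it.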

5. Revisions to Measures for High-Risk Merchants

This section addresses the enhanced measures for merchants identified as high-risk or those handling specific types of goods.

Enhanced Measures for High-Risk Merchants

  • The guidelines recognize that certain merchants, based on their business model, product offerings, or transaction characteristics, are at higher risk of fraudulent activity.
  • The revised guidelines require these merchants to implement more stringent security measures.

Clarification of High-Risk Categories

  • The guidelines provide a more specific definition of "relatively high-risk goods", such as digital content, electronics, and event tickets.

6. Revisions to MO/TO Transaction Security

This section covers revisions related to Mail Order/Telephone Order (MO/TO) transactions.

Strengthening MO/TO Security Measures

  • The guidelines recognize that MO/TO transactions are particularly vulnerable to fraud due to the lack of physical card presence.
  • The revised guidelines emphasize the need for MO/TO merchants to implement security measures such as:
    • Authorization and compliance checks
    • An appropriate management system
    • Countermeasures based on risk and fraud status

7. Other Notable Revisions

This section covers other notable changes in the guidelines.

Support for EC Merchants

  • The guidelines emphasize the importance of providing adequate support to EC merchants in implementing and maintaining security measures.
  • This support can come from various stakeholders, including card issuers, payment processors, technology providers, and industry associations.

Eliminating Signature and PIN Bypass

  • The guidelines strongly recommend eliminating the practice of requiring signatures for transactions and deprecating PIN bypass functionality.
  • Signatures are no longer considered an effective means of cardholder authentication.
  • The new policy will apply from April 2025.

8. Appendices

The document also references a number of appendices that provide detailed guidance on specific aspects of credit card security. Key appendices include:

  • EMV 3-D Secure Implementation Guide: Provides detailed instructions on implementing EMV 3-D Secure for online transactions.
  • EC Merchant Security Implementation Guide: Offers comprehensive guidance on implementing security measures for e-commerce merchants.
  • Fraud Prevention and Detection Best Practices: Provides guidance on implementing fraud prevention and detection mechanisms, including risk-based authentication, transaction monitoring, and fraud scoring.

9. Roles and Responsibilities

The document clearly articulates the roles and responsibilities of various stakeholders in implementing the revised guidelines:

  • Merchants: Responsible for implementing and maintaining appropriate security measures to protect cardholder data and prevent fraudulent transactions.
  • Card Issuers: Responsible for providing secure cards, implementing fraud detection and prevention mechanisms, and supporting merchants in implementing security measures.
  • Payment Processors: Responsible for processing transactions securely, providing fraud prevention services, and ensuring compliance with industry standards.
  • Technology Providers: Responsible for developing and providing secure payment systems and technologies.
  • Industry Associations: Responsible for promoting security best practices, providing guidance and training to stakeholders, and coordinating industry-wide initiatives.

10. Summary of Revisions to Annexes

The document provides a summary of key revisions to the annexes that support the security guidelines. These changes include:

  • Integration and Consolidation: Integrating and consolidating several annexes to streamline the information and improve usability.
  • Updated Guidance: Providing updated guidance on specific topics, such as EMV 3-D Secure implementation, fraud prevention best practices, and security assessment procedures.
  • New Annexes: Introducing new annexes to address emerging security challenges, such as mobile payment security and cloud security.

Here's a breakdown of what the changes in the appendices include:

  • Revised EMV 3-D Secure Implementation Guide (Version 2.0): Provides updated guidelines for implementing EMV 3-D Secure for online transactions, including requirements for risk-based authentication and integration with mobile wallets.
  • Updated EC Merchant Security Implementation Guide (Version 2.0): Provides more comprehensive guidance on securing e-commerce websites and systems, including vulnerability management, access control, and data protection.
  • Retiring Annex 13: Annex 13, which contained details of specific standards, is retired.
  • Inclusion of Annex 19: Details of risk analysis and behavior analysis will now be in Annex 20.

11. The Credit Transaction Security Measures Council

The document provides background information on the Credit Transaction Security Measures Council, the organization responsible for developing and maintaining the credit card security guidelines.

  • Membership: The council includes representatives from various stakeholders in the credit card industry, including card issuers, merchants, payment processors, technology providers, and government agencies.
  • Purpose: The council's mission is to promote a safe and secure credit card payment environment in Japan by developing and implementing effective security measures.
  • Activities: The council conducts research, develops guidelines, provides training, and coordinates industry-wide initiatives to enhance credit card security.

12. Basic Thoughts Regarding the Guideline

  • The basic theme behind these guidelines is to have security systems in place against fraudulent activity.
  • The guideline should be based on the "Installment Sales Act".
  • Parties involved in following the guidelines are "Vendor", "Card Company", "Settlement Agency", and "Code Settlement Business".
