Creating a safe and secure payment infrastructure for credit card transactions

Japan has a mountain of issues that we must address as we head towards the 2020 Olympic and Paralympic Games in Tokyo, but one challenge that we absolutely must overcome is that of creating a safe and secure environment for credit card transactions.

Credit cards have taken an extremely important place in our payment infrastructure. Making reliable cashless transactions possible is the key to absorbing the flood of inbound demand—particularly in the form of overseas visitors—that will accompany the Tokyo Olympics.

However, despite Japan’s high-tech image, our country lags behind when it comes to security measures for credit card transactions. The US, which was also considered underdeveloped in terms of security, has drastically overhauled its security measures in recent years following a number of major incidents involving credit card information leaks. As a result, there is a greater risk that global credit card abuses will quickly flow into Japan. Our country is gradually becoming a security hole.

Unauthorized credit card use represents a major threat to society on two levels. It negatively affects the parties involved in the transaction, but the lost money is then also used to fund anti-social forces. In 2014, this amount reached some 11.4 billion yen in Japan alone. A good part of the damages come from unauthorized, identity theft–driven transactions that target e-commerce sites with insufficient security measures and from the use of counterfeit cards in face-to-face transactions. In both cases, the perpetrator is using credit card information that was stolen in some way.

If we simply ignore the situation, it will become a major hindrance to enlivening Japan’s payment environment. Moving towards a cashless society is now a hot issue even within the government’s Japan Revitalization Strategy, requiring that the numerous key players that make up credit card payment systems (credit card companies, member retailers, payment agencies, international brands, and so on) create a soundly functioning institutional payment infrastructure as they work together to maintain a high level of security. The Credit Transaction Security Council (administered by the Japan Consumer Credit Association) was established last year as a way to push towards that aim. The council is made up of a diverse group of members from the credit card industry including the Ministry of Economy, Trade and Industry, and is working to implement action plans that will enhance security.

Actions we must take

So what is the first thing we need to do in order to prevent unauthorized transactions? Our current plans are structured with a two-part approach.

(1) Keep credit card information safe

There is no risk of unauthorized credit card information use if the information never gets leaked in the first place. Our first goal is to get individual consumers to keep their credit card information protected. In the majority of cases, information is leaked from member retailers, and best way to prevent this is to ensure that they do not keep customer card information when they handle transactions (non-holding policy). For example, when a credit card reader is installed in the point-of-sale system at the register in brick-and-mortar stores, it means that credit card information is stored there. One way to address this is by introducing new systems that separate point-of-sale functions from credit card payment functions. When it comes to online stores, an effective strategy is to reorganize them so that they use a non-holding payment system where credit card information does not pass through the member retailer.

Credit card companies, payment service providers (PSPs), member retailers, and others are also working on initiatives to address situations where member retailers have no choice but to keep track of consumer credit card information (as part of customer management, for example). These include ensuring that operations conform to international PCIDSS data security standards.

We are aiming to resolve the majority of these issues by 2018.

(2) Prevent unauthorized use after credit card information is stolen

Even with these security measures in place, credit card information can still be stolen. In most cases, the cardholder has no idea that it has happened—so we need to take that into consideration as we take steps to prevent the stolen data from being misused. Typical unauthorized uses of leaked credit card information are counterfeit cards and identity theft in e-commerce transactions.

• (a) Stop counterfeit cards made with leaked card information

When it comes to preventing the use of counterfeit cards, nothing works like embedding an IC chip in the card. We have been making progress with adding these chips for some time, although we are still 60% finished. In comparison, countries in Europe and Southeast Asia have already reached 100%. Japan needs to hit that 100% mark by 2020 as well. At the same time, we must upgrade point-of-sale terminals and related systems so that they can accept IC card payments.

• (b) Stop identity theft powered by leaked card information

We are already looking at utilizing a variety of more sophisticated authentication technologies in order to modify conventional simplistic payment systems that only ask for a card number and expiration date—which will allow us to better detect and stop unauthorized e-commerce transactions involving identity theft. Examples of effective strategies are 3D Secure (the international agency EMVCo is looking at a new version now) and introducing linked risk-based authentication services. Using security codes printed on the back of cards for authentication is another strategy. We are also in the process of developing new methods that use characteristic and behavioral analysis to determine whether a transaction is unauthorized by assigning a risk assessment score based on past transaction information and other data. The layered application of these methods is helping us make progress in our efforts to achieve precision authentication.

Preparing for 2020

There is no time to waste in these efforts. Member retailers, credit card companies, payment agencies, international brands, device manufacturers, government agencies, business organizations, and others must secure the understanding and cooperation of consumers in reforms that bring Japan’s credit card transaction security up to international standards. And we must act swiftly. Today, one of our key benchmarks in moving forward with these reforms is the year of the Tokyo Olympic Games.

Implementing plans like these comes with a heavy price tag. But if we ignore the situation because we are unwilling to spend the money, our country is likely to be saddled with damages that are thousands of times greater.

Osamu Kasai
Professor, Chuo Law School, Chuo University
Areas of Specialization: Contract Law, International Transaction, Sports Law

Professor Osamu Kasai graduated from the Faculty of Law, Chuo University in 1979 and received his doctorate in law from Hitotsubashi University.
He worked as an associate professor at Seijo University and a professor at the University of Tsukuba before taking up his current position at Chuo Law School. He is the chairman of the Credit Transaction Security Council. Dr. Kasai’s principal works include Guarantees and Contract Law Theory [Hosho sekinin to keiyakuho riron] (Koubundou), Modern American Contract Law[Gendai Amerika keiyakuho] (with Robert A. Hillman, Koubundou), An Outline of the Law of Contract [Hajimete no keiyakuho] (joint author, Yuhikaku), and Risk Allocation in Construction Contracts [Kensaku ukeoi keiyaku no risuku to kiseki] (Nippon Hyoron Sha).