Seller Merchant onboarding
Register a Seller Merchant account for your seller (Platform Use Case)
Get started
As a "Platform Merchant (Platform Business)" merchant, you'll need to register a "Seller Merchant" account for each seller/user via our APIs to adopt Platform Use Case.
To register a Seller Merchant account, you should check the following prerequisites:
- We only accept Japanese entities (both Corporation and Sole Proprietorship) to register a Seller Merchant account.
- Seller Merchant must have a Japanese Bank Account to receive payouts in JPY from KOMOJU.
1. Create a Seller Merchant account
Request Merchant: Create API to create a Seller Merchant account with platform_role set to seller.
curl -X POST https://komoju.com/api/v1/merchants \
-u <platform merchant secret key>: \
-d name='New Seller Merchant 1' \
-d platform_role="seller"
| Request Attribute | Type | Description |
|---|---|---|
name | string | Seller Merchant's name |
platform_role | dropdown | The role of sub-merchant account. Please specify it as sellerhere. |
2. Query the seller merchant’s live_application for required fields
Request Liveapplication: Show API with seller merchant's uuid you received from the previous step.
curl -X GET https://komoju.com/api/v1/live_application/{id}?locale=en \
-u platform_merchant_secret_key:
Response example
{
"merchant_id": "5td723eoi9txn8sj545ww2mv1",
"status": "incomplete",
"payments_enabled": false,
"payouts_enabled": false,
"required_fields": [
{
"field": "company_information.company_phone",
"field_name": "Company Phone",
"field_type": "phone_number",
"field_properties": {
"minLength": 1,
"pattern": "^([() \\-_+]*[0-9]){10}[() \\-_+0-9]*$"
}
},
...
],
"newly_required_fields": [],
"errored_fields": []
}
Within required_fieldsarray, you'll able to see what kinds of information are required to proceed Seller Merchant registration. Following is the breakdown of each field property.
"field": "company_information.company_phone",
"field_name": "Company Phone",
"field_type": "phone_number",
"field_properties": {
"minLength": 1,
"pattern": "^([() \\-_+]*[0-9]){10}[() \\-_+0-9]*$"
}
fieldis the property name that should be used when submitting information for that field.field_nameis the localized name for the field that should be shown to the user.field_typeis the type of component that should be displayed.field_propertiesincludes information about restrictions on the value of the field.
(1) field_types
Different field_types are meant to help direct the types of form components shown to the user to help differentiate and format expected values.
| Type | Description |
|---|---|
| string | A string |
| dropdown | A dropdown of values. field_properties['enum'] will contain the translation ↔ value pairings |
| radio | A radio selection. field_properties['enum'] will contain the translation ↔ value pairings |
| checkbox | A true/false checkbox field. |
| url | a URL |
| text | a text box intended for longer values (ex: descriptions) than string |
| an email | |
| date | Datepicker that formats the date as “YYYY-MM-DD” |
| integer | a non-negative integer field |
| file_upload | A field that allows multiple files to be uploaded. The file should be uploaded to the merchant file upload endpoint. The value of the field should then be a list of the ids of the files uploaded. |
| single_file_upload | A field that allows one file to be uploaded. The file should be uploaded to the merchant file upload endpoint. The value of the field should then be the id of the file uploaded. |
| service_agreement | Should be represented as a checkbox, but will also have an extra external_links field property that links to the actual service agreement(s) |
(2) field_properties
field_properties provide information on the properties of the field.
| Property | Description | Example |
|---|---|---|
| enum | A dictionary of option ↔ value mapping. The option is localized based on locale | "enum": { "Sole Proprietor": "sole_proprietor", "Corporation": "corporation" } |
| minLength | minimum length of the string/text | "minLength": 1 |
| minimum | minimum value for fields of integer field_type | "minimum": 0 |
| maximum | maximum value for fields of integer field_type | "maximum": 2147483647 |
| format | Follows the possible built-in formats as specified by https://json-schema.org/understanding-json-schema/reference/string.html#built-in-formats Currently only date or email | "format": "email" |
| pattern | Regex pattern for formatting values | "pattern": "^([() \-_+]_[0-9]){10}\[() \-_+0-9]\_$" |
| external_links | a list of URLs linking to hosted service agreements | "external_links": ["https://example.com"] |
3. Uploading files for merchants
Some field_types (single_file_upload, file_upload) require that files be uploaded via our merchant file API first, then the UUID(s) submitted as the value for the live_application.
Request File: Create API to upload the files for Seller Merchant onboarding.
We only accept jpg, png, and pdf formats. Besides, each file size should be smaller than 10MB.
curl -X POST https://komoju.com/api/v1/merchants/{id}/files \
-u platform_merchant_secret_key: \
-F "paper=/path/to/file"
The response will look like:
{
"id": "6ssx1zxovw3fgmdsdd1zuzr5u",
"resource": "file",
"filename": "blank.png",
"size": 998,
"mime_type": "image/png",
"created_at": "2023-01-10T12:16:00.819+09:00",
"updated_at": "2023-01-10T12:16:01.085+09:00"
}
4. Submitting fields
Based on the required_fields received in step 2, information can now be submitted for the Seller Merchant via Live Application: Update API.
Here’s an example of submitting company_information.company_name
curl -X PATCH https://komoju.com/api/v1/live_application/{id} \
-u platform_merchant_secret_key: \
-d "company_information.company_name=My Company"
If successful, the response will include any additional required fields based on what was just submitted. In the case of company_name, newly_required_fields will be blank as no additional fields rely on the value company_name.
An example of newly_required_fields
If you submit sole_proprietor as the company_information.corporation_type
curl -X PATCH https://komoju.com/api/v1/live_application/{id} \
-u platform_merchant_secret_key: \
-d "company_information.corporation_type=sole_proprietor"
In the response, see that newly_required_fields now includes sole_proprietor_proofs.
"newly_required_fields": [
{
"field": "company_information.sole_proprietor_proofs",
"field_name": "Sole proprietor proofs",
"field_type": "file_upload",
"field_properties": {}
}
]
newly_required_fields are only shown upon update and return new fields that should be added to the form as a result of the last update to live_application.
5. Completing the live_application
Since the required information can be different based on your user's conditions (eg: corporation, sole proprietorship...etc), our API responses will guide you through the entire onboarding flow step-by-step by providing further fields under required_fields and newly_required_fields arrays.
The live_application fields should continue to be filled out until required_fields, newly_required_fields, and errored_fields are all empty. At that point, the application is considered complete.
Overall, there are mainly five categories of the required information, you can check the comprehensive items under each category.
(1) KOMOJU service agreements acceptance
To provide Platform Model services to your sellers, KOMOJU must establish a direct contractual relationship with them. It requires each Seller Merchant to consent to KOMOJU Merchant Services Terms of Use and Privacy Policy. It’s your responsibility to make sure your sellers consent to the above agreements when registering a Seller Merchant account on KOMOJU via your interfaces.
Referencing KOMOJU's service agreement
As a minimum requirement, you must present your sellers with the links to the correct terms and they must expressly consent to those terms when starting the onboarding process. Below are the recommended steps:
- Requesting Liveapplication: Show API to retrieve the URLs of KOMOJU Merchant Services Terms of Use and Privacy Policy from
service_agreement.agreed_to_tosfield. - Presenting those terms to your sellers on your platform when they start to opt in the service.
- Passing your seller's consent back to KOMOJU via
service_agreement.agreed_to_tosfield in Live Application: Update API.
Here's an example of how you can present our terms to your users via your interface.
(2) Company information
Below is the comprehensive list of required company-related information.
| Field | Type | Description |
|---|---|---|
| company_information.company_country | dropdown | Country of company's entity. - Since only a Japanese entity is allowed to use our service at this moment, you must select JP. |
| company_information.corporation_type | radio | The type of company, eithercorporation or sole_proprietor |
| company_information.company_phone | phone_number | Company's phone number |
| company_information.share_capital_amount | integer | Company's share capital. - This field is required when the company type is corporation. |
| company_information.share_capital_currency | dropdown | The currency of the company's share capital. - This field is required when the company type is corporation. |
| company_information.registration_number | string | The corporate number is a 13-digit unique identifier for every Japanese corporation. (reference) - This field is required when the company type is corporation. |
| company_information.company_name | string | Company's name |
| company_information.company_name_kana | string | Company's Katakana name |
| company_information.company_name_alphabet | string | Company's Alphabet name |
| company_information.company_postal_code | string | Postal code of company's address |
| company_information.company_prefecture_state | string | Prefecture of company's address |
| company_information.company_prefecture_state_kana | string | Prefecture of company's address in Katakana |
| company_information.company_city | string | City of company's address |
| company_information.company_city_kana | string | City of company's address in Katakana |
| company_information.company_address | string | Company's address |
| company_information.company_address_kana | string | Company's address in Katakana |
| company_information.company_url (*) | url | The URL of the company's official site. - If Seller Merchant doesn't have a company site, it's fine to leave it as null. |
| company_information.industry_description | text | Description of the industry that the company belongs to |
| company_information.business_description | text | Description of the company's business |
| company_information.employee_number | integer | Number of employees |
| company_information.establishment_date | date | The date of the company's establishment |
| company_information.office_name | string | Name of the company's Customer Support Department. (Please provide information that can be disclosed to Seller Merchant's customers.) |
| company_information.contact_email | Email to contact the company's Customer Support (Please provide information that can be disclosed to Seller Merchant's customers.) | |
| company_information.contact_phone | phone_number | Phone number to contact the company's Customer Support (Please provide information that can be disclosed to your user's customers.) |
| company_information.sole_proprietor_proofs | file_upload | Provide proof of registration of sole proprietorship. - This field is required when the company type is sole_proprietor. |
(3) Personal Information
Below is the comprehensive list of required Representative Director and Applicant information.
In the case of a corporation:
- It's fine if the Representative Director and Applicant are the same person.
- The Applicant must be the person who has the authority to make decisions on corporate contracts.
In the case of a sole proprietorship:
- Since the Representative Director and the Applicant should be the same person, you only need to fill out
representative_directorrelated fields.
| Field | Type | Description |
|---|---|---|
| representative_director_information.first_name | string | Representative Director's first name |
| representative_director_information.first_name_kana | string | Representative Director's first name in Katakana |
| representative_director_information.last_name | string | Representative Director's last name |
| representative_director_information.last_name_kana | string | Representative Director's last name in Katakana |
| representative_director_information.date_of_birth | date | Representative Director's date of birth |
| representative_director_information.gender | radio | Representative Director's gender |
| representative_director_information.country | dropdown | Country of Representative Director's residence address |
| representative_director_information.postal_code | string | Postal code of Representative Director's residence address |
| representative_director_information.prefecture_state | string | Prefecture of Representative Director's residence address |
| representative_director_information.prefecture_state_kana | string | Prefecture of Representative Director's residence address in Katakana |
| representative_director_information.city | string | City of Representative Director's residence address |
| representative_director_information.city_kana | string | City of Representative Director's residence address in Katakana |
| representative_director_information.address | string | Address of Representative Director's residence address |
| representative_director_information.address_kana | string | Address of Representative Director's residence address in Katakana |
| representative_director_building.name (*) | string | The building name of Representative Director's residence address. - If the address doesn't have a building name, it's fine to leave it as null. |
| representative_director_building.name_kana (*) | string | The building name in Katakana of Representative Director's residence address. - If the address doesn't have a building name, it's fine to leave it as null. |
| representative_director_information.phone | string | Phone number of Representative Director |
| representative_director_information.identity_document_type | dropdown | The copy of Representative Director's identity document. - This field is required when the company type is sole_proprietor.- Any of the following is acceptable: 1. Passport 2. Driver's license 3. ID card 4. My Number Card |
| representative_director_information.identity_front | single_file_upload | Upload a picture or scan of the front side of the Representative Director's identity document |
| representative_director_information.identity_back | single_file_upload | Upload a picture or scan of the back side of the Representative Director's identity document - The back side is required if the doc type is Driver's License or ID Card. |
| applicant_information.country | dropdown | Country of Applicant's residence address - This field is required when the company type is corporation. |
| applicant_information.first_name | string | Applicant's first name - This field is required when the company type is corporation. |
| applicant_information.first_name_kana | string | Applicant's first name in Katakana - This field is required when the company type is corporation. |
| applicant_information.last_name | string | Applicant's last name - This field is required when the company type is corporation. |
| applicant_information.last_name_kana | string | Applicant's last name in Katakana - This field is required when the company type is corporation. |
| applicant_information.gender | radio | Applicant's gender - This field is required when the company type is corporation. |
| applicant_information.date_of_birth | date | Applicant's date of birth - This field is required when the company type is corporation. |
| applicant_information.identity_document_type | dropdown | The copy of Applicant's identity document. - This field is required when the company type is corporation.- Any of the following is acceptable: 1. Passport 2. Driver's license 3. ID card 4. My Number Card |
| applicant_information.identity_front | single_file_upload | Upload a picture or scan of the front side of the Applicant's identity document - This field is required when the company type is corporation. |
| applicant_information.identity_back | single_file_upload | Upload a picture or scan of the back side of the Applicant's identity document - The back side is required if the doc type is Driver's License or ID Card. |
(4) Site Information
Below is the comprehensive list of required site-related information.
- The store address should match the one listed on the website that hosts the Specified Commercial Transactions Law URL.
| Field | Type | Description |
|---|---|---|
| site_information.site_name | string | Site's name - Site Name should be consistent with the name of the actual store. |
| site_information.site_name_kana | string | Site's Katakana name |
| site_information.site_name_alphabet | string | Site's Alphabet name |
| site_information.site_url | string | Site's URL |
| site_information.note (*) | string | If making a payment on Seller Merchant's store requires any login information or other credentials, please supply them here. We may need to view the entire payment flow from the end-user perspective during screening. - If the store doesn't require any logic information, it's fine to leave it as null. |
| site_information.establishment_date | date | The date of the site's establishment |
| site_information.industry_type | dropdown | The industry type of the site's services and products. - If you're unsure, please select other_not_listed_category. |
| site_information.site_annual_sales | integer | Annual sales forecast of the store |
| site_information.site_annual_sales_currency | dropdown | The currency of annual sales forecast |
| site_information.site_average_transactional_value | integer | The average order value of the store |
| site_information.site_average_transactional_currency | dropdown | The currency of the average order value |
| site_information.site_minimum_product_pricing_cents | integer | The minimum price of a product in the store |
| site_information.site_minimum_product_pricing_currency | dropdown | The currency of the minimum price |
| site_information.site_maximum_product_pricing_cents | integer | The maximum price of a product in the store |
| site_information.site_maximum_product_pricing_currency | dropdown | The currency of the maximum price |
| site_information.store_country | dropdown | The country of the store address. - The store address should match the one listed on the website that hosts the Specified Commercial Transactions Law URL. |
| site_information.store_postal_code | string | The postal code of the store address. |
| site_information.store_prefecture_state | string | The state of the store address |
| site_information.store_prefecture_state_kana | string | The state of the store address in Katakana |
| site_information.store_city | string | The city of the store address |
| site_information.store_city_kana | string | The city of the store address in Katakana |
| site_information.store_address | string | Store's address |
| site_information.store_address_kana | string | Store's address in Katakana |
| site_information.sctl_url | url | This represents Specified Commercial Transactions Law URL. - Please place the Specified Commercial Transactions Law page in a location that can be accessed directly from the top page. - Note: A Specified Commercial Transaction Act page is required when operating an online shop in Japan. During the review process, we check if the page exists and confirm the contents of the page. Please refer to this link for the appropriate content for the page. |
| site_information.sales_permit_required | radio | Does the seller's business require a sales permit to be able to sell the products described? (Secondhand Dealer License, Liquor Sales License, Cosmetics Manufacturing and Sales License, Pharmaceutical Sales License) |
| site_information.sales_permits | file_upload | Upload the copies of Sales permits if the answer is true in site_information.sales_permit_required |
| site_information.aup_accepted | terms_of_service | Please ensure the seller has acknowledged and agreed with the acceptable use policy. |
(5) Bank Account information
Below is the comprehensive list of required bank account information.
- If you are a corporation, you can only register an account in the name of the corporation you applied for. If you are a sole proprietor, you can only register an account in the name of the representative or business name.
- Please read this guide first to ensure you provide the bank account information correctly.
Possible payout delay
If the account holder name is incorrect, there may be a delay in receiving the payout. Please make sure to accurately enter the half-width kana name as it appears in your bank passbook.
| Field | Type | Description |
|---|---|---|
| bank_account_information.transfer_type | dropdown | Limited to Japanese bank accounts. Therefore, the option is limited to domestic. |
| bank_account_information.default_frequency | dropdown | You can decide the frequency that KOMOJU pays out to your user, either weekly or monthly.- Learn more about payout frequency here |
| bank_account_information.zengin_bank_name | string | Bank's name |
| bank_account_information.zengin_bank_code | string | Bank's code |
| bank_account_information.zengin_branch_name | string | Bank branch's name |
| bank_account_information.zengin_branch_code | string | Bank branch's code |
| bank_account_information.zengin_account_type | dropdown | The bank account type, either ordinary or checking |
| bank_account_information.zengin_account_number | string | The bank account number. - Please refer to this guide before filling out. If the bank of your bank account is under ゆうちょ銀行, please also refer to this guide to see how to convert 8-digit ゆうちょ銀行's account number to 7 digits. |
| bank_account_information.zengin_account_holder_kana | string | Account holder's Katakana name. - If the account holder's name is incorrect, there may be a delay in receiving the payout. Please make sure to accurately enter the half-width kana name as it appears in your bank passbook. |
| bank_account_information.currency | dropdown | Limited to JPY option since we only support Japanese domestic bank accounts for payout. |
6. Checking submitted information
Querying the Liveapplication: Show again to review all submitted information populated under submitted_fields array with any previous information provided.
7. Setup the webhook
You can set up Webhook to subscribe to the events so that you'll receive a notification immediately after the review status of a Seller Merchant's application has any update.
- Learn more about Webhook events for Platform Model here
8. Specify Owned Payment Methods of Seller Merchant
Your Common Payment Methods specifies the available Owned Payment Methods for all your Seller Merchants
Please be mindful that only payment methods in Common Payment Methods are available for Owned Payment Methods of Seller Merchant. You can refer to here for more details.
In this stage, you should apply for the payment methods that your Seller Merchant wants to adopt on behalf of it. First, you can check all applicable payment methods in submitted_payment_methods and unsubmitted_payment_methodsby requesting Live Application: Payment Methods API:
curl -X GET https://komoju.com/api/v1/live_application/{id}/payment_methods \
-u platform_merchant_secret_key: \
submitted_payment_methodsshows the applicable payment methods Seller Merchant has applied for.unsubmitted_payment_methodsshows the available payment methods Seller Merchant has not applied for yet.
Then, you should request Live Application: Update Payment Method API to apply for a specific payment method for your seller.
Below are the details when applying for each payment method:
(1) VISA/MasterCard
Payment methods: visa_mastercard_credit_card
Available for corporation andsole_proprietor
Note: 3D Secure 2.0 will be used for all credit card payments except some integration types. For more details, please see this article (Japanese).
To enable credit card payments on your user's account, we need to acquire the following information about your user's business.
1st stage questionnaire:
| Field | Type | Description |
|---|---|---|
| shared_payment_method_data.has_processed_cc_before | checkbox | Question: Has your user's business processed credit card transactions before? Option: 1. True 2. False |
| shared_payment_method_data.processes_card_info | checkbox | Question: Does you user intend to save or process credit card details? Option: 1. True 2. False - Should select Falsehere since you should process the card instead of your seller. |
| shared_payment_method_data.conducts_door_to_door_sales | checkbox | Question: Does your user's company operate Door-to-Door sales? Option: 1. True 2. False |
| shared_payment_method_data.conducts_telemarketing | checkbox | Question: Does your company operate Telemarketing Sales? Option: 1. True 2. False |
| shared_payment_method_data.conducts_mlm_scheme | checkbox | Question: Does your company operate Network Marketing? Option: 1. True 2. False |
| shared_payment_method_data.conducts_business_opportunity_scheme | checkbox | Question: Does your company operate Business Opportunity (Biz-Opp)? Option: 1. True 2. False |
| shared_payment_method_data.provides_specified_continuous_services | checkbox | Question: Does your company provide specified continuous services (aesthetic salon, beauty care, language class, tutoring, tutoring school, marriage introduction service, computer class)? Option: 1. True 2. False |
| shared_payment_method_data.violated_consumer_contract_act | checkbox | Question: Has your business violated the Consumer Contract Act (消費者契約法) and lost a lawsuit due to the violation(s) in the past 5 years? Option: 1. True 2. False |
| shared_payment_method_data.violated_commercial_transaction_act | checkbox | Question: Has your business violated the Specified Commercial Transaction Act (特定商取引法) in the past five years and lost a lawsuit due to the violation(s) in the past? Option: 1. True 2. False |
2nd stage questionnaire: Reporting on Security Measures
KOMOJU has been requested by the Ministry of Economy, Trade and Industry (METI), the Japan Credit Association (JCA), and other organizations to request that EC merchants planning to introduce new credit card payment systems declare the status of their security measures based on the "Security Checklist" developed by the Credit Transaction Security Measures Council.
The "Security Checklist" is a list of basic security measures that the Credit Card Transaction Security Council has compiled as part of the security measures that merchants should implement in order to build and operate EC sites, and covers the basic security measures set forth in the "Credit Card Security Guidelines (Version 4.0)" published by METI. We request that merchants newly applying for credit card settlement services declare the security measures listed on the next page based on this checklist and agree to implement and maintain the security measures. We have received guidance that if you do not agree to follow the above guidelines, you should not enter into a contract with us. Thank you for your cooperation.
If you are a merchant who plans to introduce KOMOJU credit card payment systems, please indicate your implementation status of the following security measures. If the system has not yet been established, please answer on the premise that the items for each key measure will be satisfied upon completion of the establishment of the system. Also, please answer on the premise that the measures will be maintained not only at the time of signing a new franchise agreement, but also continuously after the agreement is signed.
In principle, all items must be checked for a contract to be concluded. However, since the status of installation of each security measure is dependent on the system environment of your company, please check with your internal system staff or contracted system developer before checking the status of each security measure. If your system is outsourced, please confirm the status of the outsourced system before responding to our inquiry.
Topic 1: Measures against inadequate access restrictions on the administrator's screen and administrator ID/PW mismanagement
| Field | Type | Description |
|---|---|---|
| visa_mastercard_credit_card.access_restrictions | checkbox | Question: Restrict IP addresses accessible to administrators; if IP addresses cannot be restricted, set access restrictions such as basic authentication on the administrator screen. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| visa_mastercard_credit_card.mfa_implementation | checkbox | Question: Adopt two-step or two-factor authentication to prevent unauthorized use of acquired accounts. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| visa_mastercard_credit_card.account_lock | checkbox | Question: In the login form of the administrator screen, enable the account lock function and lock the account after 10 or less failed login attempts (based on PCI DSS ver 4.0). Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 2: Measures against inadequate settings due to exposure of data directories
| Field | Type | Description |
|---|---|---|
| visa_mastercard_credit_card.public_directories | checkbox | Question: Do not place important files in public directories. (Make certain directories private. Place important files in directories other than public directories.) Option: 1. true= Implemented (to be implemented)2. false= Not known |
| visa_mastercard_credit_card.file_extension_restrictions | checkbox | Question: Configure settings such as restricting file extensions and files that can be uploaded by web servers and web applications. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 3: Periodic vulnerability assessments or penetration tests, and measures to address web application vulnerabilities.
| Field | Type | Description |
|---|---|---|
| visa_mastercard_credit_card.vulnerability_assessments | checkbox | Question: Conduct periodic vulnerability assessments or penetration tests, and take necessary corrective actions. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| visa_mastercard_credit_card.sql_injection_and_xss | checkbox | Question: As measures against SQL injection vulnerabilities and cross-site scripting vulnerabilities, use the latest plug-ins (preferably those without such vulnerabilities) and upgrade software versions. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| visa_mastercard_credit_card.source_code_review | checkbox | Question: If a web application is developed or customized, conduct a source code review to confirm that it has been securely coded. Check input values of input forms at the same time. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 4: Installation and operation of anti-virus software as measure against malware
| Field | Type | Description |
|---|---|---|
| visa_mastercard_credit_card.anti_virus_software | checkbox | Question: Install anti-virus software as measures against malware detection/removal, etc., and update signatures, perform periodic full scans, etc. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 5: Countermeasures against malicious validation and credit masters
| Field | Type | Description |
|---|---|---|
| TBD | checkbox | Question: One or more of the following measures are implemented against malicious validation and credit masters*. - Restrict access from suspicious IP addresses - Restrict input from the same account and hide error content so that error content is not known in the event of an error - Identity verification, including EMV 3-D Secure and SMS notification - Take measures such as setting a limit on the number of validity checks. Option: 1. true= Implemented (*You do not need to take any additional measures, if your Platform Merchant may clear this item by introducing 3D Secure at KOMOJU.)2. false= Not known |
Topic 6: Countermeasures against unauthorized login
| Field | Type | Description |
|---|---|---|
| TBD | checkbox | Question: Does your site have a user login function (i.e., register/maintain a credit card number and log in to use that card number)? Option: 1. true= Yes2. false= No |
Topic 7: If you answered true to the question in Topic 6, please answer the following questions regarding the anti-fraud login measures implemented in your system. (According to the rules of the Japan Credit Association, one or more of the measures listed below must be implemented in each of the following situations: member registration, member login authentication, and user attribute information change.)
(1) Question: Please check if you have implemented effective measures to prevent fraudulent use at the time of member registration (credit card number registration).
- Option: Can select one or multiple of the following
| Field | Type | Description |
|---|---|---|
| TBD | checkbox | Restrict access from suspicious IP addresses |
| TBD | checkbox | Identification by two-factor authentication, etc. |
| TBD | checkbox | Confirmation of personal information at the time of member registration |
| TBD | checkbox | Fraud detection system (Fraud service) |
(2) Question: Please check if you have implemented effective countermeasures against fraudulent logins during login authentication after member registration.
- Option: Can select one or multiple of the following
| Field | Type | Description |
|---|---|---|
| TBD | checkbox | Restrict access from suspicious IP addresses |
| TBD | checkbox | Identification by two-factor authentication, etc. |
| TBD | checkbox | Tighten limits on the number of login attempts (to address account password cracking) |
| TBD | checkbox | Email and SMS notifications upon login, throttling, etc. |
| TBD | checkbox | Device fingerprints, etc. |
(3) Question: Please check if you have implemented effective measures to prevent fraudulent use when changing member attributes (name, address, email address, etc.) after login.
- Option: Can select one or multiple of the following
| Field | Type | Description |
|---|---|---|
| TBD | checkbox | Restrict access from suspicious IP addresses |
| TBD | checkbox | Identification by two-factor authentication, etc. |
| TBD | checkbox | Fraud detection system (Fraud service) |
(2) JCB/AMEX/Diners (Japan)
Payment methods: jcb_amex_diners_credit_card
Available for corporation andsole_proprietor
Note: 3D Secure 2.0 will be used for all credit card payments except some integration types. For more details, please see this article (Japanese).
To enable credit card payments on your user's account, we need to acquire the following information about your user's business.
1st stage questionnaire:
| Field | Type | Description |
|---|---|---|
| shared_payment_method_data.has_processed_cc_before | checkbox | Question: Has your user's business processed credit card transactions before? Option: 1. True 2. False |
| shared_payment_method_data.processes_card_info | checkbox | Question: Does you user intend to save or process credit card details? Option: 1. True 2. False - Should select Falsehere since you should process the card instead of your seller. |
| shared_payment_method_data.conducts_door_to_door_sales | checkbox | Question: Does your user's company operate Door-to-Door sales? Option: 1. True 2. False |
| shared_payment_method_data.conducts_telemarketing | checkbox | Question: Does your company operate Telemarketing Sales? Option: 1. True 2. False |
| shared_payment_method_data.conducts_mlm_scheme | checkbox | Question: Does your company operate Network Marketing? Option: 1. True 2. False |
| shared_payment_method_data.conducts_business_opportunity_scheme | checkbox | Question: Does your company operate Business Opportunity (Biz-Opp)? Option: 1. True 2. False |
| shared_payment_method_data.provides_specified_continuous_services | checkbox | Question: Does your company provide specified continuous services (aesthetic salon, beauty care, language class, tutoring, tutoring school, marriage introduction service, computer class)? Option: 1. True 2. False |
| shared_payment_method_data.violated_consumer_contract_act | checkbox | Question: Has your business violated the Consumer Contract Act (消費者契約法) and lost a lawsuit due to the violation(s) in the past 5 years? Option: 1. True 2. False |
| shared_payment_method_data.violated_commercial_transaction_act | checkbox | Question: Has your business violated the Specified Commercial Transaction Act (特定商取引法) in the past five years and lost a lawsuit due to the violation(s) in the past? Option: 1. True 2. False |
2nd stage questionnaire: Reporting on Security Measures
KOMOJU has been requested by the Ministry of Economy, Trade and Industry (METI), the Japan Credit Association (JCA), and other organizations to request that EC merchants planning to introduce new credit card payment systems declare the status of their security measures based on the "Security Checklist" developed by the Credit Transaction Security Measures Council.
The "Security Checklist" is a list of basic security measures that the Credit Card Transaction Security Council has compiled as part of the security measures that merchants should implement in order to build and operate EC sites, and covers the basic security measures set forth in the "Credit Card Security Guidelines (Version 4.0)" published by METI. We request that merchants newly applying for credit card settlement services declare the security measures listed on the next page based on this checklist and agree to implement and maintain the security measures. We have received guidance that if you do not agree to follow the above guidelines, you should not enter into a contract with us. Thank you for your cooperation.
If you are a merchant who plans to introduce KOMOJU credit card payment systems, please indicate your implementation status of the following security measures. If the system has not yet been established, please answer on the premise that the items for each key measure will be satisfied upon completion of the establishment of the system. Also, please answer on the premise that the measures will be maintained not only at the time of signing a new franchise agreement, but also continuously after the agreement is signed.
In principle, all items must be checked for a contract to be concluded. However, since the status of installation of each security measure is dependent on the system environment of your company, please check with your internal system staff or contracted system developer before checking the status of each security measure. If your system is outsourced, please confirm the status of the outsourced system before responding to our inquiry.
Topic 1: Measures against inadequate access restrictions on the administrator's screen and administrator ID/PW mismanagement
| Field | Type | Description |
|---|---|---|
| jcb_amex_diners_credit_card.access_restrictions | checkbox | Question: Restrict IP addresses accessible to administrators; if IP addresses cannot be restricted, set access restrictions such as basic authentication on the administrator screen. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| jcb_amex_diners_credit_card.mfa_implementation | checkbox | Question: Adopt two-step or two-factor authentication to prevent unauthorized use of acquired accounts. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| jcb_amex_diners_credit_card.account_lock | checkbox | Question: In the login form of the administrator screen, enable the account lock function and lock the account after 10 or less failed login attempts (based on PCI DSS ver 4.0). Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 2: Measures against inadequate settings due to exposure of data directories
| Field | Type | Description |
|---|---|---|
| jcb_amex_diners_credit_card.public_directories | checkbox | Question: Do not place important files in public directories. (Make certain directories private. Place important files in directories other than public directories.) Option: 1. true= Implemented (to be implemented)2. false= Not known |
| jcb_amex_diners_credit_card.file_extension_restrictions | checkbox | Question: Configure settings such as restricting file extensions and files that can be uploaded by web servers and web applications. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 3: Periodic vulnerability assessments or penetration tests, and measures to address web application vulnerabilities.
| Field | Type | Description |
|---|---|---|
| jcb_amex_diners_credit_card.vulnerability_assessments | checkbox | Question: Conduct periodic vulnerability assessments or penetration tests, and take necessary corrective actions. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| jcb_amex_diners_credit_card.sql_injection_and_xss | checkbox | Question: As measures against SQL injection vulnerabilities and cross-site scripting vulnerabilities, use the latest plug-ins (preferably those without such vulnerabilities) and upgrade software versions. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| jcb_amex_diners_credit_card.source_code_review | checkbox | Question: If a web application is developed or customized, conduct a source code review to confirm that it has been securely coded. Check input values of input forms at the same time. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 4: Installation and operation of anti-virus software as measure against malware
| Field | Type | Description |
|---|---|---|
| jcb_amex_diners_credit_card.anti_virus_software | checkbox | Question: Install anti-virus software as measures against malware detection/removal, etc., and update signatures, perform periodic full scans, etc. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 5: Countermeasures against malicious validation and credit masters
| Field | Type | Description |
|---|---|---|
| TBD | checkbox | Question: One or more of the following measures are implemented against malicious validation and credit masters*. - Restrict access from suspicious IP addresses - Restrict input from the same account and hide error content so that error content is not known in the event of an error - Identity verification, including EMV 3-D Secure and SMS notification - Take measures such as setting a limit on the number of validity checks. Option: 1. true= Implemented (*You do not need to take any additional measures, if your Platform Merchant may clear this item by introducing 3D Secure at KOMOJU.)2. false= Not known |
Topic 6: Countermeasures against unauthorized login
| Field | Type | Description |
|---|---|---|
| TBD | checkbox | Question: Does your site have a user login function (i.e., register/maintain a credit card number and log in to use that card number)? Option: 1. true= Yes2. false= No |
Topic 7: If you answered true to the question in Topic 6, please answer the following questions regarding the anti-fraud login measures implemented in your system. (According to the rules of the Japan Credit Association, one or more of the measures listed below must be implemented in each of the following situations: member registration, member login authentication, and user attribute information change.)
(1) Question: Please check if you have implemented effective measures to prevent fraudulent use at the time of member registration (credit card number registration).
- Option: Can select one or multiple of the following
| Field | Type | Description |
|---|---|---|
| TBD | checkbox | Restrict access from suspicious IP addresses |
| TBD | checkbox | Identification by two-factor authentication, etc. |
| TBD | checkbox | Confirmation of personal information at the time of member registration |
| TBD | checkbox | Fraud detection system (Fraud service) |
(2) Question: Please check if you have implemented effective countermeasures against fraudulent logins during login authentication after member registration.
- Option: Can select one or multiple of the following
| Field | Type | Description |
|---|---|---|
| TBD | checkbox | Restrict access from suspicious IP addresses |
| TBD | checkbox | Identification by two-factor authentication, etc. |
| TBD | checkbox | Tighten limits on the number of login attempts (to address account password cracking) |
| TBD | checkbox | Email and SMS notifications upon login, throttling, etc. |
| TBD | checkbox | Device fingerprints, etc. |
(3) Question: Please check if you have implemented effective measures to prevent fraudulent use when changing member attributes (name, address, email address, etc.) after login.
- Option: Can select one or multiple of the following
| Field | Type | Description |
|---|---|---|
| TBD | checkbox | Restrict access from suspicious IP addresses |
| TBD | checkbox | Identification by two-factor authentication, etc. |
| TBD | checkbox | Fraud detection system (Fraud service) |
(3) PayPay
Payment methods: paypay
Available for corporation andsole_proprietor
The following information is required when applying for PayPay:
| Field | Type | Description |
|---|---|---|
| paypay.accepted_paypay_tos | terms_of_service | Seller Merchant has read and agreed with the following terms and conditions and privacy policy. and also agrees to be contacted by PayPay regarding sales promotions. 1. PayPay加盟店規約 2. PayPay加盟店ガイドライン 3. 自治体等およびふるさと納税ポータルサイト運営会社への加盟店情報連携の同意について |
(4) LINE Pay
Payment methods: linepay
Available for corporation andsole_proprietor
The following information is required when applying for LINEPay:
| Field | Type | Description |
|---|---|---|
| linepay.accepted_line_tos | terms_of_service | Seller Merchant has read and agreed with the following terms and conditions and privacy policy. 1. LINE Cash加盟店規約 2. LINE Money出店規約 3. 包括代理加盟店経由加盟店契約特約 4. 甲のプライバシーポリシー Note: If Seller Merchant is a Dropshipping Business, it is NOT eligible to apply for LINE Pay. |
(5) Merpay
Payment methods: merpay
Available for corporation only.
The following information is required when applying for Merpay:
| Field | Type | Description |
|---|---|---|
| merpay.accepted_merpay_tos | terms_of_service | Seller Merchant has read and agreed with the following terms and conditions and privacy policy. 1. メルペイ加盟店規約 2. メルペイプライバシーポリシー |
| shared_payment_method_data.privacy_policy_url | string | URL of your user's privacy policy |
(6) Bank Transfer
Payment methods: bank_transfer
Available for corporation andsole_proprietor
No additional information is required when applying for Bank Transfer.
(7) Pay-easy
Payment methods: pay_easy
Available for corporation andsole_proprietor
No additional information is required when applying for Pay-easy.
(8) Konbini
Payment methods: convenience_store
Available for corporation andsole_proprietor
The following information is required when applying for Merpay:
| Field | Type | Description |
|---|---|---|
| shared_payment_method_data.open_time | string | Opening time of Seller Merchant's customer service |
| shared_payment_method_data.close_time | string | Closing time of Seller Merchant's customer service |
| convenience_store.expected_number_of_payments | integer | Seller Merchant's expected number of transactions per month |
(9) 7-Eleven
Payment methods: seven_eleven
Available for corporation only
For 7-Eleven payment, there is a screening process to ensure that the site and operation are in line with the regulations set by 7-Eleven. To enable 7-Eleven payments, your site must meet all the following requirements.
The expected review time is approximately one to two months after applying.
During the review process, both 7-Eleven and the KOMOJU Support Team may contact your user individually for confirmation or suggestions.
The following information is required when applying for 7-Eleven:
| Field | Type | Description |
|---|---|---|
| shared_payment_method_data.open_time | string | Opening time of Seller Merchant's customer service |
| shared_payment_method_data.close_time | string | Closing time of Seller Merchant's customer service |
| seven_eleven.no_direct_delivery_from_producer | checkbox | Description: 7-Eleven payment is not available for products that are shipped directly from the place of production or from the manufacturer. Products must be in your own warehouse or contracted warehouse for immediate delivery at the time of order. Checkbox: No products are shipped directly from the place of production or from the manufacturer |
| seven_eleven.no_ticket_sales | checkbox | Description: Admission tickets, spectator tickets, and other "ticket sales" cannot be handled. Checkbox: No tickets are sold |
| seven_eleven.correct_flow_for_order_items | checkbox | Description: If you have products that are on backorder or made-to-order, the flow must be such that orders are accepted only after the products have arrived at your store or warehouse. Checkbox: We follow the above flow |
| seven_eleven.delivery_within_two_months | checkbox | Description: Made-to-order products (custom-made) and pre-order products (pre-launch products) must be shipped within two months of ordering. In addition, the specific date of shipment or arrival must be clearly indicated on the website for each product. [Recommended] Delivery on YYYY/MM/DD (specific date) [Acceptable] Delivery in early YYYY/MM (specified in the form of early, mid, or late month) [Not Acceptable] Delivery in YYYY/MM, after YYYY/MM, delivery from YYYY/MM, etc Checkbox: Sales of made-to-order and pre-order products are made in accordance with the above regulations |
| seven_eleven.all_items_are_cheaper_than_konbini_limit | checkbox | Description: If you have merchandise that requires more than 300,000 yen per transaction, your site must clearly indicate "Konbini Payment(s) cannot be used for payments over 300,000 yen" If you handle transactions exceeding 300,000 yen and the above information cannot be confirmed on your website, the screening process will take longer. Checkbox: Our merchandise meets the above regulation |
| seven_eleven.display_sales_permit_number | checkbox | Description: If you have products that require a sales license, you must clearly state the license number on your website. Also, if you are dealing with cosmetics, health foods, or supplements, please make sure that the description and sales are in accordance with the Pharmaceutical Affairs Law ( https://www.mhlw.go.jp/shingi/2006/05/dl/s0525-4e.pdf ). Checkbox: Acknowledged |
| seven_eleven.order_fee_is_displayed | checkbox | Description: Shipping costs must be clearly listed on the site in an easy to understand manner by region or by product size. They should also be available for review before adding items to the shopping cart. Checkbox: Users can check the shipping cost before adding items to the shopping cart |
| seven_eleven.no_international_transaction | checkbox | Description: 7-Eleven payment can only be used within Japan. 7-Eleven payment cannot be used for overseas orders or shipments. We also cannot provide 7-Eleven payment for non-Japanese websites. Checkbox: We will not use 7-Eleven payment for international orders, international shipping, or non-Japanese websites |
| seven_eleven.provided_info_matches_sctl | checkbox | Description: The application information you submitted to KOMOJU and the content of the "Notation based on Act of Specified Commercial Transactions" page must match. Checkbox: There are no discrepancies between the information submitted to KOMOJU and the content of the "Notation based on Act of Specified Commercial Transactions" page |
| seven_eleven.sctl_page_has_phone_number | checkbox | Description: You phone number must be displayed on the "Notation based on Act of Specified Commercial Transactions" page. The phone number must be a landline number, cell phone numbers are not acceptable. If your phone number is different than the one specified on the "Notation based on Act of Specified Commercial Transactions" page, please enter your new phone number in the "Notes" section at the bottom of the form. Checkbox: The phone number is displayed on the "Notation based on Act of Specified Commercial Transactions" page |
| seven_eleven.product_pages_are_public | checkbox | Description: Are the product pages ready and publicly accessible? Checkbox: Product pages are ready and publicly accessible |
| seven_eleven.have_sold_as_regular_price | checkbox | Description: If the product or service you are selling is listed with a regular price and a discounted price, do you have a record of selling it at the regular price? Please make sure that you are not in violation of the Act against Unjustifiable Premiums and Misleading Representations. https://www.caa.go.jp/policies/policy/representation/fair_labeling/representation_regulation/double_price/ Checkbox: We have a track record of selling our products at both regular and discounted prices/this regulation does not apply to our product or service |
| seven_eleven.site_is_public | checkbox | Description: Is the site URL accessible? If login is required, please write "ID/PW for site viewing" and include the login information in the "Notes" section at the bottom of the form. Checkbox: Site is accessible |
| seven_eleven.note | string | Share the login credential here if ID/PW is required to access your user's site. |
Updated 26 days ago