Seller Merchant onboarding
Register a Seller Merchant account for your seller (Platform Use Case)
Get started
As a Platform Merchant (Platform Business), you are required to register a "Seller Merchant" account for each of your sellers/users via our APIs.
Key prerequisites:
- We only accept Japanese entities (both Corporation and Sole Proprietorship) to register a Seller Merchant account.
- Seller Merchant must have a Japanese Bank Account to receive payouts in JPY from KOMOJU.
1. Create a Seller Merchant account
Request Merchant: Create API to create a Seller Merchant account with platform_role set to seller.
curl -X POST https://komoju.com/api/v1/merchants \
-u <platform merchant secret key>: \
-d name='New Seller Merchant 1' \
-d platform_role="seller"
| Request Attribute | Type | Description |
|---|---|---|
name | string | Seller Merchant's name |
platform_role | dropdown | The role of sub-merchant account. Please specify it as sellerhere. |
2. Query the seller merchant’s live_application for required fields
Request Live Application: Show API with seller merchant's uuid you received from the previous step.
curl -X GET https://komoju.com/api/v1/live_application/{id}?locale=en \
-u platform_merchant_secret_key:
Response example
{
"merchant_id": "5td723eoi9txn8sj545ww2mv1",
"status": "incomplete",
"payments_enabled": false,
"payouts_enabled": false,
"requested_fields": [
{
"field_type": "phone_number",
"field": "company_information.company_phone",
"field_name": "Company Phone",
"field_properties": {
"minLength": 1,
"pattern": "^([() \\-_+]*[0-9]){10}[() \\-_+0-9]*$"
},
"optional": false
},
...
],
"newly_requested_fields": [],
"errored_fields": []
}
Within the requested_fields array, you’ll find the required information for Seller Merchant registration. If a field’s optional parameter is set to false, the Seller Merchant must provide the relevant information. If set to true, they can skip it if they don’t have the corresponding details.
Following is the breakdown of each field property.
"field": "visa_mastercard_credit_card.access_restrictions",
"field_name": "Implemented (to be implemented)",
"field_description": "Restrict IP addresses accessible to administrators; if IP addresses cannot be restricted, set access restrictions such as basic authentication on the administrator screen.",
"field_type": "checkbox",
"field_properties": {}
"optional": false
fieldis the property name that should be used when submitting information for that field.field_nameis the localized name for the field that should be shown to the user.field_descriptionis a localized explanation of what the field is asking.field_typeis the type of component that should be displayed.field_propertiesincludes information about restrictions on the value of the field.optionalrepresents whether the field is required or not.
(1) field_types
Different field_types are meant to help direct the types of form components shown to the user to help differentiate and format expected values.
| Type | Description |
|---|---|
| string | A string |
| dropdown | A dropdown of values. field_properties['enum'] will contain the translation ↔ value pairings |
| radio | A radio selection. field_properties['enum'] will contain the translation ↔ value pairings |
| checkbox | A true/false checkbox field. |
| url | a URL |
| text | a text box intended for longer values (ex: descriptions) than string |
| an email | |
| date | Datepicker that formats the date as “YYYY-MM-DD” |
| integer | a non-negative integer field |
| file_upload | A field that allows multiple files to be uploaded. The file should be uploaded to the merchant file upload endpoint. The value of the field should then be a list of the ids of the files uploaded. |
| single_file_upload | A field that allows one file to be uploaded. The file should be uploaded to the merchant file upload endpoint. The value of the field should then be the id of the file uploaded. |
| service_agreement | Should be represented as a checkbox, but will also have an extra external_links field property that links to the actual service agreement(s) |
| multi_select | A field that allows a list of selected options. field_properties['items']['enum'] will contain the translation ↔ value pairings. |
(2) field_properties
field_properties provide information on the properties of the field.
| Property | Description | Example |
|---|---|---|
| enum | A dictionary of option ↔ value mapping. The option is localized based on locale | "enum": { "Sole Proprietor": "sole_proprietor", "Corporation": "corporation" } |
| minLength | minimum length of the string/text | "minLength": 1 |
| minimum | minimum value for fields of integer field_type | "minimum": 0 |
| maximum | maximum value for fields of integer field_type | "maximum": 2147483647 |
| format | Follows the possible built-in formats as specified by https://json-schema.org/understanding-json-schema/reference/string.html#built-in-formats Currently only date or email | "format": "email" |
| pattern | Regex pattern for formatting values | "pattern": "^([() \-_+]_[0-9]){10}\[() \-_+0-9]\_$" |
| external_links | a list of URLs linking to hosted service agreements | "external_links": ["https://example.com"] |
3. Upload files for seller merchant
Some field_types (single_file_upload, file_upload) require that files be uploaded via our merchant file API first, then the UUID(s) submitted as the value for the live_application.
Request File: Create API to upload the files for Seller Merchant onboarding.
We only accept jpg, png, and pdf formats. Besides, each file size should be smaller than 10MB.
curl -X POST https://komoju.com/api/v1/merchants/{id}/files \
-u platform_merchant_secret_key: \
-F "paper=/path/to/file"
The response will look like:
{
"id": "6ssx1zxovw3fgmdsdd1zuzr5u",
"resource": "file",
"filename": "blank.png",
"size": 998,
"mime_type": "image/png",
"created_at": "2023-01-10T12:16:00.819+09:00",
"updated_at": "2023-01-10T12:16:01.085+09:00"
}
4. Submit fields
Based on the requested_fields received in step 2, information can now be submitted for the Seller Merchant via Live Application: Update API.
Here’s an example of submitting company_information.company_name
curl -X PATCH https://komoju.com/api/v1/live_application/{id} \
-u platform_merchant_secret_key: \
-d "company_information.company_name=My Company"
If successful, the response will include any additional required fields based on what was just submitted. In the case of company_name, newly_requested_fields will be blank as no additional fields rely on the value company_name.
An example of newly_requested_fields
If you submit sole_proprietor as the company_information.corporation_type
curl -X PATCH https://komoju.com/api/v1/live_application/{id} \
-u platform_merchant_secret_key: \
-d "company_information.corporation_type=sole_proprietor"
In the response, see that newly_requested_fields now includes sole_proprietor_proofs.
"newly_requested_fields": [
{
"field": "company_information.sole_proprietor_proofs",
"field_name": "Sole proprietor proofs",
"field_type": "file_upload",
"field_properties": {}
}
]
newly_requested_fields are only shown upon update and return new fields that should be added to the form as a result of the last update to live_application.
For fields that allow multiple values (multi_select, file_upload field_types)
Submit an array of values.
curl -X PATCH https://komoju.com/api/v1/live_application/{id} \
-u platform_merchant_secret_key: \
-d '{
"visa_mastercard_credit_card.countermeasures_during_card_registration":
[ "access_restrictions_during_card_registration"]
}'
5. Complete the Live Application
The required information may vary based on the seller's type (e.g., corporation, sole proprietorship). Our API responses will guide you through the entire onboarding process, providing additional fields under the requested_fields and newly_requested_fields arrays as needed.
The live application must be completed by filling out all fields until requested_fields, newly_requested_fields, and errored_fields are empty. At this stage, the status field of the application should be set to pending.
The information required typically falls into five categories:
(1) Acceptance of KOMOJU Service Agreements
To provide Platform Model service to your sellers, KOMOJU must establish a direct contractual relationship with them. It requires each Seller Merchant to consent to KOMOJU Merchant Services Terms of Use and Privacy Policy. As the Platform Merchant, you are responsible for ensuring your sellers agree to these terms when registering via your interfaces.
Referencing KOMOJU's service agreement
At a minimum, you must provide your sellers with links to the correct terms and obtain their explicit consent when starting the onboarding process. Here’s the recommended process:
- Request Live Application: Show API to retrieve the URLs of KOMOJU Merchant Services Terms of Use and Privacy Policy from
service_agreement.agreed_to_tosfield. - Display these terms to your sellers on your platform when they opt into the service.
- Submit your seller's consent back to KOMOJU via
service_agreement.agreed_to_tosfield in Live Application: Update API.
Here’s an example of how to present our terms to your users via your interface.
(2) Company information
Below is a detailed list of the company-related information required for registration.
| Field | Type | Optional | Description |
|---|---|---|---|
| company_information.company_country | dropdown | false | Country of company's entity. - Since only a Japanese entity is allowed to use our service at this moment, you must select JP. |
| company_information.corporation_type | radio | false | The type of company, eithercorporation or sole_proprietor |
| company_information.company_phone | phone_number | false | Company's phone number |
| company_information.share_capital_amount | integer | false | Company's share capital. - This field is required when the company type is corporation. |
| company_information.share_capital_currency | dropdown | false | The currency of the company's share capital. - This field is required when the company type is corporation. |
| company_information.registration_number | string | false | The corporate number is a 13-digit unique identifier for every Japanese corporation. (reference) - This field is required when the company type is corporation. |
| company_information.company_name | string | false | Company's name |
| company_information.company_name_kana | string | false | Company's Katakana name |
| company_information.company_name_alphabet | string | false | Company's Alphabet name |
| company_information.company_postal_code | string | false | Postal code of company's address |
| company_information.company_prefecture_state | string | false | Prefecture of company's address |
| company_information.company_prefecture_state_kana | string | false | Prefecture of company's address in Katakana |
| company_information.company_city | string | false | City of company's address |
| company_information.company_city_kana | string | false | City of company's address in Katakana |
| company_information.company_address | string | false | Company's address |
| company_information.company_address_kana | string | false | Company's address in Katakana |
| company_information.company_url | url | true | The URL of the company's official site. |
| company_information.industry_description | text | false | Description of the industry that the company belongs to |
| company_information.business_description | text | false | Description of the company's business |
| company_information.employee_number | integer | false | Number of employees |
| company_information.establishment_date | date | false | The date of the company's establishment |
| company_information.office_name | string | false | Name of the company's Customer Support Department. (Please provide information that can be disclosed to Seller Merchant's customers.) |
| company_information.contact_email | false | Email to contact the company's Customer Support (Please provide information that can be disclosed to Seller Merchant's customers.) | |
| company_information.contact_phone | phone_number | false | Phone number to contact the company's Customer Support (Please provide information that can be disclosed to your user's customers.) |
| company_information.sole_proprietor_proofs | file_upload | false | Provide proof of registration of sole proprietorship. - This field is required when the company type is sole_proprietor. |
(3) Personal Information
Below is the required information for the Representative Director and Applicant.
For Corporations:
- The Representative Director and Applicant can be the same person.
- The Applicant must have the authority to make decisions on corporate contracts.
For Sole Proprietorships:
- The Representative Director and Applicant should be the same person, so you only have to complete the
representative_directorfields.
| Field | Type | Optional | Description |
|---|---|---|---|
| representative_director_information.first_name | string | false | Representative Director's first name |
| representative_director_information.first_name_kana | string | false | Representative Director's first name in Katakana |
| representative_director_information.last_name | string | false | Representative Director's last name |
| representative_director_information.last_name_kana | string | false | Representative Director's last name in Katakana |
| representative_director_information.date_of_birth | date | false | Representative Director's date of birth |
| representative_director_information.gender | radio | false | Representative Director's gender |
| representative_director_information.country | dropdown | false | Country of Representative Director's residence address |
| representative_director_information.postal_code | string | false | Postal code of Representative Director's residence address |
| representative_director_information.prefecture_state | string | false | Prefecture of Representative Director's residence address |
| representative_director_information.prefecture_state_kana | string | false | Prefecture of Representative Director's residence address in Katakana |
| representative_director_information.city | string | false | City of Representative Director's residence address |
| representative_director_information.city_kana | string | false | City of Representative Director's residence address in Katakana |
| representative_director_information.address | string | false | Address of Representative Director's residence address |
| representative_director_information.address_kana | string | false | Address of Representative Director's residence address in Katakana |
| representative_director_information.address_building_name | string | true | The building name of Representative Director's residence address. |
| representative_director_information.address_building_name_kana | string | true | The building name in Katakana of Representative Director's residence address. |
| representative_director_information.phone | string | false | Phone number of Representative Director |
| applicant_information.country | dropdown | false | Country of Applicant's residence address - This field is required when the company type is corporation. |
| applicant_information.first_name | string | false | Applicant's first name - This field is required when the company type is corporation. |
| applicant_information.first_name_kana | string | false | Applicant's first name in Katakana - This field is required when the company type is corporation. |
| applicant_information.last_name | string | false | Applicant's last name - This field is required when the company type is corporation. |
| applicant_information.last_name_kana | string | false | Applicant's last name in Katakana - This field is required when the company type is corporation. |
| applicant_information.gender | radio | false | Applicant's gender - This field is required when the company type is corporation. |
| applicant_information.date_of_birth | date | false | Applicant's date of birth - This field is required when the company type is corporation. |
| applicant_information.identity_document_type | dropdown | false | The copy of Applicant's identity document. 1. Passport 2. Driver's license 3. ID card 4. My Number Card- If the company is sole_proprietor, upload Representative Director's identity document. |
| applicant_information.identity_front | single_file_upload | false | Upload a picture or scan of the front side of the Applicant's identity document - If the company is sole_proprietor, upload Representative Director's identity document. |
| applicant_information.identity_back | single_file_upload | false | Upload a picture or scan of the back side of the Applicant's identity document - The back side is required if the doc type is either Driver's License or ID Card. - If the company is sole_proprietor, upload Representative Director's identity document. |
(4) Site Information
Below is the required information related to your website.
- The store address must match the one listed on the website that hosts the Specified Commercial Transactions Law URL.
| Field | Type | Optional | Description |
|---|---|---|---|
| site_information.site_name | string | false | Site's name - Site Name should be consistent with the name of the actual store. |
| site_information.site_name_kana | string | false | Site's Katakana name |
| site_information.site_name_alphabet | string | false | Site's Alphabet name |
| site_information.site_url | string | false | Site's URL |
| site_information.note | string | true | If making a payment on Seller Merchant's store requires any login information or other credentials, please supply them here. We may need to view the entire payment flow from the end-user perspective during screening. |
| site_information.establishment_date | date | false | The date of the site's establishment |
| site_information.industry_type | dropdown | false | The industry type of the site's services and products. - If you're unsure, please select other_not_listed_category. |
| site_information.site_annual_sales | integer | false | Annual sales forecast of the store |
| site_information.site_annual_sales_currency | dropdown | false | The currency of annual sales forecast |
| site_information.site_average_transactional_value | integer | false | The average order value of the store |
| site_information.site_average_transactional_currency | dropdown | false | The currency of the average order value |
| site_information.site_minimum_product_pricing_cents | integer | false | The minimum price of a product in the store |
| site_information.site_minimum_product_pricing_currency | dropdown | false | The currency of the minimum price |
| site_information.site_maximum_product_pricing_cents | integer | false | The maximum price of a product in the store |
| site_information.site_maximum_product_pricing_currency | dropdown | false | The currency of the maximum price |
| site_information.store_country | dropdown | false | The country of the store address. - The store address should match the one listed on the website that hosts the Specified Commercial Transactions Law URL. |
| site_information.store_postal_code | string | false | The postal code of the store address. |
| site_information.store_prefecture_state | string | false | The state of the store address |
| site_information.store_prefecture_state_kana | string | false | The state of the store address in Katakana |
| site_information.store_city | string | false | The city of the store address |
| site_information.store_city_kana | string | false | The city of the store address in Katakana |
| site_information.store_address | string | false | Store's address |
| site_information.store_address_kana | string | false | Store's address in Katakana |
| site_information.sctl_url | url | false | This represents Specified Commercial Transactions Law URL. - Please place the Specified Commercial Transactions Law page in a location that can be accessed directly from the top page. - Note: A Specified Commercial Transaction Act page is required when operating an online shop in Japan. During the review process, we check if the page exists and confirm the contents of the page. Please refer to this page for the appropriate content for the page. |
| site_information.sales_permit_required | radio | false | Does the seller's business require a sales permit to be able to sell the products described? (Secondhand Dealer License, Liquor Sales License, Cosmetics Manufacturing and Sales License, Pharmaceutical Sales License) |
| site_information.sales_permits | file_upload | false | Upload the copies of Sales permits if the answer is true in site_information.sales_permit_required |
| site_information.aup_accepted | terms_of_service | false | Please ensure the seller has acknowledged and agreed with the acceptable use policy. |
(5) Bank Account information
Below is the required bank account information.
For Corporations:
- You can only register a bank account under the same name as the corporation applying.
For Sole Proprietorships:
- You can only register a bank account under the name of the representative or the business name.
Before proceeding, please read this guide to ensure the bank account information is entered correctly.
Possible payout delay
If the account holder name is incorrect, there may be a delay in receiving the payout. Please make sure to accurately enter the half-width kana name as it appears in your bank passbook.
| Field | Type | Optional | Description |
|---|---|---|---|
| bank_account_information.transfer_type | dropdown | false | Limited to Japanese bank accounts. Therefore, the option is limited to domestic. |
| bank_account_information.default_frequency | dropdown | false | You can decide the frequency that KOMOJU pays out to your user, either weekly or monthly.- Learn more about payout frequency here |
| bank_account_information.zengin_bank_name | string | false | Bank's name |
| bank_account_information.zengin_bank_code | string | false | Bank's code |
| bank_account_information.zengin_branch_name | string | false | Bank branch's name |
| bank_account_information.zengin_branch_code | string | false | Bank branch's code |
| bank_account_information.zengin_account_type | dropdown | false | The bank account type, either ordinary or checking |
| bank_account_information.zengin_account_number | string | false | The bank account number. - Please refer to this guide before filling out. If the bank of your bank account is under ゆうちょ銀行, please also refer to this guide to see how to convert 8-digit ゆうちょ銀行's account number to 7 digits. |
| bank_account_information.zengin_account_holder_kana | string | false | Account holder's Katakana name. - If the account holder's name is incorrect, there may be a delay in receiving the payout. Please make sure to accurately enter the half-width kana name as it appears in your bank passbook. |
| bank_account_information.currency | dropdown | false | Limited to JPY option since we only support Japanese domestic bank accounts for payout. |
6. Review submitted information
Request Live Application: Show again to review all submitted information. The submitted_fields array will display the information you’ve already provided.
7. Set up webhook
You can set up webhooks to subscribe to events and receive notifications when there are updates to the review status of a Seller Merchant's application.
- Learn more about Webhook events for Platform Model here
8. Specify Seller Merchant's Owned Payment Methods
Owned Payment Methods can only be selected from your Common Payment Methods
Please note that only the payment methods listed in your Common Payment Methods are available for selection as Owned Payment Methods. For more details, refer to here.
You will need to apply for the payment methods your Seller Merchant intends to use. To view applicable payment methods to apply for, use the Live Application: Payment Methods API which will return the following:
curl -X GET https://komoju.com/api/v1/live_application/{id}/payment_methods \
-u platform_merchant_secret_key: \
submitted_payment_methodslists the payment methods Seller Merchant has already applied for.unsubmitted_payment_methodslists the applicable payment methods Seller Merchant has not yet applied for.
To apply for a specific payment method, request Live Application: Update Payment Method API.
Below are the details when applying for each payment method:
(1) VISA/MasterCard
Payment methods: visa_mastercard_credit_card
Available for corporation andsole_proprietor
Note: 3D Secure 2.0 will be used for all credit card payments except some integration types. For more details, please see this article (Japanese).
To enable credit card payments for your Seller Merchant, you will have to provide additional information about their business.
1st stage questionnaire:
| Field | Type | Optional | Description |
|---|---|---|---|
| shared_payment_method_data.has_processed_cc_before | checkbox | false | Question: Has your user's business processed credit card transactions before? Option: 1. True 2. False |
| shared_payment_method_data.processes_card_info | checkbox | false | Question: Does you user intend to save or process credit card details? Option: 1. True 2. False - Should select Falsehere since you should process the card instead of your seller. |
| shared_payment_method_data.conducts_door_to_door_sales | checkbox | false | Question: Does your user's company operate Door-to-Door sales? Option: 1. True 2. False |
| shared_payment_method_data.conducts_telemarketing | checkbox | false | Question: Does your company operate Telemarketing Sales? Option: 1. True 2. False |
| shared_payment_method_data.conducts_mlm_scheme | checkbox | false | Question: Does your company operate Network Marketing? Option: 1. True 2. False |
| shared_payment_method_data.conducts_business_opportunity_scheme | checkbox | false | Question: Does your company operate Business Opportunity (Biz-Opp)? Option: 1. True 2. False |
| shared_payment_method_data.provides_specified_continuous_services | checkbox | false | Question: Does your company provide specified continuous services (aesthetic salon, beauty care, language class, tutoring, tutoring school, marriage introduction service, computer class)? Option: 1. True 2. False |
| shared_payment_method_data.violated_consumer_contract_act | checkbox | false | Question: Has your business violated the Consumer Contract Act (消費者契約法) and lost a lawsuit due to the violation(s) in the past 5 years? Option: 1. True 2. False |
| shared_payment_method_data.violated_commercial_transaction_act | checkbox | false | Question: Has your business violated the Specified Commercial Transaction Act (特定商取引法) in the past five years and lost a lawsuit due to the violation(s) in the past? Option: 1. True 2. False |
2nd stage questionnaire: Reporting on Security Measures
KOMOJU has been requested by the Ministry of Economy, Trade and Industry (METI), the Japan Credit Association (JCA), and other organizations to request that EC merchants planning to introduce new credit card payment systems declare the status of their security measures based on the "Security Checklist" developed by the Credit Transaction Security Measures Council.
The "Security Checklist" is a list of basic security measures that the Credit Card Transaction Security Council has compiled as part of the security measures that merchants should implement in order to build and operate EC sites, and covers the basic security measures set forth in the "Credit Card Security Guidelines (Version 4.0)" published by METI. We request that merchants newly applying for credit card settlement services declare the security measures listed on the next page based on this checklist and agree to implement and maintain the security measures. We have received guidance that if you do not agree to follow the above guidelines, you should not enter into a contract with us. Thank you for your cooperation.
If you are a merchant who plans to introduce KOMOJU credit card payment systems, please indicate your implementation status of the following security measures. If the system has not yet been established, please answer on the premise that the items for each key measure will be satisfied upon completion of the establishment of the system. Also, please answer on the premise that the measures will be maintained not only at the time of signing a new franchise agreement, but also continuously after the agreement is signed.
In principle, all items must be checked for a contract to be concluded. However, since the status of installation of each security measure is dependent on the system environment of your company, please check with your internal system staff or contracted system developer before checking the status of each security measure. If your system is outsourced, please confirm the status of the outsourced system before responding to our inquiry.
Topic 1: Measures against inadequate access restrictions on the administrator's screen and administrator ID/PW mismanagement
| Field | Type | Optional | Description |
|---|---|---|---|
| visa_mastercard_credit_card.access_restrictions | checkbox | false | Question: Restrict IP addresses accessible to administrators; if IP addresses cannot be restricted, set access restrictions such as basic authentication on the administrator screen. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| visa_mastercard_credit_card.mfa_implementation | checkbox | false | Question: Adopt two-step or two-factor authentication to prevent unauthorized use of acquired accounts. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| visa_mastercard_credit_card.account_lock_v2 | checkbox | false | Question: In the login form of the administrator screen, enable the account lock function and lock the account after 10 or less failed login attempts (based on PCI DSS ver 4.0). Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 2: Measures against inadequate settings due to exposure of data directories
| Field | Type | Optional | Description |
|---|---|---|---|
| visa_mastercard_credit_card.public_directories | checkbox | false | Question: Do not place important files in public directories. (Make certain directories private. Place important files in directories other than public directories.) Option: 1. true= Implemented (to be implemented)2. false= Not known |
| visa_mastercard_credit_card.file_extension_restrictions | checkbox | false | Question: Configure settings such as restricting file extensions and files that can be uploaded by web servers and web applications. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 3: Periodic vulnerability assessments or penetration tests, and measures to address web application vulnerabilities.
| Field | Type | Optional | Description |
|---|---|---|---|
| visa_mastercard_credit_card.vulnerability_assessments | checkbox | false | Question: Conduct periodic vulnerability assessments or penetration tests, and take necessary corrective actions. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| visa_mastercard_credit_card.sql_injection_and_xss_v2 | checkbox | false | Question: As measures against SQL injection vulnerabilities and cross-site scripting vulnerabilities, use the latest plug-ins (preferably those without such vulnerabilities) and upgrade software versions. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| visa_mastercard_credit_card.source_code_review | checkbox | false | Question: If a web application is developed or customized, conduct a source code review to confirm that it has been securely coded. Check input values of input forms at the same time. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 4: Installation and operation of anti-virus software as measures against malware
| Field | Type | Optional | Description |
|---|---|---|---|
| visa_mastercard_credit_card.anti_virus_software | checkbox | false | Question: Install anti-virus software as measures against malware detection/removal, etc., and update signatures, perform periodic full scans, etc. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 5: Countermeasures against malicious validation and credit masters
| Field | Type | Optional | Description |
|---|---|---|---|
| visa_mastercard_credit_card.against_validation_hack | checkbox | false | Question: One or more of the following measures are implemented against malicious validation and credit masters*. - Restrict access from suspicious IP addresses - Restrict input from the same account and hide error content so that error content is not known in the event of an error - Identity verification, including EMV 3-D Secure and SMS notification - Take measures such as setting a limit on the number of validity checks. Option: 1. true= Implemented (*You do not need to take any additional measures if you have introduced 3D Secure via KOMOJU.)2. false= Not known |
Topic 6: Countermeasures against unauthorized login
| Field | Type | Optional | Description |
|---|---|---|---|
| visa_mastercard_credit_card.have_countermeasures_against_unauthorized_login | checkbox | false | Question: Does your site have a user login function (i.e., register/maintain a credit card number and log in to use that card number)? Option: 1. true= Yes2. false= No |
Topic 7: If you answered true to the visa_mastercard_credit_card.have_countermeasures_against_unauthorized_login, please answer the following questions regarding the anti-fraud login measures implemented in your system. (According to the rules of the Japan Credit Association, one or more of the measures listed below must be implemented in each of the following situations: member registration, member login authentication, and user attribute information change.)
| Field | Type | Optional | Description |
|---|---|---|---|
| visa_mastercard_credit_card.countermeasures_during_card_registration | multi_select | false | Question: Please check if you have implemented effective measures to prevent fraudulent use at the time of member registration (credit card number registration). Option: 1. access_restrictions_during_card_registration2. mfa_implementation_during_card_registration3. user_information_validation_during_card_registration4. fraud_detection_system_during_card_registration |
access_restrictions_during_card_registration: Restrict access from suspicious IP addressesmfa_implementation_during_card_registration: Identification by two-factor authentication, etc.user_information_validation_during_card_registration: Confirmation of personal information at the time of member registrationfraud_detection_system_during_card_registration: Fraud detection system (Fraud service)
| Field | Type | Optional | Description |
|---|---|---|---|
| visa_mastercard_credit_card.countermeasures_during_authentication | multi_select | false | Question: Please check if you have implemented effective countermeasures against fraudulent logins during login authentication after member registration. Option: 1. access_restrictions_during_authentication2. mfa_implementation_during_authentication3. login_attempt_restriction_during_authentication4. login_notification_during_authentication5. device_fingerprint_during_authentication |
access_restrictions_during_authentication: Restrict access from suspicious IP addressesmfa_implementation_during_authentication: Identification by two-factor authentication, etc.login_attempt_restriction_during_authentication: Tighten limits on the number of login attempts (to address account password cracking)login_notification_during_authentication: Email and SMS notifications upon login, throttling, etc.device_fingerprint_during_authentication: Device fingerprints, etc.
| Field | Type | Optional | Description |
|---|---|---|---|
| visa_mastercard_credit_card.countermeasures_during_user_data_modification | multi_select | false | Question: Please check if you have implemented effective measures to prevent fraudulent use when changing member attributes (name, address, email address, etc.) after login. Option: 1. access_restrictions_during_user_data_modification2. mfa_implementation_during_user_data_modification3. fraud_detection_system_during_user_data_modification |
access_restrictions_during_user_data_modification: Restrict access from suspicious IP addressesmfa_implementation_during_user_data_modification: Identification by two-factor authentication, etc.fraud_detection_system_during_user_data_modification: Fraud detection system (Fraud service)
(2) JCB/AMEX/Diners (Japan)
Payment methods: jcb_amex_diners_credit_card
Available for corporation andsole_proprietor
Note: 3D Secure 2.0 will be used for all credit card payments except some integration types. For more details, please see this article (Japanese).
To enable credit card payments for your Seller Merchant, you will have to provide additional information about their business.
1st stage questionnaire:
| Field | Type | Optional | Description |
|---|---|---|---|
| shared_payment_method_data.has_processed_cc_before | checkbox | false | Question: Has your user's business processed credit card transactions before? Option: 1. True 2. False |
| shared_payment_method_data.processes_card_info | checkbox | false | Question: Does you user intend to save or process credit card details? Option: 1. True 2. False - Should select Falsehere since you should process the card instead of your seller. |
| shared_payment_method_data.conducts_door_to_door_sales | checkbox | false | Question: Does your user's company operate Door-to-Door sales? Option: 1. True 2. False |
| shared_payment_method_data.conducts_telemarketing | checkbox | false | Question: Does your company operate Telemarketing Sales? Option: 1. True 2. False |
| shared_payment_method_data.conducts_mlm_scheme | checkbox | false | Question: Does your company operate Network Marketing? Option: 1. True 2. False |
| shared_payment_method_data.conducts_business_opportunity_scheme | checkbox | false | Question: Does your company operate Business Opportunity (Biz-Opp)? Option: 1. True 2. False |
| shared_payment_method_data.provides_specified_continuous_services | checkbox | false | Question: Does your company provide specified continuous services (aesthetic salon, beauty care, language class, tutoring, tutoring school, marriage introduction service, computer class)? Option: 1. True 2. False |
| shared_payment_method_data.violated_consumer_contract_act | checkbox | false | Question: Has your business violated the Consumer Contract Act (消費者契約法) and lost a lawsuit due to the violation(s) in the past 5 years? Option: 1. True 2. False |
| shared_payment_method_data.violated_commercial_transaction_act | checkbox | false | Question: Has your business violated the Specified Commercial Transaction Act (特定商取引法) in the past five years and lost a lawsuit due to the violation(s) in the past? Option: 1. True 2. False |
2nd stage questionnaire: Reporting on Security Measures
KOMOJU has been requested by the Ministry of Economy, Trade and Industry (METI), the Japan Credit Association (JCA), and other organizations to request that EC merchants planning to introduce new credit card payment systems declare the status of their security measures based on the "Security Checklist" developed by the Credit Transaction Security Measures Council.
The "Security Checklist" is a list of basic security measures that the Credit Card Transaction Security Council has compiled as part of the security measures that merchants should implement in order to build and operate EC sites, and covers the basic security measures set forth in the "Credit Card Security Guidelines (Version 4.0)" published by METI. We request that merchants newly applying for credit card settlement services declare the security measures listed on the next page based on this checklist and agree to implement and maintain the security measures. We have received guidance that if you do not agree to follow the above guidelines, you should not enter into a contract with us. Thank you for your cooperation.
If you are a merchant who plans to introduce KOMOJU credit card payment systems, please indicate your implementation status of the following security measures. If the system has not yet been established, please answer on the premise that the items for each key measure will be satisfied upon completion of the establishment of the system. Also, please answer on the premise that the measures will be maintained not only at the time of signing a new franchise agreement, but also continuously after the agreement is signed.
In principle, all items must be checked for a contract to be concluded. However, since the status of installation of each security measure is dependent on the system environment of your company, please check with your internal system staff or contracted system developer before checking the status of each security measure. If your system is outsourced, please confirm the status of the outsourced system before responding to our inquiry.
Topic 1: Measures against inadequate access restrictions on the administrator's screen and administrator ID/PW mismanagement
| Field | Type | Optional | Description |
|---|---|---|---|
| jcb_amex_diners_credit_card.access_restrictions | checkbox | false | Question: Restrict IP addresses accessible to administrators; if IP addresses cannot be restricted, set access restrictions such as basic authentication on the administrator screen. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| jcb_amex_diners_credit_card.mfa_implementation | checkbox | false | Question: Adopt two-step or two-factor authentication to prevent unauthorized use of acquired accounts. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| jcb_amex_diners_credit_card.account_lock_v2 | checkbox | false | Question: In the login form of the administrator screen, enable the account lock function and lock the account after 10 or less failed login attempts (based on PCI DSS ver 4.0). Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 2: Measures against inadequate settings due to exposure of data directories
| Field | Type | Optional | Description |
|---|---|---|---|
| jcb_amex_diners_credit_card.public_directories | checkbox | false | Question: Do not place important files in public directories. (Make certain directories private. Place important files in directories other than public directories.) Option: 1. true= Implemented (to be implemented)2. false= Not known |
| jcb_amex_diners_credit_card.file_extension_restrictions | checkbox | false | Question: Configure settings such as restricting file extensions and files that can be uploaded by web servers and web applications. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 3: Periodic vulnerability assessments or penetration tests, and measures to address web application vulnerabilities.
| Field | Type | Optional | Description |
|---|---|---|---|
| jcb_amex_diners_credit_card.vulnerability_assessments | checkbox | false | Question: Conduct periodic vulnerability assessments or penetration tests, and take necessary corrective actions. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| jcb_amex_diners_credit_card.sql_injection_and_xss_v2 | checkbox | false | Question: As measures against SQL injection vulnerabilities and cross-site scripting vulnerabilities, use the latest plug-ins (preferably those without such vulnerabilities) and upgrade software versions. Option: 1. true= Implemented (to be implemented)2. false= Not known |
| jcb_amex_diners_credit_card.source_code_review | checkbox | false | Question: If a web application is developed or customized, conduct a source code review to confirm that it has been securely coded. Check input values of input forms at the same time. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 4: Installation and operation of anti-virus software as measures against malware
| Field | Type | Optional | Description |
|---|---|---|---|
| jcb_amex_diners_credit_card.anti_virus_software | checkbox | false | Question: Install anti-virus software as measures against malware detection/removal, etc., and update signatures, perform periodic full scans, etc. Option: 1. true= Implemented (to be implemented)2. false= Not known |
Topic 5: Countermeasures against malicious validation and credit masters
| Field | Type | Optional | Description |
|---|---|---|---|
| jcb_amex_diners_credit_card.against_validation_hack | checkbox | false | Question: One or more of the following measures are implemented against malicious validation and credit masters*. - Restrict access from suspicious IP addresses - Restrict input from the same account and hide error content so that error content is not known in the event of an error - Identity verification, including EMV 3-D Secure and SMS notification - Take measures such as setting a limit on the number of validity checks. Option:1. true= Implemented (*You do not need to take any additional measures, if your Platform Merchant may clear this item by introducing 3D Secure at KOMOJU.)2. false= Not known |
Topic 6: Countermeasures against unauthorized login
| Field | Type | Description |
|---|---|---|
| jcb_amex_diners_credit_card.have_countermeasures_against_unauthorized_login | checkbox | Question: Does your site have a user login function (i.e., register/maintain a credit card number and log in to use that card number)? Option: 1. true= Yes2. false= No |
Topic 7: If you answered true to the jcb_amex_diners_credit_card.have_countermeasures_against_unauthorized_login, please answer the following questions regarding the anti-fraud login measures implemented in your system. (According to the rules of the Japan Credit Association, one or more of the measures listed below must be implemented in each of the following situations: member registration, member login authentication, and user attribute information change.)
| Field | Type | Optional | Description |
|---|---|---|---|
| jcb_amex_diners_credit_card.countermeasures_during_card_registration | multi_select | false | Question: Please check if you have implemented effective measures to prevent fraudulent use at the time of member registration (credit card number registration). Option: 1. access_restrictions_during_card_registration2. mfa_implementation_during_card_registration3. user_information_validation_during_card_registration4. fraud_detection_system_during_card_registration |
access_restrictions_during_card_registration: Restrict access from suspicious IP addressesmfa_implementation_during_card_registration: Identification by two-factor authentication, etc.user_information_validation_during_card_registration: Confirmation of personal information at the time of member registrationfraud_detection_system_during_card_registration: Fraud detection system (Fraud service)
| Field | Type | Optional | Description |
|---|---|---|---|
| jcb_amex_diners_credit_card.countermeasures_during_authentication | multi_select | false | Question: Please check if you have implemented effective countermeasures against fraudulent logins during login authentication after member registration. Option: 1. access_restrictions_during_authentication2. mfa_implementation_during_authentication3. login_attempt_restriction_during_authentication4. login_notification_during_authentication5. device_fingerprint_during_authentication |
access_restrictions_during_authentication: Restrict access from suspicious IP addressesmfa_implementation_during_authentication: Identification by two-factor authentication, etc.login_attempt_restriction_during_authentication: Tighten limits on the number of login attempts (to address account password cracking)login_notification_during_authentication: Email and SMS notifications upon login, throttling, etc.device_fingerprint_during_authentication: Device fingerprints, etc.
| Field | Type | Optional | Description |
|---|---|---|---|
| jcb_amex_diners_credit_card.countermeasures_during_user_data_modification | multi_select | false | Question: Please check if you have implemented effective measures to prevent fraudulent use when changing member attributes (name, address, email address, etc.) after login. Option: 1. access_restrictions_during_user_data_modification2. mfa_implementation_during_user_data_modification3. fraud_detection_system_during_user_data_modification |
access_restrictions_during_user_data_modification: Restrict access from suspicious IP addressesmfa_implementation_during_user_data_modification: Identification by two-factor authentication, etc.fraud_detection_system_during_user_data_modification: Fraud detection system (Fraud service)
(3) PayPay
Payment methods: paypay
Available for corporation andsole_proprietor
The following information is required when applying for PayPay:
| Field | Type | Optional | Description |
|---|---|---|---|
| paypay.accepted_paypay_tos | terms_of_service | false | Seller Merchant has read and agreed with the following terms and conditions and privacy policy. and also agrees to be contacted by PayPay regarding sales promotions. 1. PayPay加盟店規約 2. PayPay加盟店ガイドライン 3. 自治体等およびふるさと納税ポータルサイト運営会社への加盟店情報連携の同意について |
(4) Merpay
Payment methods: merpay
Available for corporation only.
The following information is required when applying for Merpay:
| Field | Type | Optional | Description |
|---|---|---|---|
| merpay.accepted_merpay_tos | terms_of_service | false | Seller Merchant has read and agreed with the following terms and conditions and privacy policy. 1. メルペイ加盟店規約 2. メルペイプライバシーポリシー |
| shared_payment_method_data.privacy_policy_url | string | false | URL of your user's privacy policy |
(5) Bank Transfer
Payment methods: bank_transfer
Available for corporation andsole_proprietor
No additional information is required when applying for Bank Transfer.
(6) Pay-easy
Payment methods: pay_easy
Available for corporation andsole_proprietor
No additional information is required when applying for Pay-easy.
(7) Konbini
Payment methods: convenience_store
Available for corporation andsole_proprietor
The following information is required when applying for Merpay:
| Field | Type | Optional | Description |
|---|---|---|---|
| shared_payment_method_data.open_time | string | false | Opening time of Seller Merchant's customer service |
| shared_payment_method_data.close_time | string | false | Closing time of Seller Merchant's customer service |
| convenience_store.expected_number_of_payments | integer | false | Seller Merchant's expected number of transactions per month |
(8) 7-Eleven
Payment methods: seven_eleven
Available for corporation only
For 7-Eleven payment, there is a screening process to ensure that the site and operation are in line with the regulations set by 7-Eleven. To enable 7-Eleven payments, your site must meet all the following requirements.
The expected review time is approximately one to two months after applying.
During the review process, both 7-Eleven and the KOMOJU Support Team may contact your user individually for confirmation or suggestions.
The following information is required when applying for 7-Eleven:
| Field | Type | Optional | Description |
|---|---|---|---|
| shared_payment_method_data.open_time | string | false | Opening time of Seller Merchant's customer service |
| shared_payment_method_data.close_time | string | false | Closing time of Seller Merchant's customer service |
| seven_eleven.no_direct_delivery_from_producer | checkbox | false | Description: 7-Eleven payment is not available for products that are shipped directly from the place of production or from the manufacturer. Products must be in your own warehouse or contracted warehouse for immediate delivery at the time of order. Checkbox: No products are shipped directly from the place of production or from the manufacturer |
| seven_eleven.no_ticket_sales | checkbox | false | Description: Admission tickets, spectator tickets, and other "ticket sales" cannot be handled. Checkbox: No tickets are sold |
| seven_eleven.correct_flow_for_order_items | checkbox | false | Description: If you have products that are on backorder or made-to-order, the flow must be such that orders are accepted only after the products have arrived at your store or warehouse. Checkbox: We follow the above flow |
| seven_eleven.delivery_within_two_months | checkbox | false | Description: Made-to-order products (custom-made) and pre-order products (pre-launch products) must be shipped within two months of ordering. In addition, the specific date of shipment or arrival must be clearly indicated on the website for each product. [Recommended] Delivery on YYYY/MM/DD (specific date) [Acceptable] Delivery in early YYYY/MM (specified in the form of early, mid, or late month) [Not Acceptable] Delivery in YYYY/MM, after YYYY/MM, delivery from YYYY/MM, etc Checkbox: Sales of made-to-order and pre-order products are made in accordance with the above regulations |
| seven_eleven.all_items_are_cheaper_than_konbini_limit | checkbox | false | Description: If you have merchandise that requires more than 300,000 yen per transaction, your site must clearly indicate "Konbini Payment(s) cannot be used for payments over 300,000 yen" If you handle transactions exceeding 300,000 yen and the above information cannot be confirmed on your website, the screening process will take longer. Checkbox: Our merchandise meets the above regulation |
| seven_eleven.display_sales_permit_number | checkbox | false | Description: If you have products that require a sales license, you must clearly state the license number on your website. Also, if you are dealing with cosmetics, health foods, or supplements, please make sure that the description and sales are in accordance with the Pharmaceutical Affairs Law ( https://www.mhlw.go.jp/shingi/2006/05/dl/s0525-4e.pdf ). Checkbox: Acknowledged |
| seven_eleven.order_fee_is_displayed | checkbox | false | Description: Shipping costs must be clearly listed on the site in an easy to understand manner by region or by product size. They should also be available for review before adding items to the shopping cart. Checkbox: Users can check the shipping cost before adding items to the shopping cart |
| seven_eleven.no_international_transaction | checkbox | false | Description: 7-Eleven payment can only be used within Japan. 7-Eleven payment cannot be used for overseas orders or shipments. We also cannot provide 7-Eleven payment for non-Japanese websites. Checkbox: We will not use 7-Eleven payment for international orders, international shipping, or non-Japanese websites |
| seven_eleven.provided_info_matches_sctl | checkbox | false | Description: The application information you submitted to KOMOJU and the content of the "Notation based on Act of Specified Commercial Transactions" page must match. Checkbox: There are no discrepancies between the information submitted to KOMOJU and the content of the "Notation based on Act of Specified Commercial Transactions" page |
| seven_eleven.sctl_page_has_phone_number | checkbox | false | Description: You phone number must be displayed on the "Notation based on Act of Specified Commercial Transactions" page. The phone number must be a landline number, cell phone numbers are not acceptable. If your phone number is different than the one specified on the "Notation based on Act of Specified Commercial Transactions" page, please enter your new phone number in the "Notes" section at the bottom of the form. Checkbox: The phone number is displayed on the "Notation based on Act of Specified Commercial Transactions" page |
| seven_eleven.product_pages_are_public | checkbox | false | Description: Are the product pages ready and publicly accessible? Checkbox: Product pages are ready and publicly accessible |
| seven_eleven.have_sold_as_regular_price | checkbox | false | Description: If the product or service you are selling is listed with a regular price and a discounted price, do you have a record of selling it at the regular price? Please make sure that you are not in violation of the Act against Unjustifiable Premiums and Misleading Representations. https://www.caa.go.jp/policies/policy/representation/fair_labeling/representation_regulation/double_price/ Checkbox: We have a track record of selling our products at both regular and discounted prices/this regulation does not apply to our product or service |
| seven_eleven.site_is_public | checkbox | false | Description: Is the site URL accessible? If login is required, please write "ID/PW for site viewing" and include the login information in the "Notes" section at the bottom of the form. Checkbox: Site is accessible |
| seven_eleven.note | string | true | 1. Share the login credential here if ID/PW is required to access your user's site. 2. If your phone number is different than the one specified on the "Notation based on Act of Specified Commercial Transactions" page, please enter your new phone number here. |
9. (Test environment only) Simulate the Live application status
Once you complete the merchant application and at least one Owned Payment Method application, you'll be able to simulate the result of KOMOJU's review.
(1) Simulate Merchant Application status
Request Live Application: Simulate Status API to simulate whether the merchant application will be accepted or declined.
(2) Simulate Owned Payment Method Application status
Request Live Application: Simulate Payment Method Status API to simulate the status (accepted or declined) of an Owned Payment Method application.
Updated about 24 hours ago