What is non-retention of credit card information? Importance and measures in Japan


When e-commerce businesses start accepting credit cards, the secure handling of customer card information is a core issue. Alongside efforts to expand cashless adoption, the Japanese government is strengthening payment security by developing a range of guidelines to help sellers accept card transactions in a safe environment.

Against this backdrop, an increasing number of businesses are adopting policies and practices that avoid retaining card details by not handling them at all. This approach has become widely recognised as one of the safeguards that digital storefronts need to have in place.

This article clearly explains the fundamental concepts of non-retention of credit card data, its importance and the measures e-commerce businesses need to take to support it.

What's in this article?

  • What is non-retention of credit card information?
  • The importance of not retaining credit card information
  • Methods for supporting the non-retention of credit card information
  • Key points when implementing the non-retention of credit card information
  • Credit card fraud protection measures e-commerce companies need to take
  • How Stripe Payments can help

What is non-retention of credit card information?

As cash-free checkout expands in Japan, the risks of credit card fraud and chargebacks are also increasing.

A survey by the Japan Consumer Credit Association shows that credit card fraud losses hit a record high of approximately ¥55.5 billion in 2024. As a result, e-commerce businesses now face growing pressure to adopt increasingly sophisticated protections year after year.

The Ministry of Economy, Trade and Industry (METI) has established Credit Card Security Guidelines that require digital sellers to adhere to one of the following as part of their steps to protect card information:

  • Compliance with the Payment Card Industry Data Security Standard (PCI DSS)
  • Achievement of non-retention

The central point here is that complying with PCI DSS imposes a significant burden on systems, organisational structure and personnel.

PCI DSS is a strict standard comprising 12 top-level specifications broken down into hundreds of specific requirements, covering areas such as firewalls, log auditing, encryption and access control. Meeting all of them is extremely difficult.

That's precisely why many e-commerce businesses opt to outsource their card processing to PCI DSS–compliant payment agents rather than attempting to meet the requirements on their own: by doing so, they avoid handling card information themselves and can achieve non-retention.

Conditions for achieving non-retention

Non-retention of credit card data refers to e-commerce businesses not storing their customers' card information on their own servers or infrastructure. However, simply not storing these records within the site is not sufficient to qualify as non-retention.

More specifically, all three of the following conditions are required:

  • Do not retain card information
  • Do not process card information
  • Do not pass card information through your own servers

In practical terms, the setup must transmit the card details entered by the user straight to a PCI DSS–compliant payment processor, ensuring the data never passes through the e-commerce seller's server.

The importance of not retaining credit card information

Cashless payments have become well accepted in Japan for everyday shopping and web-based services, and adoption keeps gaining momentum. In response to these changes in the checkout environment, METI had aimed to double the cash-free ratio to approximately 40% by June 2025. By 2024, the cash-free ratio had climbed to 42.8% (¥141 trillion), allowing the government to meet its target ahead of schedule.

Against this backdrop, cashless payments and credit card transactions will continue to expand. The need to address threats such as data leaks, fraud and chargebacks grows in tandem as adoption rises.

As long as credit cards remain central to cashless checkouts, protecting customers' information is an increasingly important concern for digital sellers. Non-retention, the ability to operate without retaining or handling credit card details inside your organisation, is a practical approach that lets businesses keep accepting online payments with confidence.

Methods for supporting the non-retention of credit card information

When implementing non-retention of credit card information, it is key to first correctly identify whether your company's payment flow is "pass-through" or "non-pass-through."

In the pass-through model, credit card numbers route through the enterprise's servers or networks, creating the chance of unintended traces in logs, backups, monitoring tools and similar systems. In this case, the organisation is regarded as storing card data and must therefore comply with PCI DSS.

In the non-pass-through model, by contrast, the company's internal infrastructure never touches the card data, so the business has neither handled nor retained it and thereby achieves non-retention. Many digital sellers choose the non-pass-through method both to reduce the load of PCI DSS compliance and, above all, to reach non-retention status.

Redirect payments

Redirect payments, or link payments, are a method that directs purchasers to an external page to complete checkout. By entrusting the checkout screen itself to the payment processor, the e-commerce business does not need to store, process or transmit card information.

Pay by link, where a payment link is sent via email or social media, is another checkout type that relies on this approach. Still, attacks targeting the front end, including ones that rewrite the destination URL, have been reported. Basic security measures, such as defences against screen tampering, must therefore also be put in place.

JavaScript type

In the JavaScript type (token system), the buyer's browser converts the card number into a token, and the seller receives only that token. The actual card number is sent directly to the payment processor, so the e-commerce business never handles it itself.

The main advantage is ease of setup while preserving the site's existing design. That said, the risk of leaks remains because the JavaScript files can be tampered with, making robust file management and vulnerability countermeasures indispensable.

Key points when implementing the non-retention of credit card information

By implementing non-retention of card data, digital storefronts can provide payment processing without handling card details themselves. Still, depending on setup and operational conditions, it might not be possible to reach a no-storage approach. Next, let's review the key points for proper non-retention rollout.

PCI DSS compliance is mandatory when non-retention cannot be achieved

Businesses often mistakenly treat non-retention and PCI DSS compliance as mutually exclusive, "either/or" choices. For clarity, they can be organised as shown below:

  Is credit card information retained?   PCI DSS compliance requirement
  Do not retain                          Not required if the information is not retained
  Must be retained                       Required

In other words, if your company cannot achieve non-retention, you need to be aware that you will bear the full burden of PCI DSS requirements. For example, if a card number passes through your enterprise's servers or network even once, the e-commerce business is deemed to be retaining card information and must comply with PCI DSS, the global standard set by the international card brands.

As mentioned earlier, PCI DSS requires adherence to numerous requirements covering both technical and operational aspects, as well as ongoing oversight, creating a significant strain for organisations. For this reason, many digital sellers are adopting non-pass-through options and moving toward non-retention by avoiding in-house handling of card data altogether.

Risk of accidental card information pass-through

Even when adopting a non-pass-through approach, card numbers can remain in logs, backups, test environments, monitoring tools and similar systems, depending on how teams configure them. Such temporary records might lead to a determination that card data passed through the business, even though the business believes it has stopped storing the information.

Since functionality checks made during testing and debug settings can sometimes be carried as-is into the live production environment, infrastructure must be designed so that card details are never acquired by the application at any stage, from development through day-to-day operations.
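One practical check for the accidental pass-through described above is to scan the records you do keep for anything that looks like a card number. The scanner below is an added example, not from the article: a candidate is a run of 13 to 19 digits (optionally separated by spaces or dashes) that also passes the Luhn check, which filters out most long order ids and tracking numbers. The log lines are constructed, and the card numbers in them are well-known test values rather than real accounts.

```javascript
// Added example, not from the article: scan text records (access logs, backups,
// debug dumps) for anything that looks like a stored card number.

// Luhn mod-10 check over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13-19 digits with optional single space/dash separators, not part of a longer run.
const CANDIDATE = /(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])/g;

// Returns [{ line, pan }] with 1-based line numbers; `pan` holds digits only.
function findPans(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    for (const m of line.matchAll(CANDIDATE)) {
      const digits = m[0].replace(/\D/g, '');
      if (luhnValid(digits)) findings.push({ line: idx + 1, pan: digits });
    }
  });
  return findings;
}

// Masks every Luhn-valid candidate in a line, keeping only the last four digits.
function redactPans(line) {
  return line.replace(CANDIDATE, (m) => {
    const digits = m.replace(/\D/g, '');
    return luhnValid(digits) ? `[REDACTED ****${digits.slice(-4)}]` : m;
  });
}

// Constructed sample lines (test card numbers, not real accounts).
const SAMPLE_LOG = [
  '2025-03-01T10:00:00Z INFO order=10023 token=tok_8f3a2b9c0d1e amount=1200',
  '2025-03-01T10:00:01Z DEBUG form={"number":"4242 4242 4242 4242","exp":"12/27"}',
  '2025-03-01T10:00:02Z INFO customer phone=09012345678',
  '2025-03-01T10:00:03Z INFO shipment tracking=1234567890123456',
  '2025-03-01T10:00:04Z WARN debug-dump card=5555-5555-5555-4444 exp=11/26',
];

for (const f of findPans(SAMPLE_LOG)) {
  console.log(`line ${f.line}: possible PAN ending ${f.pan.slice(-4)}`);
}
```

Run over the sample, only the DEBUG form dump and the debug-dump line are reported; the 16-digit tracking number fails Luhn and is left alone. In practice this scan belongs in the CI pipeline and on log shippers for every environment, because the test-environment leak in the text becomes a production leak the moment the same configuration is promoted.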

Importance of countermeasures against tampering or vulnerability exploits

Even when non-pass-through systems are employed, there have been confirmed cases of card data being illicitly obtained by tampering with the e-commerce site itself. Malicious JavaScript can be embedded regardless of site structure and via any number of routes, so caution is necessary.

As countermeasures, it is important to continuously implement fundamental security controls, including file-tampering detection, vulnerability management, removal of unnecessary permissions and timely updates to the CMS and plugins.

Credit card fraud protection measures e-commerce companies need to take

Even if you implement non-retention so that card information is never handled within your own company, the chance of fraud does not disappear. Online charges are susceptible to various forms of misuse, including the use of stolen card data, high-risk access from overseas, credit master attacks and identity theft.

Use 3D Secure 2 to improve identity verification

3D Secure 2 is considered an effective way to strengthen identity verification for online payments. It enables risk assessment based on device information, behavioural signals and transaction details, and requires additional authentication only for high-risk cases.

This supports a balanced approach that maintains convenience for legitimate users while addressing fraudulent actors by requiring additional authentication.

Utilise fraud detection services to visualise risks

You can pair fraud detection services such as Stripe Radar with 3D Secure. The screening tools provided by payment processors comprehensively analyse factors including IP addresses, device details, order history and purchase behaviour to assign a risk score to each transaction.

By using these kinds of tools, you can automatically identify the following transaction patterns:

  • Credit master brute-force attacks
  • High-risk access from overseas IP addresses or through VPNs
  • Sudden changes in amount, frequency, or behaviour
  • Fraud trends by country or region
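To make the patterns above concrete, here is an added example, not from the article and not how Stripe Radar works internally: a small rule-based screen over a constructed stream of authorisation attempts. It flags a credit master pattern (many distinct cards from one source in a short window), access from a country the store does not serve, and a sudden jump in amount, then maps the score to a step-up decision of allow, challenge with 3D Secure 2, or block. The thresholds, weights, expected-country list and IP addresses are assumptions chosen for the sample data.

```javascript
// Added example, not from the article or Stripe Radar: rule-based screening
// over constructed authorisation attempts, mapped to a step-up decision.
const WINDOW_S = 120;            // velocity window for the credit master rule
const CM_DISTINCT_CARDS = 5;     // distinct cards from one IP inside the window
const SPIKE_FACTOR = 5;          // amount vs. the IP's previous average
const EXPECTED_COUNTRIES = new Set(['JP']); // a store that ships domestically only

// Each event: { id, ts (seconds), ip, country, cardFingerprint, amountJpy }.
// cardFingerprint is a processor-issued identifier, not a PAN: with
// non-retention the merchant never has the card number to work with.
function assess(events) {
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  return sorted.map((ev, i) => {
    const priorSameIp = sorted.slice(0, i).filter((e) => e.ip === ev.ip);
    const reasons = [];
    let score = 0;

    // Credit master pattern: many different cards tried from one source quickly.
    const recent = priorSameIp.filter((e) => ev.ts - e.ts <= WINDOW_S);
    const distinctCards = new Set([...recent, ev].map((e) => e.cardFingerprint));
    if (distinctCards.size >= CM_DISTINCT_CARDS) { reasons.push('credit_master_pattern'); score += 80; }

    // Access from a country the store does not serve.
    if (!EXPECTED_COUNTRIES.has(ev.country)) { reasons.push('unexpected_country'); score += 40; }

    // Sudden change in amount relative to this source's own history.
    if (priorSameIp.length >= 2) {
      const avg = priorSameIp.reduce((s, e) => s + e.amountJpy, 0) / priorSameIp.length;
      if (ev.amountJpy > SPIKE_FACTOR * avg) { reasons.push('amount_spike'); score += 40; }
    }

    const action = score >= 70 ? 'block' : score >= 30 ? 'challenge_3ds2' : 'allow';
    return { id: ev.id, score, reasons, action };
  });
}

// Constructed attempts (documentation IP ranges, fake fingerprints).
const SAMPLE_EVENTS = [
  // One IP cycling through six different cards within a minute.
  ...[0, 10, 20, 30, 40, 50].map((ts, n) => ({
    id: `a${n + 1}`, ts, ip: '203.0.113.10', country: 'JP', cardFingerprint: `fp_a${n + 1}`, amountJpy: 100,
  })),
  // A single purchase from outside the store's market.
  { id: 'b1', ts: 60, ip: '198.51.100.7', country: 'GB', cardFingerprint: 'fp_b1', amountJpy: 4000 },
  // A returning source whose third order is far above its usual size.
  { id: 'c1', ts: 100, ip: '192.0.2.5', country: 'JP', cardFingerprint: 'fp_c1', amountJpy: 1500 },
  { id: 'c2', ts: 200, ip: '192.0.2.5', country: 'JP', cardFingerprint: 'fp_c1', amountJpy: 1600 },
  { id: 'c3', ts: 300, ip: '192.0.2.5', country: 'JP', cardFingerprint: 'fp_c1', amountJpy: 90000 },
];

// Result for one event id from the sample stream.
function resultFor(id) {
  return assess(SAMPLE_EVENTS).find((r) => r.id === id);
}

for (const r of assess(SAMPLE_EVENTS)) console.log(r.id, r.action, r.reasons.join(','));
```

The three-way outcome mirrors the text's point about balance: the first four attempts from the cycling IP still pass, because four cards in two minutes is also what a family sharing a device looks like, and the overseas and amount-spike cases get a 3D Secure 2 challenge rather than an outright decline, so a legitimate customer can still complete the purchase.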

As the use of cards issued overseas increases in cross-border e-commerce, adopting and using 3D Secure 2 and other fraud-detection services can help reduce the chance of unauthorised activity.

How Stripe Payments can help

Stripe Payments provides a unified, global payments solution that helps any business – from scaling startups to global enterprises – accept payments online, in person and around the world.

Stripe Payments can help you:

  • Optimise your checkout experience: Create a frictionless customer experience and save thousands of engineering hours with prebuilt payment UIs, access to 125+ payment methods and Link, a wallet built by Stripe.
  • Expand to new markets faster: Reach customers worldwide and reduce the complexity and cost of multicurrency management with cross-border payment options, available in 195 countries across 135+ currencies.
  • Unify payments in person and online: Build a unified commerce experience across online and in-person channels to personalise interactions, reward loyalty and grow revenue.
  • Improve payments performance: Increase revenue with a range of customisable, easy-to-configure payment tools, including no-code fraud protection and advanced capabilities to improve authorisation rates.
  • Move faster with a flexible, reliable platform for growth: Build on a platform designed to scale with you, with 99.999% historical uptime and industry-leading reliability.

Learn more about how Stripe Payments can power your online and in-person payments or get started today.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.
