We help businesses accept payments online.
Entering or expanding into Japan’s digital market can be a smart move for companies in the video gaming industry, whether you’re selling in-game currency, downloadable content (DLC) or full digital game titles.
With a tech-savvy population and high entertainment spending, Japan offers real growth potential. The digital media market is projected to reach ¥14.2 trillion (approx. USD 99 billion) by 2030. But with that opportunity comes a tightly regulated environment.
From the Payment Services Act to data protection laws and tax obligations, Japan enforces clear standards for selling and paying for digital products online. These rules apply equally to domestic and international businesses, and failing to comply with them can result in legal penalties, chargeback issues, or loss of customer trust.
This article outlines the most important laws and compliance practices for selling digital media in Japan, using examples and insights relevant to platforms, storefronts, and payment providers like KOMOJU that help streamline the process.
How Japan Pays
Japan is often seen as a tech-forward nation, but its payment habits reflect a complex blend of tradition and innovation. While credit cards, mobile wallets, and QR code apps are gaining traction, cash is still widely used, especially among older demographics and in-person transactions.
As of 2024, 42.8% of payments in Japan were cashless, surpassing the government’s original target of 40% by 2025 (METI). That figure has grown steadily thanks to government-led cashless incentives, but it still lags behind markets like South Korea or China.
In South Korea, cash accounts for just 16% of all transactions, making it one of the most cash-averse countries globally. In China, the adoption rate of mobile payments among mobile internet users reached 92.8% in 2024, representing a user base of over 1 billion people.
Meanwhile, in Japan, even in eCommerce, many customers prefer paying in cash at a convenience store (Konbini payments)—a somewhat uniquely Japanese workaround for those who shop online but prefer cash.
Local Payment in Japan
For online businesses, your payment setup must do more than “work”—it must align with consumer habits in Japan and a layered regulatory structure. Offering familiar domestic options like PayPay or Konbini payments at checkout is more than convenience—it’s arguably necessary to even compete.
Popular local payment methods in Japan include:
- Konbini (Convenience Store) Payments: After ordering online, pay in cash at stores like 7-Eleven, Lawson, or FamilyMart.
- PayPay: Japan’s leading QR code app with 68+ million users as of March 2025. Widely accepted and boosted by cashback campaigns.
- Rakuten Pay / au PAY: These mobile wallets are tied to major loyalty programs and are popular for both online and in-store use.
- Furikomi (Bank Transfers): Still widely used for B2B, bill payments, and high-ticket items.
- Credit & Debit Cards: A core method for many online shoppers, especially for subscriptions and larger purchases.
- Prepaid Cards: These are common among minors and unbanked users for digital goods, games, and mobile apps.
Prepaid Cards as a Bridge for Youth and the Unbanked
Prepaid cards are especially popular among video gamers in Japan, who use them to buy digital content like video game credits, skins, and app-based purchases. Supporting prepaid options means unlocking revenue from minors, students, and players without bank accounts—a key demographic for the video gaming industry.
Who's Using Prepaid Cards in Japan?
According to survey data from Japan’s National Institute for Research Advancement (NIRA), usage of prepaid electronic money is widespread across all age groups:
- Among 18–29-year-olds, 55% reported using prepaid cards.
- Usage increases steadily with age, peaking at 73% among people in their 60s.
- Even in lower-income households (under ¥2 million), prepaid use hovers around 65%.
This broad appeal is partly due to Japan’s preference for cash-based and non-credit systems. Prepaid cards also serve as a privacy-friendly, low-risk entry point to online shopping for younger users, many of whom spend regularly on digital goods.
Prepaid options, including Konbini-linked gift cards, are fraud-resistant, compliance-ready, and part of a market projected to exceed ¥93 trillion (USD 625.9 billion) by 2032. In fiscal 2023, issuers released over ¥29.9 trillion in prepaid value across gift cards, IC cards, and QR-code payments
Regulatory Oversight in Japan
Japan’s payment ecosystem is shaped not only by consumer habits but also by a strict regulatory framework. Several government agencies are responsible for supervising different aspects of electronic payments, each with specific mandates that digital businesses must understand.
Financial Services Agency (FSA)
Under the Payment Services Act (PSA), the FSA oversees fund transfers, stored value systems (such as prepaid payment instruments), and crypto asset providers. This includes regulating entities that issue prepaid payment instruments and operate crypto asset exchange services.
Ministry of Economy, Trade and Industry (METI)
METI is responsible for overseeing credit card transactions and enforcing security standards. Notably, METI mandated the implementation of 3D Secure 2.0 for all eCommerce businesses at the end of March 2025 to improve credit card security and combat fraud.
Consumer Affairs Agency (CAA)
The CAA handles payment-related consumer protection issues, including dispute resolution and addressing misleading sales practices. It formulates and implements policies to protect consumers from fraudulent business practices and defective products.
Nevertheless, Japan continues to grapple with rising payment fraud. In 2024, credit card fraud caused ¥55.5 billion in damages—the highest level in nearly a decade. In 2023, the National Police Agency reported that online transaction scams more than doubled to 3,343 cases, with losses totaling around ¥2.13 billion—a 115% increase from the previous year.
Still, Japan is pushing to reverse these trends. The government has already implemented 3D Secure 2.0 for all eCommerce businesses and announced a plan to train 50,000 cybersecurity professionals by 2030—a major investment aimed at closing the talent gap and strengthening its digital infrastructure for the long term.
The Payment Services Act and Digital Transactions
Japan’s Payment Services Act (Shikin Kessai Hō, 資金決済法) governs the issuance, storage, and transfer of digital value. Businesses offering downloadable content, in-game currency, app credits, or user wallets must determine whether their services require notification, registration, or licensing.
Digital Credits or Game Currency
Selling stored value, such as virtual coins, game tokens, or prepaid credits, qualifies as a “prepaid payment instrument” (maebarai-shiki shiharai shudan, 前払式支払手段) under Articles 3 and 4.
- If the total unused balance exceeds ¥10 million, registration with the Financial Services Agency (FSA) is required (Article 4).
- If below that threshold, a notification is still mandatory (Article 5).
This applies even if the credits are non-transferable or used only within your platform.
Managing User Funds or Payouts
If your platform holds user funds, enables peer-to-peer transfers, or issues payouts, it may fall under the category of a funds transfer service (資金移動業, shikin idō gyō) as defined in Articles 36–45 of the Payment Services Act.
To operate legally, you must obtain a license (Article 37), which requires:
- Minimum capital (typically ¥10 million or more)
- An internal audit structure
- Compliance frameworks for user protection and operational security
This typically applies to platforms acting as intermediaries—those that receive money from users (e.g., buyers, advertisers) and later distribute it to third parties (e.g., sellers, affiliates, or creators).
Issuing Electronic Money
If your platform issues value that can be redeemed with external merchants or partners, it may be considered electronic money (電子マネー, denshi maikin) under Articles 3 and 7.
In this case, customer funds must be safeguarded using a trust account or security deposit (Articles 14–16). This classification often applies to multi-use wallets, branded payment apps, and cross-platform rewards programs.
Use KOMOJU to Avoid Licensing and Legalese
If your business issues digital credits, holds user funds, or processes payouts, you may fall under Japan’s Payment Services Act. That means dealing with licensing, capital requirements, audits, and detailed reporting.
By using a licensed provider like KOMOJU, you operate under the law’s outsourcing provisions (Article 57-2) without needing to register as a financial service yourself.
KOMOJU handles:
- Payment processing and user fund transfers
- Compliance with prepaid and fund transfer regulations
- Required disclosures and regulatory reporting
Instead of managing financial infrastructure and legal obligations, you can focus on your service. KOMOJU ensures your payments remain compliant with Japanese law without adding administrative burden to your business.
Compliance Checklist for Video Gaming Companies in Japan
If you’re developing, publishing, or distributing video games or related digital content in Japan, ensure you’re compliant with these key areas:
- Selling in-game currency or downloadable items
- You may be classified as issuing prepaid payment instruments and must notify or register with the Financial Services Agency under the Payment Services Act.
- Holding user balances or enabling peer-to-peer trades
- This could qualify as a funds transfer service, requiring licensing, capital reserves, and audit systems.
- Serving minors or cash-reliant users
- Support prepaid cards and konbini-linked payments to stay compliant and accessible to younger or unbanked demographics.
- Collecting personal data (e.g., player IDs, email addresses, analytics)
- You must comply with the Act on the Protection of Personal Information (APPI), including consent, purpose specification, and breach notification.
- Processing credit card payments
- 3D Secure 2.0 is mandatory for all online transactions as of March 2025.
Credit Cards: Still Japan's Most Important Payment Method
Credit cards remain the dominant cashless option in Japan. In 2024, they accounted for 82.9% of all non-cash transactions, totaling ¥116.9 trillion out of the ¥141.0 trillion cashless total (METI). Despite the rise of QR payments and e-money, most consumers still prefer credit cards, especially for online purchases, subscriptions, and digital goods.
3D Secure 2.0 is Mandatory
As of March 2025, all online businesses in Japan must use 3D Secure 2.0, as recommended by the Ministry of Economy, Trade and Industry (METI). This system verifies cardholder identity during checkout and reduces fraud liability.
Compared to the original version, 3D Secure 2.0 is:
- Mobile-optimized and compatible with in-app purchases
- Biometric-ready, supporting fingerprint and face ID
- Less intrusive, triggering step-up authentication only when necessary
- Better integrated, allowing the process to happen within your app, avoiding suspicious pop-ups or redirects
This improves conversion rates and fraud prevention, which is especially important for digital merchants with high cart abandonment rates.
PCI DSS: Protecting Cardholder Data
Even though it’s not a law, the Payment Card Industry Data Security Standard (PCI DSS) is a critical contractual requirement for anyone processing or storing credit card information. Issued by the major card networks (Visa, Mastercard, JCB, etc.), it ensures a secure environment for handling cardholder data.
To be compliant, businesses must:
- Encrypt card data in transit and at rest
- Maintain secure firewalls and remove default passwords
- Implement access controls and assign unique IDs to staff
- Monitor and log access to all systems
- Regularly test security measures
- Maintain a formal, enforced security policy
The level of PCI DSS compliance depends on your transaction volume. For example, businesses handling fewer than 20,000 card payments per year can complete a Self-Assessment Questionnaire, while larger merchants require external audits and regular vulnerability scans.
Avoiding Risk with KOMOJU
Working with a payment gateway like KOMOJU simplifies this entire process.
KOMOJU:
- Fully supports 3D Secure 2.0
- Is PCI DSS Level v4.0-compliant, so you don’t need to build infrastructure or get certified yourself
- Handles secure card processing and regulatory obligations on your behalf
This means fewer technical requirements on your side and far less liability if things go wrong.
Japan's Data Privacy Law: APPI And Your Business
If your eCommerce store collects data from customers in Japan, you’re subject to the Act on the Protection of Personal Information (APPI)—a law with strict requirements around consent, security, and cross-border data transfers. Whether you’re handling shipping addresses or customer behavior, compliance is not optional, even if your business is based overseas.
You're Responsible—Even from Abroad
Japan’s privacy law applies extraterritorially. If you gather or process personal data from users in Japan—say, for processing payments or sending emails—you must follow APPI rules, regardless of your company’s location.
Vague Policies Won't Cut It
The APPI requires you to specify why you’re collecting data and how you’ll use it. Vague catch-all purposes like “improving services” don’t meet the standard. You also need to make this information easily accessible to users in Japanese.
Handling Data Across Borders
Sending customer data outside Japan, whether to a fulfillment center, analytics tool, or support platform, requires:
- User consent, or
- Adequate safeguards, such as data processing agreements that meet Japan’s legal requirements.
Customers Can Ask You to Stop
Japanese users have clear rights under APPI:
- Access their stored data
- Correct errors
- Request deletion or halt data usage
- You’re legally obligated to respond within strict timeframes.
When Personal Data Is Compromised
Under the APPI, certain data breaches require mandatory reporting—not just to users but also to Japan’s Personal Information Protection Commission (PPC). Failing to do so can trigger fines, business disruption, or even criminal charges.
You must notify the PPC and affected users without delay if:
- The breach involves sensitive personal data (like payment info, passwords, health records)
- It affects 1,000+ individuals
- There’s a risk of financial harm or identity theft
- The breach is likely due to malicious access, such as hacking or unauthorized account use
If a breach meets these criteria, you must:
- File a preliminary notice with the PPC
- Submit a full report within 30 days (60 if caused by an external actor)
- Notify affected users, including details on the leaked data, mitigation steps, and a contact window for questions
Penalties for non-compliance can include:
Up to ¥100 million in corporate fines
- Criminal liability for individuals—up to 2 years imprisonment or ¥1 million in fines
- Public reprimands, which the PPC publishes on its website
KOMOJU Helps You Respond—Not Just Prevent
A breach tests your security, systems, response time, and legal preparedness. KOMOJU helps eCommerce businesses reduce their exposure and react swiftly when incidents occur.
With built-in compliance support, KOMOJU offers:
- Real-time fraud alerts and transaction monitoring
- Tokenized card data and encrypted storage
- API access to transaction logs and refund history—crucial for breach documentation
- Infrastructure and policies aligned with APPI and PCI DSS requirements
- If a data incident occurs, KOMOJU gives you the tools and evidence you need to file reports, notify users, and show regulators you acted responsibly.
Summary
Entering Japan’s digital market involves more than just localizing your storefront or adding yen to your checkout. Every transaction comes with specific compliance requirements, like secure payment processing, proper handling of customer data, and fraud prevention standards. Businesses must now support 3D Secure 2.0 for credit cards, follow clear rules for collecting and storing personal information, and act quickly if there’s a data breach. Missing even one of these steps can lead to blocked payouts, fines, or damage to your reputation.
KOMOJU simplifies this entire process. As a licensed payment provider in Japan, it gives your platform the tools to operate legally, securely, and efficiently from day one. You don’t need to register with the Financial Services Agency, manage PCI DSS audits, or build breach response workflows from scratch. Instead, KOMOJU handles:
- Localized payment options your customers actually use – Konbini payment, PayPay, and more
- Full compliance with prepaid, funds transfer, and electronic money regulations
- Credit card processing with built-in support for 3D Secure 2.0 and PCI DSS Level 1
- Tokenization, real-time fraud monitoring, and transaction logs ready for incident reporting
- Outsourced legal obligations, reducing your regulatory burden
Japan’s digital economy is growing fast, but it’s not plug-and-play. With KOMOJU, you gain a compliant, localized payments infrastructure that’s ready for growth without diverting resources away from your product or customer experience.
FAQ
It depends. If your platform stores customer funds, issues credits, or enables peer-to-peer payments, you may fall under Japan’s Payment Services Act and require registration or a license. Using a provider like KOMOJU can help you avoid needing your own license.
At a minimum, eCommerce businesses in Japan must support 3D Secure 2.0 for credit card payments (as of March 2025) and follow PCI DSS standards for handling card data. If you’re collecting customer information, you’re also required under the Act on the Protection of Personal Information (APPI) to safeguard that data with encryption, access controls, and breach notification protocols.
You risk penalties, including public warnings, fines of up to ¥100 million, and possible criminal liability. Japan’s data privacy law (APPI) applies even to foreign businesses that collect data from users in Japan.
No, but you do need to comply with Japanese regulations. Foreign businesses can operate without a Japanese entity if they work with a licensed payment processor like KOMOJU, which handles regulatory compliance, tax issues, and local payment methods.
If your platform sells stored digital value (like game currency or app credits), depending on the total outstanding balance, you may need to register with the Financial Services Agency or submit a notification. If you’re using KOMOJU’s system, you can have this handled on your behalf.
Chargebacks in Japan are rare compared to other markets. According to Degica, KOMOJU’s parent company, the chargeback rate is less than 0.1%, significantly lower than in the U.S. or Europe. Strong consumer trust and secure payment infrastructure play a major role in keeping fraud and disputes to a minimum.
We help businesses accept payments online.
