Mul-Pay is the payment gateway and aggregator operated by GMO Payment Gateway, Inc., one of the largest payment service providers in Japan. It exposes a hosted payment page on the mul-pay.jp domain that processes credit card and alternative payments server-side. Cookies are written only on the payment domain during the transaction, are strictly necessary, and benefit from the EU Japan adequacy decision for any GDPR transfer.
Mul-Pay is the unified payment gateway service operated by GMO Payment Gateway, Inc., one of the largest payment service providers in Japan. It supports credit card processing, convenience store payments, bank transfers, Pay-easy, carrier billing and a range of Japanese e-wallets. Integration with the merchant site is done either through a server-side API call to mul-pay.jp or by redirecting the buyer to a hosted payment page on the gateway domain. In both cases the sensitive card data never reaches the merchant: it is captured on the GMO PG environment that holds a PCI DSS Level 1 attestation.
Cookies are written exclusively on the mul-pay.jp domain during the payment step and are all strictly necessary: a session identifier that links the form submission to the transaction record, a CSRF token that prevents request forgery, and a short lived security token used by the 3D Secure flow when the issuer requires it. No advertising, analytics or persistent tracking cookies are set by Mul-Pay. The data exchanged includes the transaction amount, currency, masked card details, the cryptogram and, for some payment methods, the buyer name and contact details required for fraud screening.
The cookies dropped during the payment step qualify as strictly necessary under ePrivacy Article 5(3) because they are required to provide the payment service explicitly requested by the buyer, namely the secure processing of the transaction. They do not require consent and merchants should not block them through a CMP. The processing of card and transaction data relies on the performance of the contract (Art. 6(1)(b) GDPR) and on legal obligations linked to PCI DSS, anti money laundering and Japanese financial regulations (Art. 6(1)(c)). GMO Payment Gateway acts as an independent controller for fraud monitoring data and as a processor for transaction execution on behalf of the merchant.
Japan was granted a full adequacy decision by the European Commission in January 2019, renewed in 2024, that recognises Japanese law as essentially equivalent to GDPR. Transfers of EU personal data to Mul-Pay therefore do not require Standard Contractual Clauses or a Transfer Impact Assessment. Merchants must, however, ensure that the supplementary rules adopted by the Japanese Personal Information Protection Commission (PPC) are referenced in the contract and are honoured by GMO Payment Gateway. APPI, the Japanese data protection law, applies on the local side and imposes its own obligations on the gateway.
Because the cookies are strictly necessary and the transfer relies on adequacy, the consent threshold is not crossed for the payment step itself. A DPIA is rarely required for the payment integration alone but the gateway should be referenced in the broader DPIA covering the e-commerce stack. PCI DSS Level 1 controls, 3D Secure 2 enforcement on EU cards, encryption in transit, tokenisation of card numbers, and clear retention rules for transaction metadata (typically 5 to 10 years for tax and AML purposes) are the core safeguards to document.
Sign the GMO Payment Gateway DPA, reference the EU Japan adequacy decision in the privacy notice and list mul-pay.jp in the cookie policy as the payment domain. Configure the CMP so that the gateway is never blocked, and provide a clear notice in the checkout flow that the buyer is redirected to a Japanese processor. Enforce 3D Secure 2 to comply with PSD2 SCA when the issuer is in the EEA. Document the retention policy for tokens and transaction logs separately from marketing data.
DPIA considerations
A DPIA is normally not required for the payment step alone because Mul-Pay processes a limited dataset for a defined contractual purpose, on Japanese infrastructure covered by the EU adequacy decision. The merchant must, however, document the data flow in the records of processing, the retention of transaction metadata for PCI DSS and AML purposes (typically 5 to 10 years), and the sub processors used by GMO Payment Gateway. If 3D Secure is invoked, the issuing bank participates as an additional processor.
Sample consent text
When you reach the payment step you are redirected to the secure Mul-Pay gateway operated by GMO Payment Gateway in Japan. The cookies set on the Mul-Pay page are strictly necessary to process your payment safely and to prevent fraud, and they do not require consent. Card data is never stored by the merchant; it is processed under PCI DSS by Mul-Pay and transferred from the EU to Japan on the basis of the EU Japan adequacy decision.
Third-party domains contacted
mul-pay.jp
p01.mul-pay.jp
p02.mul-pay.jp
gmopg.jp
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| MULPAY_SESSION | strictly-necessary | Session | Session identifier set on mul-pay.jp that links the buyer payment form to the transaction record. Required to deliver the payment service requested by the buyer. |
| XSRF-TOKEN | strictly-necessary | Session | CSRF token used to validate form submissions on the Mul-Pay hosted payment page and prevent request forgery. |
| mulpay_3ds | strictly-necessary | 15 minutes | Short lived token used during the 3-D Secure 2 challenge flow to bind the issuer authentication step to the original transaction. |
Mul-Pay writes only strictly necessary cookies on the mul-pay.jp domain during the payment flow: a session identifier that ties the buyer to the transaction record, an XSRF token for CSRF protection on the hosted payment page and a short lived 3-D Secure token when the issuer requires strong authentication. No advertising, analytics or persistent tracking cookies are set.
No. The cookies set on the Mul-Pay payment page are strictly necessary to process the payment transaction explicitly requested by the buyer. Under ePrivacy Article 5(3) they are exempt from consent. The merchant should not block the Mul-Pay domain through the CMP because that would prevent the payment from completing.
Performance of a contract (Art. 6(1)(b) GDPR) is the primary basis for processing the payment: without it, the merchant cannot deliver the purchase. Legal obligations (Art. 6(1)(c) GDPR) cover PCI DSS, anti money laundering record keeping and Japanese financial regulations. Legitimate interest (Art. 6(1)(f)) can support fraud monitoring carried out independently by GMO Payment Gateway.
Japan benefits from a European Commission adequacy decision adopted in January 2019 and renewed in 2024. Transfers to Mul-Pay are therefore lawful without Standard Contractual Clauses and without a Transfer Impact Assessment. The merchant should still reference the adequacy decision in the privacy notice and ensure the supplementary rules adopted by the Japanese Personal Information Protection Commission are respected by GMO Payment Gateway.
A DPIA is rarely required for the payment integration alone because the dataset is limited, the purpose is well defined, and the destination country benefits from an adequacy decision. Mul-Pay should still be referenced in the DPIA covering the broader e-commerce stack and in the Article 30 records. Document the retention of transaction metadata (typically 5 to 10 years for tax and AML) and the sub processor list provided by GMO Payment Gateway.
Use the server to server API when possible to keep card data entirely on the GMO Payment Gateway side, or use the hosted payment page with HTTPS and a clear visual notice that the buyer is redirected to a Japanese processor. Sign the DPA with GMO Payment Gateway, list mul-pay.jp in the cookie policy as the payment domain, and never block the gateway through the CMP. Enforce 3-D Secure 2 to satisfy PSD2 SCA requirements when the issuer is in the EEA.
Yes. Adyen (Netherlands), Mollie (Netherlands), Worldline (France), Nexi (Italy) and Stripe Europe (Ireland) are EU based payment processors covering similar feature sets. They are usually preferred for purely EU based commerce because they remove any third country dimension. Mul-Pay remains the natural choice when the target market is Japan and the buyer expects Japan specific payment methods such as Konbini or Pay-easy.
List Mul-Pay as the payment gateway operated by GMO Payment Gateway, Inc. on the mul-pay.jp domain, classify its cookies as strictly necessary, and reference the EU Japan adequacy decision in the international transfers section. Note that payment cookies are only set during the checkout flow, that they are not accessible to the merchant, and that the buyer can review the gateway privacy policy on the Mul-Pay website.