The Journal The Authority on Global Business in Japan

Seven-Eleven Japan thought using two-factor authentication for its just-released mobile payment feature would be too much of a hassle for users—a gamble that quickly cost the company consumer trust.

In the days after the convenience store chain rolled out 7pay on July 1, hackers made off with more than ¥38 million ($350,000) from unsuspecting accounts. Now, the parent company, Seven & i Holdings Co., Ltd., will shut down the service in its entirety at the end of September.

Part of the service’s draw was its simplicity. All a user had to do was enter a username and password to access their account, a mostly outdated scheme that cyberthieves wasted little time exploiting. The hackers apparently breached 7pay accounts by using lists of usernames and passwords leaked from a website or illegally obtained online.

“Two-factor authentication was not fully considered, which weakened defenses against a list-type attack,” Seven & i Vice President Katsuhiro Goto told reporters on August 1.

Goto was referring to a fairly common technique adopted by banks and other online service providers that involves unique passcodes sent to trusted devices, as well as restrictions against logging in from multiple devices.

7pay was designed as an added function within Seven-Eleven’s official app. The cashless service also served as a vehicle for sales promotions. In that context, a less cumbersome user experience was given higher priority over security.

Given its history, Seven & i should have shown more aware­ness of the importance of digital security. In 2001, the group established what is now Seven Bank, which installed its own ATMs that same year. And in 2007, the retailer was the first in the domestic industry to launch an e-money service, nanaco.

Seven-Eleven was late to the smart­phone payment game, however. The company did not feel much pressure from rivals: it earned an operating profit of ¥245 billion in the last fiscal year ended February, far outstripping the unconsolidated profit of ¥45.7 billion of Lawson, Inc. and the ¥44.2 billion made by FamilyMart Co., Ltd.

Despite its dominance, same-store traffic at Seven-Eleven outlets was underperforming. As a promotional vehicle, 7pay was anticipated to be the cornerstone for analyzing customer data.

The official Seven-Eleven app has more than 12 million downloads. With the integrated 7pay service attracting 1.5 million registered users in the first three days after its launch, it would have had access to a wealth of data.

The growth strategy failed in a high-profile manner, but Seven & i indicated that it will take another stab at the sector. “There is no change to making digital a pillar of growth,” Goto said. “We may have scrapped 7pay, but this field still has potential.”

For Seven & i to achieve success, the company faces the daunting task of winning back trust from consumers.

“I was thankful that I was able to shop without a wallet, but they were really sloppy,” said a 41-year-old company worker in Nagoya. “A shutdown was inevitable.”

The failure of 7pay risks throwing cold water on the spread of smartphone payments in Japan. There are cases where financial groups have offered services that sacrificed ease of use for security. “When the problem of unauthorized use persists, it impacts those of us that do business steadfastly,” said a source close to the smartphone payment industry.

Other companies are learning from the episode. When Makoto Takahashi, president of mobile carrier KDDI Corporation, was asked about his company’s au Pay digital wallet, he struck a cautious tone.

“This relates to us, too. There are many people who are looking for holes in security. We intend to fully maintain security.” 

Seven & i Vice President Katsuhiro Goto (right) acknowledged the security lapses that led to the abrupt decision to scrap 7pay. Photo: Akira Kodaka

The failure of 7pay risks throwing cold water on the spread of smartphone payments in Japan.