Security Initiatives at Mercari Group

Read about what we do at Mercari Group to enhance our security measures and protect your information and assets.


Data Protection

Personal information (telephone number, name, etc.) and payment information that we receive is encrypted in transit.
Data stored on our systems is encrypted or hashed in line with industry best-practice standards.
All access to sensitive data is limited on a need-to-know basis.

Secure Design and Secure Programming


The Security team is available to all employees for consultation on any security concerns or questions they may have, and works closely with them to help resolve these.

Secure Coding Guidelines

Developers are provided with a set of secure coding guidelines based on version 4.0 of the OWASP Application Security Verification Standard (ASVS), to help ensure quality and security in our applications.

Secure Design Review

All major releases undergo a design review by the Product Security team. The Mercari Group follows a shift-left security philosophy and the Security team is involved from the initial stages of the software development lifecycle, ensuring the quality and security of all releases throughout every stage of their development.

Vulnerability Assessment

Pre-release testing

Major releases undergo pre-release testing by the Product Security team.
Testing follows a threat-modelling-based methodology and aims to discover and eliminate potential vulnerabilities, with a focus on the OWASP Top Ten.
Releases that do not meet our strict security standards are not approved for release.

End-to-end Security Testing

The Product Security team carries out end-to-end security testing of services.
The Product Security team also offers an end-to-end security testing automation tool (built and maintained in house) to developers to allow them to discover potential vulnerabilities earlier in the development process.

Automated Vulnerability Scanning

The Product Security team carries out frequent static and dynamic analysis of applications to detect potential vulnerabilities. All vulnerabilities found through this scanning follow our vulnerability management workflow to ensure swift remediation.

Vulnerability Management Workflow

Vulnerabilities found in our applications follow a strict workflow to ensure swift remediation. Vulnerabilities are prioritized using a threat-model-based methodology, and an SLA is agreed with the development teams responsible for remediation, based on the priority and urgency of each vulnerability. The Security team follows up on all vulnerabilities and ensures their timely remediation.

Third Party Penetration Testing

Penetration testing of our application and corporate environment is carried out periodically by certified third-party vendors to ensure an objective evaluation of our security measures and to pick up anything we may have missed in-house.

Security Training

In-house Security Training

All employees take our in-house security training at the time of joining the company, and security training is provided on a regular basis in order to improve employees' awareness.
The Security team also provides various security e-learning courses through the company’s learning management system.

Security Champion Program

In addition to training aimed at all employees, the Security team provides a Security Champion Program aimed at developers.
This program enables developers from each domain team to build hands-on security experience, and take greater responsibility in ensuring the security of their domains.
For more details see the following Mercan article

Threat Monitoring and Handling

Monitoring and Analysis

The Security team monitors systems for various indicators of attack, such as unauthorized access attempts and malware infection. The team responds promptly to significant security events and conducts a thorough investigation of potential threats.
A Security Orchestration, Automation and Response (SOAR) tool (developed and maintained in-house by the Security Engineering team) is used to centralize, monitor, and respond to alerts allowing us to adapt and respond to threats rapidly.


Protecting our users from malicious phishing attacks is a priority.
We work with external organizations and have countermeasures in place to ensure we can take down phishing sites as quickly as possible.

Information Sharing and Cooperation with External Parties

Cyber Bosai Security Awareness Campaign
The Mercari Group takes part in the Cyber Bosai security awareness campaign run annually by LINE, together with other IT industry leaders in Japan including AU, DeNA, NTT Docomo, GREE, Softbank, and Yahoo!

Nippon CSIRT Association Member
The Mercari Group is a member of the Nippon CSIRT Association.

Information Security Policy at Mercari Group
