Information Security Policy at Mercari Group

Read about our basic policy on information security and learn about the information security management structure we implement.

Structure

We recognize that information security management is essential to the successful operation of our services. It forms the foundation for earning and maintaining the trust of our customers, business partners, and stakeholders. To uphold this commitment, we have established a comprehensive Information Security Policy designed to support and implement effective structures for safeguarding information.

Information Security Management Organization

Information security management organization chart

In order to drive information security measures encompassing all companies in the group, we established an Information Security Committee and have appointed a Chief Information Security Officer (CISO). We also assign a Person Responsible for Information Management in each Division to ensure appropriate decision-making and implementation of relevant policies. Through this, we have built an organization that can carry out information security measures swiftly, broadly, and effectively.

Employing and Maintaining Information Security Policies

We maintain comprehensive security policies covering areas including encryption, asset management, application security, and physical security. These policies are routinely reviewed and updated to reflect emerging threats and ensure compliance with regulatory requirements.

Identifying and Managing Security Risks

Our critical assets, processes, and systems undergo annual risk assessments to ensure the identification and appropriate handling of risks. We also maintain a security risk management process and a security risk register to manage and follow up on security risks identified through our activities.

Supply Chain Risk Management

Our team assesses the security posture of the external tools and external parties we utilize, ensuring they meet security and data protection requirements.

Managing Information Assets Appropriately

We classify information assets according to their confidentiality level, and manage information assets appropriately according to their sensitivity in order to ensure their confidentiality, integrity, and availability.

Managing Access Control

We conduct periodic access reviews to confirm that access to systems is aligned with the principles of need-to-know and least privilege, to ensure that all access remains appropriate, and to revoke any unused access or permissions.

Improving Information Security Literacy

We continuously work to educate all employees about information security via a comprehensive security and privacy education and awareness curriculum, including onboarding and annual refresher training, delivered via multiple channels. Our education and awareness activities and content are updated annually to align with the most current recommendations and best practices.

Abiding by Laws and Ordinances

We follow applicable laws and regulations, as well as contracts and agreements made with users, business partners, and employees.

Continuously Improving

Mercari Group strives to continuously improve information security by periodically evaluating and reviewing the above initiatives.

Compliance with Information Security Standards

Certifications

  • ISO/IEC 27001:2022 
  • PCI DSS
    • Merpay (Mercard and Virtual Card)
    • Mercari JP Marketplace
    • Mercari US Marketplace
  • MASA
    • Tested by an independent third-party: NowSecure

Reporting a Vulnerability
