We recognize that information security management is essential to the successful operation of our services. It forms the foundation for earning and maintaining the trust of our customers, business partners, and stakeholders. To uphold this commitment, we have established a comprehensive Information Security Policy designed to support and implement effective structures for safeguarding information.
Information Security Management Organization

To drive information security measures across all companies in the group, we have established an Information Security Committee and appointed a Chief Information Security Officer (CISO). We also assign a Person Responsible for Information Management in each Division to ensure appropriate decision-making and implementation of relevant policies. Through this, we have built an organization that can carry out information security measures swiftly, broadly, and effectively.
Employing and Maintaining Information Security Policies
We maintain comprehensive security policies covering areas including encryption, asset management, application security, and physical security. These policies are routinely reviewed and updated to reflect emerging threats and ensure compliance with regulatory requirements.
Identifying and Managing Security Risks
Our critical assets, processes, and systems undergo annual risk assessments to ensure the identification and appropriate handling of risks. We also maintain a security risk management process and a security risk register to manage and follow up on security risks identified through our activities.
Supply Chain Risk Management
Our team assesses the security posture of the external tools and external parties we utilize, ensuring they meet security and data protection requirements.
Managing Information Assets Appropriately
We classify information assets according to their confidentiality level, and manage information assets appropriately according to their sensitivity in order to ensure their confidentiality, integrity, and availability.
Managing Access Control
We conduct periodic access reviews to confirm that access to systems is aligned with the principles of need-to-know and least privilege. These reviews ensure that all access remains appropriate, and we revoke any unused access or permissions.
Improving Information Security Literacy
We continuously work to educate all employees about information security via a comprehensive security and privacy education and awareness curriculum, including onboarding and annual refresher training, delivered via multiple channels. Our education and awareness activities and content are updated annually to align with the most current recommendations and best practices.
Abiding by Laws and Ordinances
We follow applicable laws and regulations, as well as contracts and agreements made with users, business partners, and employees.
Continuously Improving
Mercari Group strives to continuously improve information security by periodically evaluating and reviewing the above initiatives.
Compliance with Information Security Standards
Certifications
- ISO/IEC 27001:2022
  - Merpay (Certificate number: IS 800079)
- PCI DSS
  - Merpay (Mercard and Virtual Card)
  - Mercari JP Marketplace
  - Mercari US Marketplace
- MASA
  - Tested by an independent third-party: NowSecure