Cyber Security and Personal Data Privacy Protection

momo has long worked to implement information security and privacy protection. In November 2009, we obtained ISO 27001 information security certification from SGS Taiwan and have continued to renew our certification every three years. In 2021, we expanded the scope of our re-certification process to include our logistics business. This will ensure that consumer details are highly protected with multiple layers of information security, and it will maintain the validity of our certification.

Cybersecurity Governance

The Information Security Committee was set up by momo in 2009 to develop information security operations. To control and supervise information security risks and to strengthen the competence of the Board, an “Information Security Management Committee” was established under the Board of Directors in 2020. The “Information Security and Personal Information Protection Management Review Committee”, set up as a requirement of ISO 27001 and BS 10012, was renamed the “Information Security and Privacy Protection Working Team.” The working team reports the results during the year to the “Information Security Management Committee”, in accordance with the articles of the ISO and BS management systems. To integrate our information security management and personal information management system standards, when the certifications came up for renewal in 2021, we moved from BS 10012 to the ISO 27701 standard to maintain the validity of our certification. We passed the continuity certification on May 25, 2022, and have maintained the validity of the certificate every year since.

Cybersecurity and Management

Cybersecurity Risk Identification, Assessment and Exercises

The Information Security and Privacy Protection Working Team conducts a risk assessment of information security and system assets every year. Aspects assessed include confidentiality, integrity, probability and compliance. Suitable control and response mechanisms are established for high risks, and business continuity exercise plans are developed for core IT systems and new equipment. Annual exercises are held to manage business risks. The computer storage system hardware and data communications links within momo data centers are managed directly by momo. High-traffic activities are assessed every year to deliver faster processing speeds, shorten page loading times, and strengthen the overall infrastructure.

Information Security Education and Training

momo employees and executives complete 4 hours of online security courses and tests per year, information staff at least 6 hours per year, and information security staff at least 16 hours per year, supplemented by occasional information training courses.

Information Security Incident Reporting

momo defined the “Information Security Incident Reporting Guidelines” for reporting and handling information security incidents. The guidelines cover ownership, incident classification, reporting procedure, assessment and decision-making. The IT unit must troubleshoot and resolve information security events within the target processing time. Root cause analysis and corrective actions must be adopted once the incident has been resolved to prevent any further recurrence. There were no information security incidents in 2022.

Privacy Protection

momo strives to enforce proper information security and protection of personal information, safeguarding both the Company’s information security and consumers’ peace of mind when shopping online. We passed ISO 27001 and ISO 27701 on May 25, 2022, and maintain the validity of the certificate every year. momo has developed a comprehensive system to protect customers’ personal information as well as confidential and sensitive data. To prevent internal leaks, the Information Security and Privacy Protection Working Team conducts at least two internal audits every year to confirm that operating guidelines are being followed by our personnel. We continue to refine the security design and continually monitor the system structure. Protective measures, such as network partitioning, access control, internal/external weak point management, and intrusion detection, enhance system reliability.

momo Privacy Policy

To protect consumer privacy, a “Privacy Policy” section on the momo website details how we collect, process, use and manage consumer data. When consumers are contacted about our marketing activities, the event page details the channel and contact method for indicating that they no longer wish to receive momo marketing services. In addition to complying with the “Personal Information Protection Act” of R.O.C. and related regulations, momo also drew up the “Information Security Incident Reporting Guidelines” and “Personal and Sensitive Information Security Protection Guidelines.” Every person must have proper authorization in order to process and use essential data.

As of December 31, 2022, momo has not introduced rules requiring an opt-out option for the collection of personal information that requires or does not require consent. We did not share, sell, rent or otherwise distribute data or information to any third party. All personal information is currently encrypted. Information is retained for five years in accordance with government regulations and operating guidelines. Customer information is not used for retargeting either.

Customer Personal Information Management

In 2022, there were no personal data security incidents affecting consumers' rights. However, to cope with the trend of personal data cases in Taiwan, we have been taking several measures to enhance personal data protection, including stopping the sending of OTP emails and setting up multiple identity and device verification mechanisms. We are also updating our anti-fraud campaigns on our website to keep consumers informed of the latest fraudulent tricks to protect their personal data.

PCI DSS: Protect Transaction Safety during Electronic Payment by Consumers

As the leader in Taiwan's e-commerce sector, momo handles more than one million credit card transactions per year and is expected to abide by the Payment Card Industry Data Security Standard (PCI DSS) as required by card issuers and acquirers to ensure the security of electronic payment transactions. We completed the Level 2 self-evaluation questionnaire in Q1 2019. Because of continued business growth, with over 6 million card transactions, the Payment Card Industry Security Standards Council (PCI SSC) then required us to acquire a Level 1 field audit compliance report after 2020. Our last compliance report was obtained on March 17, 2022. An on-site audit is conducted every year by a conformity assessment body to confirm our compliance with the PCI DSS, and a compliance report is submitted.

3D Verification for Credit Cards: Reduce Risk of Fraudulent Transactions

momo has begun introducing 3D verification for credit cards to reduce the risk of fraudulent transactions for consumers. The service is an information security verification mechanism launched by international card-issuing organizations such as Visa and MasterCard. The service ensures that consumers use their own credit card to make payments when shopping online. This provides enhanced security, doubles the protection, and effectively reduces the risk of fraud.

When a consumer uses a credit card issued by a bank offering 3D verification services on the momo shopping network to conduct special product transactions, the online payment process is forwarded to the card-issuing bank and a verification code is requested. The code will vary depending on the card-issuing bank and may consist of a One-Time Password (OTP) or fixed password. Once the processing bank confirms with the international credit card certification system and card-issuing bank that the data and password are correct, the credit card transaction is complete. Moreover, a "Bonus Payment Biometric Project" was rolled out in 2022 to enhance transaction security by adding a biometric function when consumers choose to pay with bonuses/momo coins.
(Note) “Special products” refers to products that match the risk management conditions issued by the momo Finance Department.

Logistics Staff Safe Call: Number Hiding on Home Delivery Bills

momo introduced the “Logistics Staff Safe Call” in 2021. Consumer telephone numbers are encoded and personal details, such as consumer name, telephone number and address details on the home delivery bill, are hidden. In 2022, we continued to extend the scope of service, ranging from factory orders shipped by suppliers to orders shipped by outsourced own warehouses, and in 2023, we expect to introduce a system to encode the phone numbers of consumers who return goods. momo's goal is to eliminate the possibility of leakage of personal information in the logistics and distribution channels, so that consumers can enjoy shopping on the momo platform with greater confidence.