momo has been committed to implementing information security and personal data protection controls for a long time. In November 2009, it passed the SGS international certification and obtained the ISO 27001 Information Security Management System certification, with regular annual audits and a re-certification every three years. In 2023, the electronic invoice operation and management process of the National Taxation Bureau' s Value-Added Service Center was included in the scope of certification. In 2024, the transition of the 2022 version was completed to ensure that consumer data is protected at the highest standards under multi-layered information security controls.
Cybersecurity Management Mechanism
In 2009, momo established the "Information Security Committee", responsible for promoting information security operations. To strengthen personal data protection, in 2018, the Information Security Committee was renamed the "Information Security and Personal Data Protection Management Review Committee", which continues to regularly review information security and personal data protection policies and promote their implementation.
In 2020, to strengthen control and supervision of information security risks and enhance the functions of the Board of Directors, the "Information Security Management Committee" was established under the Board of Directors. The "Information Security and Personal Data Protection Management Review Committee", originally established in accordance with ISO 27001 and ISO 27701, was renamed the "Information Security and Personal Data Protection Task Force". The organization continues to comply with the provisions of the ISO management system and reports the annual execution results to the "Information Security Management Committee".
In 2021, to comply with cybersecurity regulations and enhance information security and personal data protection management, our company established a Chief Information Security Officer (CISO) position and a dedicated information security unit. The CISO serves as the convener of the Information Security and Privacy Protection Working Team, responsible for reviewing the information security management system, technology, resource allocation, risk management, and achieving performance objectives.
Information security and Management
Information Security Education and Training
Company-wide information security education and training are promoted with 1 announcement per week and a total of 4 courses per year. All 100% of current employees at momo have completed the online courses and passed the tests.
Information Security Incident Reporting
momo defined the "Information Security Incident Reporting Guidelines" for reporting and handling information security incidents. The guidelines cover ownership, incident classification, reporting procedure, assessment and decision-making. The IT unit must troubleshoot and resolve information security events within the target processing time. Root cause analysis and corrective actions must be adopted once the incident has been resolved to prevent any further recurrence. There were no incidents related to information security or personal data breaches in 2024.
Customer Privacy Protection
momo is committed to implementing information security and personal data protection controls. To ensure the company' s information security and provide consumers with confidence in online shopping, in 2024, momo completed the transition to the ISO 27001 Information Security Management System (2022 version) and the recertification of the ISO 27701 Personal Data Management System. The certifications were successfully passed on May 29, 2024, and the Company will continue to maintain the validity of these certificates annually thereafter. momo has developed a comprehensive system to protect customer' s personal information, and confidential and sensitive data. To prevent internal leaks, the Information Security and Privacy Protection Working Team conducts at least two internal audits every year to confirm that operating guidelines are being followed by our personnel. We continue to refine the security design and continually monitor the system structure. Protective measures, such as network partitioning, access control, internal/external weak point management, and intrusion detection, enhance system reliability.
• momo Privacy Policy
To safeguard consumer privacy and implement personal data protection and management, momo' s official website has a dedicated "Privacy Policy" section. This section elaborates on the collection, processing, utilization, and management of consumer data, all of which adhere to the "Personal Information Protection Act" of the R.O.C. and related legal regulations. momo has also clearly established norms such as the "Information Security Incident Reporting Guidelines", "Personal and Sensitive Information Security Protection Guidelines", and "Personal Data File Security Maintenance Plan". These norms require strict adherence by anyone involved, including the company itself, all personnel, suppliers, entrusted agents, external consultants, and other cooperating parties. All individuals are obligated to follow designated authorization regulations when handling and utilizing necessary data to effectively protect personal data and rights.
As of December 31, 2024, momo has not sold, rented, or otherwise distributed data or information to third parties. All personal data are properly managed and protected, with a retention period of five years in accordance with legal regulations and operational standards.
• Customer Personal Information Management
In 2024, no personal data security incidents affecting consumer rights occurred. To cope with the trend of personal data cases in Taiwan, we have been taking several measures to enhance personal data protection, including stopping the sending of OTP emails and setting up multiple identity and device verification mechanisms. Simultaneously, 23 anti-fraud campaigns have been continuously updated on the website (with a total of 165,412 views). In addition, momo collaborated with the New Taipei City Women and Children Protection Brigade to conduct live broadcasts to educate consumers on fraud prevention, enabling them to stay informed about the latest scam tactics and protect their personal data security.
• PCI DSS Protect Transaction Safety during Electronic Payment by Consumers
momo, as the leading e-commerce company in Taiwan, processes over one million credit card transactions annually. In compliance with the requirements of card-issuing institutions and acquiring banks, it adheres to the Payment Card Industry Data Security Standard (PCI DSS) to ensure the security of cardholder information. Since completing the Level 2 self- evaluation questionnaire in Q1 2019, we were required by the Payment Card Industry Security Standards Council (PCI SSC) to acquire a Level 1 field audit compliance report after 2020 due to continued business growth with over 6 million card transactions. Our last seller compliance report was obtained on March 21, 2024, and thereafter an annual on-site audit is conducted by a conformity assessment body every year to confirm our compliance with the PCI DSS with a compliance report submitted.
• 3D Verification for Credit Cards - Reduce Risk of Fraudulent Transactions
momo has begun introducing 3D verification for credit cards to reduce the risk of fraudulent transactions for consumers. The service is an information security verification mechanism launched by international card-issuing organizations such as Visa and MasterCard. The service ensures that consumers use their own credit card to make payments when shopping online. This provides enhanced security, doubles the protection, and effectively reduces the risk of fraud.
When a consumer uses a credit card issued by a bank offering 3D verification services on the momo shopping network to conduct special product transactions, the online payment process is forwarded to the card-issuing bank and a verification code is requested. The code will vary depending on the card issuing bank and may consist of a One-Time Password (OTP) or fixed password. Once the processing bank confirms with the international credit card certification system and card- issuing bank that the data and password are correct, the credit card transactions is complete.
Moreover, a "Bonus Payment Biometric Project" was rolled out in 2022, adding a biometric function when consumers choose to pay with bonuses/momo coins. In 2023, further expansion of biometric authentication functionality was implemented, allowing for biometric authentication during transactions involving specific products to enhance transaction security.
• Logistics Staff Safe Call: Number-Hiding on Home Delivery Bills
Since 2021, momo has implemented the "Logistics Staff Safe Call" service, which converts consumers' phone numbers into codes and simultaneously masks consumers' names, phone numbers, and addresses on delivery orders to protect personal information. Starting in 2022, the scope of implementation was expanded from supplier shipment factory orders to include orders shipped from outsourced proprietary warehouses. In 2023, the mechanism for coding consumers' phone numbers for returns was further extended, and by 2024, the implementation of this system will be completed in cooperation with logistics companies handling returns. Additionally, momo simultaneously applied to implement the Ministry of Digital Development' s "2024 Digital Trust Field Service On-Site Verification Project" and successfully passed the review and completed the execution with the "momo Secure Return Service Implementation". As of the end of 2024, the rate of suppliers adopting the "Logistics Staff Safe Call" service has reached 99.5%, and the return and recycling orders have also completed the implementation of the "momo Safe Return Service". momo' s goal is to eliminate the possibility of leakage of personal information in the logistics and distribution channels, so that consumers can enjoy shopping on the momo platform with greater confidence.