Information Security Initiatives

INDEX
Safe & Secure Rakuten’s Service

Rakuten's Approach to Information Security

Secure Software Development Initiatives for Developers

Initiatives to Strengthen Information Security

Security initiatives for Major Services

Countermeasures and what to do in case of an emergency

Security tips to start today

Safe & Secure Rakuten’s Service

1. Rakuten's Approach to Information Security

Rakuten Group provides various services such as online shopping and auction sites. However, there are cases where hackers use our services for criminal activities or harassment. Hackers steal important customer information through means like unauthorized access. They also attempt to deceive customers into divulging important information or money by means like cleverly leading them to malicious sites. The group is continuously implementing various initiatives to ensure the overall safety and security of any of its services.

Rakuten's Approach to Information Security

2. Secure Software Development Initiatives for Developers

At Rakuten Group, security experts are actively involved from the development stage of software and services, providing education and conducting inspections to deliver secure services from the initial release.

Rather than detecting and fixing vulnerabilities—system defects or specification issues that threaten user safety—after the fact, our approach is based on developers creating secure systems without vulnerabilities from the beginning. This forms the foundation of Rakuten's philosophy for creating secure services.

Generally, in information systems like Rakuten's services, defects in systems or issues in specifications that threaten the safety of customers and users are called vulnerabilities. Rakuten is undertaking numerous initiatives to create systems without vulnerabilities. Among them, what we consider most important is our developer education.
At Rakuten, thousands of developers work daily to develop new services. To ensure that all developers acquire sufficient security knowledge and develop with high professional standards, we conduct regular education and testing.

Service Development Process

Rakuten uses the following process to release new services. The following is a step-by-step explanation of the security efforts we are making in response to service development.

Security Education

Among the service development processes, Rakuten considers the education of developers to be the most important. Rakuten provides regular education and examinations to ensure that all developers have sufficient knowledge of security and are motivated to develop with a high level of professionalism. In addition, passing the exam once is not enough. Programmers take the exam again every year. This ensures all programmers maintain their security skills. First, developers must attend an all-day seminar conducted by a security expert.

Security RFP and checklist

Rakuten conducts in-house development as a rule, but we outsource some services. We provide a security RFP and checklist to ensure a constant level of security for subcontractors. By using these checks, security audits after delivery can reduce the number of items that are pointed out. It can also be effective as a security review, allowing system specifications to be reviewed prior to contracting.

Confirming that there are no vulnerabilities caused by the server configuration

  • Preventing password leaks
  • Restricting access
  • Preventing phishing attacks
  • Encrypting information
  • Preventing session hijacking

Security Review

Once the service itself is planned out, we conduct a security review on data handling and specific programming techniques as needed. Its purpose is to review upstream processes from a security standpoint to identify potential problems and risks in advance so that we can perform more secure development.

Vulnerability testing using tools

After coding is completed, we perform quality checks prior to the actual service release.
This serves to find general program and on-screen bugs, but we use tools to test for cross-site scripting, cross-site request forgery and other vulnerabilities.

Security Auditing

At Rakuten, we always conduct a security audit before every service release. Audits are required by our internal regulations. If an audit reveals a vulnerability, the service cannot be released.
Audits are often conducted in-house by audit specialists, though some audits are conducted by specialized security firms.

3. Initiatives to Strengthen Information Security

Rakuten Group is committed to protecting you and your valuable information from unauthorized access, fraud and other information security issues.

Certification to various standards for information security

Prevent unauthorized logins

Safe and secure operation of systems

Certification to various standards for information security

Rakuten Group has established an information security management system based on a variety of standards and obtained various certifications in order to protect our customers' valuable information.

  • ISO/IEC 27001: Information security, cybersecurity and privacy protection — Information security management systems — Requirements
  • PCI DSS: Payment Card Industry Data Security Standard
  • Privacy Mark: System to certify companies that have a system in place to protect personal information. For more information on these initiatives, please see the following:
Aligning with Global Standards

Prevent unauthorized logins

Rakuten Group monitors log-in status to detect unauthorized logins as quickly as possible and prevent further damage to customers. If our monitoring finds signs of an unauthorized login, we reset the user’s password.

This may cause a temporary inconvenience, but we hope you will understand that this is a necessary measure to prevent further damage to you.

Safe and secure operation of systems

Rakuten has also established several measures in its daily system operations to prevent security incidents.

About Rakuten's System

With thousands of servers running on Rakuten's Web services, it’s no exaggeration to say that they’re constantly exposed to threats on the Internet. It’s no easy task to maintain the security of Rakuten's massive system. But all of our employees work hard every day to provide safe and secure services to our customers with their abundant security knowledge. This page introduces how Rakuten operates its systems safely and securely.

  • About Rakuten-CERT
    Rakuten uses the following process to release new services.
  • Rakuten-CERT Organization Chart
    One of the important roles of Rakuten-CERT is to serve as an intermediary for information exchange with external parties.
    The development of information sharing within our company is a very important function, of course, but we also transcend our business interests to share information about computer security with other companies.
    As a part of these activities, Rakuten-CERT is a member of the Japan CSIRT Council and FIRST (Forum of Incident Response and Security Teams) and actively exchanges information with external parties.
  • The Future of Rakuten: CERT
    Rakuten will expand its business not only in Japan but also in other countries around the world. We plan to incorporate the framework of Rakuten-CERT at branch offices and group companies in each country to establish a global information exchange and improve our incident response.
  • Management and Application of Vulnerability Information
    Every day, vulnerabilities are discovered in all kinds of applications and devices. Rakuten collects publicly available vulnerability information on a daily basis and contacts the relevant security personnel, who are also members of Rakuten-CERT, about vulnerabilities that we believe must be addressed. We then give appropriate instructions on conducting investigations and take action accordingly. Vulnerabilities that we believe must be addressed are scheduled and managed by the Rakuten-CERT office, and we provide support for them until they are resolved.

4. Security initiatives for Major Services

TFor more information on these initiatives, please see the following:

Rakuten Ichiba is implementing the Rakuten Group information security initiative so that our customers can enjoy a safe and secure shopping experience.

Rakuten Ichiba Security initiatives (Japanese only)

Stores are required to take our Information Security Test before opening a new store on Rakuten Ichiba. They cannot open if they don’t pass the test. We’re also striving to have each store publish a privacy policy and to hire and advertise store security managers to ensure that customers can enjoy online shopping with peace of mind. Another way we ensure that customers can feel safe shopping with us is our anti-counterfeit measures. We provide refunds in the event that customers are sold counterfeit goods.

Refunds for counterfeit goods1 (Japanese only)

Rakuten Rakuma is implementing various initiatives to provide customers with a comfortable, secure buying experience.

Rakuma's safety and security initiatives (Japanese only)

Rakuten Card is ISMS certified.

Rakuten Card ISMS certification (Japanese only)

This section presents security information about how Rakuten Bank endeavors to make your time at the bank and using our online services enjoyable and safe.

Rakuten Bank security (Japanese only)

This section presents the security measures we use to ensure safe and secure transactions for our customers. It also presents links to financial crime statistics and cases.

Rakuten Securities security (Japanese only)

This section summarizes the security measures that Rakuten Mobile recommends.

Rakuten Mobile information security policy (Japanese only)

Countermeasures and what to do in case of an emergency

1. Security tips to start today

The Rakuten Group provides many different services, including online shopping and auction sites. With the development of various technologies, there’s a risk that hackers may use online services for criminal activities or harassment. Hackers steal important customer information through means like unauthorized access. They also attempt to deceive customers into divulging important information or money by means like cleverly leading them to malicious sites.

This section provides information on what our customers should watch for on a daily basis to avoid problems when they use our online services. It also provides information on what to do if they become a victim.

Combating Fake Sites and Emails

Strengthening Your Security Measures for Login

When you suspect unauthorized login or fraud

Combating Fake Sites and Emails

Strengthening Your Security Measures for Login

When you suspect unauthorized login or fraud

Combating Fake Sites and Emails

Take the following measures to prevent unauthorized logins to your account by third parties as much as possible.

Beware of fake websites

To shop at Rakuten, please visit https://www.rakuten.co.jp. There’s an endless amount of attempts to steal customers' valuable information or cheat them out of their money by directing them to websites that look just like the real thing.
There’s an endless amount of attempts to steal customers' valuable information or cheat them out of their money by directing them to websites that look just like the real thing.

Ministry of Internal Affairs and Communications "Information Security Site for Citizens" (Japanese only)
STOP. THINK. CONNECT. (Japanese only)

Beware of suspicious emails and messages

Beware of messages pretending to be from real people or from people you know that direct you to malicious services, emails with attachments containing viruses, and messages on social media platforms directing you to malicious sites.
Your personal information could be stolen or you could be charged a large sum of money. It may be difficult to tell, but if the message is written in an unusual way or has a strange attachment, please contact the sender directly first.

Combating spoofing and phishing emails at Rakuten Group

Help section for each of our services regarding suspicious emails and SMS

Suspicious social media posts claiming to be from Rakuten Customer Service (Japanese only)
Suspicious emails claiming to be from Rakuten Ichiba (Japanese only)
Suspicious email claiming to be from Rakuten Card (Japanese only)
About the new Rakuten Group login screen (Japanese only)

Strengthening Your Security Measures for Login

The Rakuten Group provides many different services, including online shopping and auction sites. With the development of various technologies, there’s a risk that hackers may use online services for criminal activities or harassment. Hackers steal important customer information through means like unauthorized access. They also attempt to deceive customers into divulging important information or money by means like cleverly leading them to malicious sites. Hackers steal important customer information through means like unauthorized access. They also attempt to deceive customers into divulging important information or money by means like cleverly leading them to malicious sites.

Strengthening Your Security Measures for Login

The Rakuten Group provides many different services, including online shopping and auction sites. With the development of various technologies, there’s a risk that hackers may use online services for criminal activities or harassment. Hackers steal important customer information through means like unauthorized access. They also attempt to deceive customers into divulging important information or money by means like cleverly leading them to malicious sites. Hackers steal important customer information through means like unauthorized access. They also attempt to deceive customers into divulging important information or money by means like cleverly leading them to malicious sites.

Don’t reuse the same password

Please use a password for Rakuten Member ID that you are not using for any other services.
It is very dangerous to use the same password for multiple online services. Recently, there have been many cases of accounts getting hacked using lists of IDs and passwords obtained through various means.
If an unauthorized third party logs in, they can not only view and change your member information, they can also purchase products in your name. Please use a password for Rakuten Member ID that you are not using for any other services.

STOP!! Don’t reuse passwords!! (Japanese only)

Strengthen your passwords

Use a password that is as complex as possible and that is al so difficult for others to guess.
Using a complex password that includes alphanumeric characters and symbols makes it as difficult as possible for hackers to guess your password and break into your account.
Rakuten Group provides a feature that measures the strength of your password during member registration or whenever you change your password.

The gauge changes between low, medium-low, medium and high, depending on the password you set.
We recommended setting a password with as high a rating as possible.

Be careful when using a shared device

Always log out at the end of every session when using a computer or tablet that you share with anyone else, such as at home, at work or at an Internet cafe. Log in using the incognito mode of your browser to prevent unauthorized access by hackers.

Even if you log in using incognito mode, please remember to log out or close the relevant window when you’re done.
If you remain logged in, the personal information you registered may be seen and used.
It’s even safer to also delete your browsing history and clear your browser’s cache.

*If you have any questions about how to set up your browser or about other browser settings, please check your browser's help section or contact the browser company.

*If you open the login screen from a smartphone app (one of Rakuten's apps or social media apps such as LINE, Facebook, Twitter, Instagram, etc.), the in-app browser displays the information. In this case, you can’t use incognito mode. To use incognito mode, please use a browser such as Chrome or Safari.

Using incognito mode (Japanese only)

Enhanced login security

Cybercrime is becoming more sophisticated every year. Review passwords that you set several years ago and check if they are easy to guess or if they are being used for other services. If you have received an email from Rakuten titled "It has been a long time since you changed your password," please see this help page and consider taking action. (Japanese only)

Criminals who have obtained your ID and password through some means can continue to access your account without your knowledge. If you don’t change your passwords for a long time, you won’t be able to stop this kind of unauthorized access, because you haven’t replaced the compromised password.

We recommend that you check your current password and set a strong one that is difficult for a malicious user to guess.

Password reset (Japanese only)

Watch for unauthorized logins

Set up login history, login alerts and card usage notification emails so that you are immediately notified if something happensYou can minimize the damage if you notice an unauthorized login early. Always be on the lookout for unauthorized logins.
Rakuten Group provides you with the ability to check login information at any time.

How to view your login history (Japanese only)
How to use login alerts (Japanese only)
Card usage notification emails (Japanese only)

When you suspect unauthorized login or fraud

If you identify unusual activities, such as unknown users accessing your account, please contact us as follows.

Please be cautious in following cases

  • If you receive a password-reset email at an already-registered email address, an email notifying you about an address change or order that you don't remember If you see an unrecognized login in your login history, login alerts, etc.
  • Please follow the following instructions.

If you find what seems to be an unauthorized login or fraud

If you find usage history or orders that you don't remember