Information Security
Rakuten's Approach
While the internet has enhanced convenience and become indispensable social infrastructure, it has also led to issues such as personal information leaks, fraud, and privacy violations. There is growing public demand for solutions to these issues for the establishment of a secure and resilient IT society.
Rakuten Group provides a wide range of online and offline services, including e-commerce, fintech, digital content and communications. The informational assets we manage, such as personal data obtained through these services, as well as the hardware and software that support our systems are essential to our operations. Protecting and managing these assets is a top management priority. We are continuously strengthening our information security efforts to safeguard the trust of our stakeholders.
Please see here for more information on our information security efforts.
Rakuten’s Group CISO is responsible for ensuring the secure management and operations of information and data by establishing common rules applicable to all Group organizations, from an information security perspective.
Information Security Basic Policy
- Establishment of the information security management system
  Build an information security management system under a management-team initiative and strive to enhance and maintain information security.
- Appropriate management of information assets
  Recognize the importance of information assets held, evaluate risks and properly manage these assets.
- Establishing regulations for ensuring information security
  Establish regulations and other guidelines for ensuring information security and thoroughly extending these to all related persons.
- Compliance with laws and norms
  Comply with all laws and norms related to information security.
- Continuous improvement
  Implement audits on a regular basis and continuously improve our information security management system.
Our common rules related to information security cover a wide range of areas, including but not limited to the definition of responsibilities of information security officers and all employees regardless of employment type; security awareness and training; data integrity and protection; threat monitoring and response; third-party management; and incident response.
Management System
We strive to strengthen information security governance by promoting consistent policies and values across the Group, from management to employees. The Rakuten Group Information Security & Privacy Committee, chaired by the Group CISO (Chief Information Security Officer), is held monthly to report on and decide matters related to policy implementation and recent incidents. Yoshito Naganuma, an Audit & Supervisory Board Member of Rakuten Group who has information security expertise, gained notably through his past position as the CISO of Rakuten Edy, attends the committee meetings as a corporate auditor. Key resolutions and important matters discussed by the committee are reported at the Corporate Management Meetings and communicated to CISOs and information security personnel at each Group company to ensure implementation at the operational level.
Aligning with Global Standards
The Rakuten Group sets standards and regulations based on ISO/IEC 27001 to ensure the confidentiality, integrity and availability of information assets. We do this by constructing, operating and continuously improving our Information Security Management System (ISMS), which addresses various risks, such as data loss or falsification and service outages.
Rakuten Ichiba obtained ISO/IEC 27001 certification in November 2006. Since then, we have been working toward certifying all Rakuten Group organizations, including major domestic and overseas group companies. To date, 48 Rakuten Group companies have achieved this certification through annual independent external audits.
- Rakuten Group, Inc.
- Rakuten Mobile, Inc.
- Rakuten Mobile Infra Solution, Inc.
- Rakuten Mobile Engineering, Inc.
- Rakuten Communications Corp.
- Rakuten Card Co., Ltd.
- Rakuten Payment, Inc.
- Rakuten Edy, Inc.
- Rakuten Wallet, Inc.
- Rakuten Sociobusiness, Inc.
- Rakuten Customer Service, Inc.
- Rakuten Total Solutions, Inc.
- Rakuten Business Support, Inc.
- Rakuten Travel Service, Inc.
- Rakuten ANA Travel Online Co., Ltd.
- Rakuten Car Inc.
- Hunglead, Inc.
- Rakuten SQREEM, Inc.
- Rakuten STAY, Inc.
- Rakuten STAY Asset Management, Inc.
- Rakuten Ticket, Inc.
- Clips, Inc.
- Monzen Corporation Japan
- K Dreams Co., Ltd.
- Keiba Mall, Inc.
- Target, Inc.
- LINKSHARE JAPAN K.K.
- Rakuten Insight, Inc.
- Rakuten Data Marketing, Inc.
- Rakuten Data Solutions, Inc.
- Rakuten Baseball, Inc.
- Rakuten Vissel Kobe, Inc.
- Rakuten Drone, Inc.
- Rakuten Symphony, Inc.
- Rakuten Symphony Korea, Inc.
- Rakuten Symphony Singapore Pte Ltd
- RAKUTEN SYMPHONY USA LLC
- Rakuten Symphony India Private Limited
- Rakuten Symphony Deutschland GmbH
- Rakuten International Commercial Bank Co., Ltd.
- Rakuten Europe S.a r.l.
- Rakuten France S.A.S.
- Rakuten TV Europe, S.L.U.
- Rakuten USA, Inc.
- Rakuten Travel Singapore Pte. Ltd.
- Rakuten Travel Xchange Pte. Ltd.
- RAKUTEN ASIA PTE. LTD.
- Rakuten India Enterprise Private Limited
Furthermore, we maintain strict compliance with PCI DSS*1, an international information security standard for organizations handling payment cards, including credit cards. In recognition of these efforts, Rakuten was elected in early 2021 as the only company in Asia to serve on the Board of Advisors for PCI SSC*2.
*1 Payment Card Industry Data Security Standard
*2 Payment Card Industry Security Standards Council
Information Security Education
Building strong information security requires raising awareness among all stakeholders, including employees.
At Rakuten Group, company-wide Asakai meetings regularly feature security and privacy-related topics. All executives and employees, including directors, regular employees, contract and temporary staff, partners, outsourced workers, and part-time employees, also undergo annual information security training. Through case studies of real incidents, participants deepen their understanding of security risks and pledge their adherence to internal regulations.
To ensure prompt and proper responses to incidents or suspicious activities, we actively communicate the internal escalation process, including designated contact points and reporting channels. For contractors, we conduct mandatory outsourcing security reviews before engaging in new business relationships, helping us to identify and manage potential security risks from the outset.
At the annual Global CISO Summit, CISOs from across the Rakuten Group come together to share best practices and technical expertise, exploring key security themes in subcommittees and attending expert-led lectures. These activities, along with policy updates from headquarters, foster Group-wide security literacy.
Strengthening Cyber Security
Cybersecurity refers to protecting the digital environment, including the internet, networks, information systems and devices such as personal computers and smartphones, as well as users, from threats. These include data falsification, computer viruses, destructive behavior and phishing attacks.
The Rakuten Group has established a specialized organization dedicated to cybersecurity. This team works to eliminate vulnerabilities by educating developers, performing security reviews during software development and conducting inspections for weaknesses. We also monitor for unauthorized access and respond to information security flaws.
To offer secure services across the Group, we are expanding the Security Champion system globally. This framework promotes secure development in each department through thorough reviews and knowledge sharing.
Development Process
Furthermore, we have established a Groupwide CSIRT*1 to strengthen cooperation with external stakeholders, including government ministries, cybercrime specialists and other companies. We also collaborate closely with organizations such as the police, investigative and administrative agencies, FIRST*2 and the Nippon CSIRT Association. Our goal is not only to safeguard Rakuten’s information security, but also to contribute to broader efforts that protect society as a whole.
*1 Computer Security Incident Response Team: A team that investigates and responds to security incidents.
*2 Forum of Incident Response and Security Teams: A global organization that coordinates responses to security incidents.
Measures against Phishing Emails
Phishing, or fraudulent activity carried out over email, has become increasingly common. To protect our customers, Rakuten is accelerating the implementation of Sender Domain Authentication Technologies (SPF, DKIM, DMARC) for advertising emails. These technologies verify Rakuten as the sender and enable email servers to detect and reject fraudulent emails before they reach recipients.
We are applying these technologies to domains used in our 70+ services, with plans to extend coverage to all outgoing e-mails. In addition, we are working with IT companies and mobile carriers to implement a system that displays the Rakuten brand symbol or official account label on messages. This allows customers to easily confirm that the messages are genuinely from Rakuten.
Please see here for more information on our efforts against phishing emails.
Specified User Information Handling Policy
In June 2023, the Japanese Telecommunications Business Act was amended to require businesses that handle Specified User Information to establish and disclose a handling policy. Rakuten Group created this policy to help customers understand the purposes and protection measures related to the use of their Specified User Information in compliance with the law.
You can view the Specified User Information Handling Policy here.