Information Security Policy

Compliance with laws, industry guidelines, and internal regulations, etc.

The Company will develop regulations in line with relevant laws, guidelines stipulated by the government, and other relevant standards (such as industry guidelines) to protect information resources provided by customers and information resources of the Company from unauthorized access, leakage, loss, damage and alteration, etc., and comply with such regulations.

Maintaining an information security management system

The Company will establish an information security management system, make clear where the responsibility lies for managing the information resources provided by customers and the information resources of the Company, and clarify the obligations and responsibilities of the person in charge of managing such information resources.

Communicating and providing education on information security measures

The Company will conduct awareness-raising activities, such as providing education and training on information security to all employees, and communicate the importance of information security measures to all employees.

Evaluating and reviewing information security measures

The Company will periodically check and evaluate the implementation status of information security measures. Based on the evaluation results, the Company will reconsider its information security measures as needed, and continuously work on maintaining and improving them. The Company has adopted PCI DSS as part of its security measures to protect the information it handles. PCI DSS stipulates the following six goals and 12 data security requirements to protect information.

Build and maintain secure networks and systems

Install and maintain a firewall configuration to protect cardholder data.

Do not use vendor supplied defaults for system passwords and other security parameters.

Protect cardholder data.

Protect stored cardholder data.

Encrypt transmission of cardholder data over open public networks.

Maintain a vulnerability management program.

Use and regularly update anti-virus software or programs.

Develop and maintain secure systems and applications.

Implement strong access control measures.

Restrict access to cardholder data by business need to know.

Assign a unique ID to each person with computer access.

Restrict physical access to cardholder data.

Regularly monitor and test networks.

Track and monitor all access to network resources and cardholder data.

Regularly test security systems and processes.

Maintain an information security policy.

Maintain a policy that addresses information security for all personnel.