Alipay, China's leading third-party online payment solution

Alipay Information Security Standards

These Alipay Information Security Standards (“Standards”) apply to Alipay Overseas Commercial Cooperative Partners including but not limited to ISO, ISV, Overseas Acquirers (and their Secondary Merchants) and other partners (“Partners”).

All Partners must ensure that their business operations comply with these Standards.

Unless otherwise defined herein, capitalized terms used in this document have the meanings given to them in the Alipay Service Contract between the Overseas Acquirer and Alipay:

· “Alipay User Data” means any data or information which is transmitted or processed (but not stored) through an Alipay Account as part of a Payment submitted to Alipay by an Alipay User.

· “Sensitive Data” means any Alipay User Data or Transaction information held by the Partner (including its employees, agents, sub-contractors and others acting on its behalf) and/or any Alipay Merchant (including its employees, agents, sub-contractors and others acting on its behalf) obtained from the platform of Alipay and its Affiliates including but not limited to any data generated during the use of Partners’ Application by Alipay Users.

1. The account registered and designated for Partners by Alipay to enable access to Alipay’s platform and service (“Alipay Account”). The Alipay Account can only be used by Partners, and Partners must not transfer or lease it to any third party in any way. The Partners must keep and protect the information that enables them to be identified, such as account and passwords. The Partners must notify Alipay immediately when there is, or when the Partner becomes aware of, an unauthorized use of the Alipay Account or passwords, or any other issues affecting the security of the Alipay Account.

2. The Partners shall independently develop, operate, integrate, support and maintain the application to access Alipay Service (“Application”) and agree to accept all related risks and outcomes associated with the Application. Alipay is not responsible for any content or information published on Alipay’s Platform which is incorrect or inaccurate, whether or not it is caused by Alipay Users or by any devices or programs connected to or used by the Application.

3. The Application developed by Partners to access Alipay Services as approved by Alipay shall not include any links (except for the website(s) of the Partner) which may induce or mislead clients to log in, register or use any websites other than Alipay.

4. The Partners must not:

1) falsify any aspects of or partly delete any logo, trademark, copyright or other statements which may infringe the intellectual property rights of merchants.

2) distribute, sell, re-sell, lease, license, re-license or otherwise provide the information of Alipay or any Alipay User to any third party including but not limited to storing or giving unauthorized access to such information in any way.

3) fail to ensure that all Applications are free of malicious code, programs, or viruses which will or have the potential to interrupt the operation of Alipay’s business or Applications or any part of the Application.

4) directly or indirectly include any links to any of the following content in the Application: (A) any product or service prohibited by Applicable Laws or Alipay’s Internal Policies; or (B) any products or services not authorized to be connected or incorporated.

5) use any data and information in connection with Application and the platform of the Partner and its affiliates which is obtained through Alipay’s API, public channels and operations for any other purpose not agreed in the relevant agreement and these Standards, including but not limited to any information of Alipay User, Transaction information, data generated during the use of Partner’s Application, API material and service fee rates.

6) use Alipay User Data obtained in violation of Applicable Laws or Alipay’s Internal Policies for the purpose of improper interests or benefits.

7) obtain or use Alipay User Data by utilizing App ID or relevant rights of other Partners without authorization from Alipay.

8) request, collect or otherwise obtain access rights to the Alipay Account, usernames, passwords or other authentication and identification credentials from Alipay Users.

9) provide any proxy authentication credential to any Alipay Users to automatically log in and gain access to Alipay’s platform, Applications or API.

10) provide tracking functions to track Alipay Users and their activities, behaviours, operations of the Application, Application documents and Transactions, including but not limited to identifying and authenticating Alipay Users.

5. The API must be set up and used based on authentic business needs and be solely used for a business or commercial purpose.

6. If the Application collects, stores or uses Alipay User Data, then the Partners must comply with the following requirements:

1) Without prior written authorization of Alipay Users, the Partners must not collect any Alipay User Data and must only collect Alipay User Data after informing Alipay Users of the purpose and scope of collection and usage.

2) Partners must take appropriate measures to safeguard Alipay User Data and protect it from unauthorized access, misuse, damage or loss.

3) All Alipay User Data collected through the Application by the Partner must only be used in that Application or used in accordance with Applicable Laws, Alipay’s Internal Policies and any express agreement between Alipay User and the Partner.

4) The Partners must display their privacy and data protection policies to Alipay Users in a prominent position of the Application.

5) The Partners must allow and provide Alipay Users with appropriate channels to correct or delete their Data as and when requested, and ensure that Alipay Users can also use these channels to correct or delete their data themselves.

6) In the event of loss, unauthorized access or misuse of Alipay User Data (‘Data Event’), the Partner must notify Alipay Users and Alipay within 72 hours of such Data Event. The Partner must not conceal the details of such Data Event and must implement reasonable and appropriate measures to protect the interest of Alipay Users and prevent any further misuse, loss or damage.

7) The Partners must ensure the segregation of merchant accounts and merchant data, and the separation of access by each merchant.

8) If certain Alipay User Data are required to be shared with Alipay’s Merchants, the Partner must anonymize all Alipay User Data to ensure that any information presented does not contain any personal or sensitive information (e.g. any identification numbers or other contact information).

9) The Application must not be capable of allowing bulk download or retention of Alipay User Data.

10) The Application must have in place appropriate controls and measures to prevent any Sensitive Data from being subject to data crawling.

Updated on April 30, 2019