Can Convenience and Safety Coexist?

“Innovation at Toss is built on security.”
Toss founder SG Lee once said, “Security must be the start and end of every innovative service.” If customers can’t trust the services to be safe, it’s meaningless, no matter how useful the features are. Toss has earned multiple international certifications in data security and personal information protection, received the Information Security Award, and established a dual data center system to ensure reliability even in the event of disruptions. Toss also operates a 24/7 monitoring system, runs a customer service center, develops proprietary security systems, and maintains a world-class team of white-hat hackers.
Toss invests 10.7% of its total IT spending in security, with 9.9%* of its workforce dedicated to security roles, far above the industry average of 3–5%. This demonstrates that, even while driving innovation across every aspect of daily finance, Toss has remained unwavering in its commitment to security.
*Based on 2025 Information Security Disclosure (for 2024 investment)
“Security is not a cost, but an investment in trust. Our growth has been built on the trust of our customers and investors, and at the root of that lies security.” - Jungho Chi, Toss CISO (Chief Information Security Officer)
Security Philosophy: Convenient Safety IS Possible
Toss has long fought against the prejudice that convenience and security cannot coexist. Before Toss, financial life was either convenient but vulnerable, or secure but burdensome. How did Toss’ security and personal information protection teams break this deeply rooted belief and turn the ideal of safe convenience into reality?
With Toss, it takes less than 30 seconds to open the app and complete a transfer. Users don’t see all security measures in that brief moment, yet hundreds of security processes run simultaneously behind the scenes. From the very first stage of service design, Toss’ security team works with engineers to build security into the user experience itself. Thanks to advanced security technology, customers can achieve their goals without going through countless steps.
“At Toss, security isn’t a tech feature, it’s the default foundation of a service.” - Hyunseok Lee, Toss CTO (Chief Technology Officer)
Security Team: The Core of Innovation
Toss places information security and personal data protection at the core of its operations, working to minimize blind spots and strengthen both areas. The CISO oversees all aspects of information security, while the CPO focuses specifically on protecting personal data.
The Information & Security Tribe leads the company’s security framework, designing protection across every area including products, personal information, internal operations, and infrastructure. In addition, the Security Operations Center (SOC) operates 24/7, monitoring every security event in real time. With more than 500 monitoring policies in place, the SOC can oversee all services at a glance and respond instantly when needed.
There are a total of 8 security teams.
- Security Policy: Operates the information protection management framework, reviews and deliberates on security matters
- Security Purple: Builds security threat monitoring systems, develops security and inspection features
- Security Green: Analyzes and responds to security threats, builds and operates the security system
- Security Build: Supports the establishment of security organizations across affiliates, assists with security inspections
- IT Innovation: Operates internal IT infrastructure such as network separation, oversees the security of work devices
- Personal Data Protection: Operates the personal information management framework, manages personal information data security
- Compliance Platform: Develops the personal information management system and data risk detection system
- Security Monitoring: Supports 24/7 security monitoring, supports analysis and response to security events
Toss enhances its security daily, powered by top-class specialists, including a dedicated white-hat hacker team that researches hacking methods and security technologies. Their capabilities have been proven in the industry, with Toss winning the Financial Security Threat Contest hosted by the Financial Security Institute.
Toss’ security team is not a behind-the-scenes team, but the engine that drives innovation. With their systems and expertise, Toss continues to launch new services faster than anyone else while upholding its principle of zero tolerance for hacking incidents.
Security Technology and Features: Tighter-Knit in Crises
Countless security technologies are applied in combination throughout processes such as authentication and money transfers. Beyond this, Toss proactively alerts and protects customers when they face security threats that may have been difficult to avoid. These technologies and services usually remain out of sight, but in critical moments they give customers a tangible sense of safety.
App Security Technology: The Invisible Layer of Protection
- Toss Guard: Detects and blocks app tampering, rooting, and malicious apps. When a threat is confirmed, it can restrict functions or block execution.
- Fraud Detection System (FDS) & Abuse Detection System (ADS): Identifies abnormal transaction patterns and blocks them at the account, device, or IP level.
- Malicious App Detection Solution (Toss Phishing Zero): Scans customer devices running the Toss app for malicious apps and helps users remove them. As of June 2025, it has detected 73,000 malicious apps and blocked 1.34 million threat attempts.
- End-to-End Encryption: Secures all communications and data storage by encrypting everything from device-to-server transmissions to stored information.
- Dynamic Anti-Tampering Module: Prevents hidden manipulations of the app and blocks attempts to disguise malicious requests as if they were from legitimate users.
“We study potential hacker scenarios, develop detection strategies to block them, and embed those strategies into our live service environment. This is how systems like Toss Guard and Phishing Zero were born. The Purple Team designs the strategies, and the Green Team integrates them into the company-wide security infrastructure, enabling automation and real-time response. Users may not notice it, but from the very moment the Toss app launches, countless strategies and systems are already at work.” - Jongho Lee, Toss Security Green/Purple Team Leader
Security Features in the Reach of Users
- Toss Customer Protection Program: The industry’s first financial accident compensation program. It provides up to ₩50,000,000 per incident for voice phishing damages and up to ₩500,000 per incident for secondhand fraud damages.
- Fraud Siren: Before money is sent in a transfer, the system automatically checks the recipient’s account and contact information for fraud history. If there is a history of fraud, a warning message is displayed.
- Scam Guard for Family: When a suspicious transaction is detected, an instant notification is sent via an in-app notification or KakaoTalk to family members designated by the user.
- Asset Protection Alert: Sends an immediate alert if a new financial product (such as a deposit, loan, or credit card) is opened under the user’s name. If the user did not open it, the service provides guidance on how to respond, including suspending transactions with the institution or reporting the incident to the Financial Supervisory Service.
Building Trust Beyond Industry and Global Standards
Toss’ commitment to putting security first goes beyond simply saying “the Toss app is safe.” Toss demonstrates this through its investments in international standards, its earned certifications and industry-recognized awards, and its annual public information security disclosures.
Korean/Global Certifications
- ISO/IEC 27001, 27701, and 27017: International security standard certifications for information security, personal data protection, and cloud management systems, issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- ISMS-P: Korea’s highest-level certification for information security and personal data protection management systems.
- CBPR: Global certification for personal data protection frameworks.
- PCI-DSS (Payment Card Industry Data Security Standard): Global data security standard certification.
Awards
- Grand Prize at the Information Security Awards (hosted by the Ministry of Science and ICT and organized by the Korea Internet & Security Agency): Toss in 2018, Toss Securities in 2023, and Toss Bank in 2024 each won the grand prize, making Toss the first in the Korean financial sector to be recognized for both service innovation and security excellence.
- Four-time consecutive winner of the Financial Security Institute’s FIESTA International Division (2021–2024): Since its first entry in 2021, Toss has continued to secure the top spot every year, proving its technological leadership.
Disclosure of Security Investment
In 2018, Toss became the first in the financial industry to voluntarily adopt an information security disclosure system. Since then, it has published details each year on its security investments and workforce, making its commitment to security fully transparent.
Branding with Social Trust at the Core
Toss’ security philosophy extends beyond its own services to raise safety awareness across society and help customers feel secure in their everyday lives through brand-level initiatives. To protect personal information, Toss has established five core principles, strengthened transparency and accountability through a Data Protection Compliance Advisory Committee that includes external experts, and publishes an annual Personal Data Protection Report detailing its activities and results. Toss also runs a Bug Bounty Challenge* with external security specialists to identify and fix potential vulnerabilities across Toss and its affiliates before they become issues.
*Participants who discover and report security vulnerabilities in products or services are rewarded.
These efforts also expand into brand campaigns. In 2023, as part of a security campaign, Toss released two documentaries: <Hellsonic>, featuring the white-hat hacker team, and <Block Busters>, on secondhand trading fraud. In 2024, Toss partnered with the Korean National Police Agency on a campaign to combat youth online gambling, raising public awareness of the issue. Since 2023, Toss has also hosted its own security conference, “GUARDIANS,” to share its knowledge and contribute to strengthening information protection capabilities across the industry.
Evolving Ahead of Tomorrow’s Threats
“Threats continue to evolve. Toss’ security will have to always stay a step ahead.” - Jungho Chi, Toss CISO (Chief Information Security Officer)
Security at Toss does not stop at protecting the present. The company is already investing in next-gen strategies such as advanced AI-driven threat detection, quantum cryptography, and global threat intelligence integration. Internally, Toss is building a generative AI security control system to manage emerging technologies safely, with features like prompt guards, personal data detection, and log monitoring.
To the long-standing question, “Can convenience and safety truly coexist?”, Toss has always answered with action, through a steadfast security framework. And in the years ahead, security will remain at the very heart of Toss’ philosophy.