Trust Stamp Obligation on E-Commerce Sites

What Is The Trust Stamp?

The trust stamp clearly indicates the existence of a “minimum security and service quality standard”. The Trust Stamp is described as “The electronic sign given to the service provider and intermediary service provider complying with the minimum security and service quality standards stipulated in the Communique hereby”.

With the Communique about the Trust Stamp in E-commerce published in the Official Newspaper dated 6 June 2017, a new system has introduced for -e-commerce sites. The Trade Ministry has authorized The Union of Chambers and Commodity Exchanges of Turkey as the only trust stamp provider in Turkey.

Features of the trust stamp;
 

1. The symbol which will placed in the homepage of the site, will be used for showing to the consumers that the site has taken particular security precautions and is secured.
2. Existence of the Trust Stamp doesn’t mean that TOBB is the guarantor of the e-commerce site.
3. The Trust Stamp can not be interpreted as a guarantee for the quality of the goods and services on the page.
4. It can not be interpreted as The Trust Stamp Provider gives guarantee for the web pages in no country that The Trust Stump is used as well.

Where and how to get?

Companies gives online shopping service are able to get the trust stump from The Union of Chambers and Commodity Exchanges of Turkey (TOBB).

Also with the new application The Trade Ministry might test the online shopping sites. Sites whom past the test are able to use The Trust Stamp. The symbol which will be placed on homepages of the e-commerce sites is used as to show to the users that, that site has taken particular security precautions and is secure.

How to apply for getting the trust stamp?

E-commerce firms whom wants to obtain the trust stamp might apply on the GDS’s (Trust Stamp Providers) web site www.guvendamgasi.org.tr

Later on, the GDS will check the existence of the conditions designated on the communique. If missing items on the site are detected, the process will continue by giving additional time.

GDS’s are required to finalize the application within 30 days.

If the application is succesful, a symbol linked with the GDS site can be placed on the site.

What to do to get The Trust Stamp;

• Websites that gives online shopping service, have to get the “penetration test” maximum 3 months before the application. All transactions that includes personal information and payment systems are performed with SSL. In addition to the content, stock information, materials and measurement information of the product sold, its technical specifications, warranty and terms of use should also be included on the site.

• Which Companies Can Perform the Trust Stamp Penetration Test?

The most important condition for obtaining The Trust Stamp is that The Trust Stamp Penetration Test is performed before the application.

The Trust Stamp Penetration Test is a study to prove that the service giving e-commerce site and platforms are safe. The Trust Stamp Penetration Test service must be performed at least once a year, depending on business volume. Firms who offers The Trust Stamp Penetration Test service must be titled as “TSE Approved Penetration Test Firm”. Otherwise applications will rejected is stated on communique document.

After Penetration Test(pentest) study, correction tests must be performed as well. It shouldn’t be forget that the penetration test must be performed for mobile apps either. Today, the statistic of shopping done by mobile apps percentage is much more than shopping done by websites draw attention.

• It should ensure that all transactions involving personal data and payment information are carried out with EV SSL on the website and mobile site, and with SSL on the application.
• Extended Validation SSL (EV SSL): Certificate that provides ID validation of real persons and legal entities according to legal documents and enables the security and integrity of data flowing between the server and the client.
• Maximum 3 month before this application and at least once a year penetration tests should be performed by Turkish Standard Institute approved penetration test firms and validation test performed to verify that necessary precautions are taken.
• In order to receiver person get informed about its order, conduct its demands and complaints it should be provided at least one of the communication ways on the internet or a customer service is reached thorough phone.
• In accordance with the communique, a test should be made by A or B class penetration testing companies approved by the Turkish Standards Institute, at maximum three months before applying for the trust stamp and at least once in each calendar year. This classification is done as below:

The point to be noted here is that the infrastructure provider company will have a security test performed according to the annual transaction volume of the e-commerce sites it serves (based on the e-commerce site with the highest transaction volume within its structure).