Turkey has introduced a voluntary certification system for e-commerce websites and intermediary service providers, allowing them to easily show consumers that the website meets minimum security requirements for payment processing. The standards address technical and procedural elements, as well as the information which customers must receive during transactions.

The Communiqué on Security Stamp in Electronic Commerce (“Communiqué”) was published in Official Gazette number 30088 on 6 June 2017, entering into force on the same day.

Obtaining a Security Stamp

To obtain a Security Stamp, e-Commerce service providers and intermediaries will be required to meet the following minimum standards:

  • All transactions containing personal data and payment information should be processed via either:
    • EV SSL for websites and mobile sites.
    •  SSL for applications.
  • Have processes which comply with legislation regarding e-commerce transactions, internet, e-commerce and payment systems.
  • Take measures against any information used during transactions which could adversely affect children.
  • Present supply and logistics processes to customers in a clear and understandable manner.
  • For services sold via e-commerce, present information about who will provide the service, as well as the service’s scope and duration.
  • Provide dedicated systems to efficiently receive and address customer requests and complaints.

The Role of Security Stamp Providers

Security Stamps will be granted by Security Stamp Providers (“Providers”), which are authorised by the Ministry of Commerce and Custom (“Ministry”).

The Communiqué states that Providers are authorised to:

  • Confirm whether applicants meet the minimum standards (above).
  • Annually audit whether service providers and intermediaries continue to meet the minimum standards.
  • Track validity of EV SSL and SSL.
  • Take any measures necessary to prevent unfair use of security stamps.
  • Notify authorities and the Ministry about any matters identified during audits which require judicial or administrative sanctions.
  • Provide an activity report to the Ministry by the end of March each year.

Institutions which obtained an activity certificate under Banking Law number 5411 and The Law on Payment and Instrument Settlement Systems, Payment Services and Electronic Money Institutions number 6493 are excluded from the Communiqué.

Please see this link for the full text of the Regulation (only available in Turkish)