Security at Omise

Our customers trust Omise with sensitive information and expect us to act responsibly and safeguard their information with the highest levels of security. As a payments infrastructure provider, our commitment to maintaining the highest levels of security is unwavering, and we consistently adapt to meet the demanding requirements of the global financial sector.

Compliance and Standards

PCI DSS

Omise complies with the highest PCI standard level - Level 1. This is the most demanding tier of security accreditation available within the payment processing sector.

To confirm the validity of our certification, visit Visa’s Global Registry of Service Providers. To know more about PCI-DSS, visit www.pcisecuritystandards.org/pci_security

NIST

At Omise, our information security program adheres to the guidelines established by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our commitment to maintaining robust security practices meets the stringent requirements of our enterprise customers.

Data protection

Our organization consistently integrates advanced privacy and data protection methodologies, protocols, and industry-leading practices, following every relevant regulatory framework such as PDPA, GDPR, etc. To learn more about our ongoing efforts, please consult the privacy page.

To lessen the chances of compromise, we have data retention policies that minimize the data we collect while complying with regulatory and business requirements.

Secure Products

Security is a critical consideration that guides all our product design and infrastructure decisions at Omise.

Authentication

Our dashboard supports multi-factor authentication (MFA) and onboards team members through secure account provisioning. Support requests from users must be verified before a support response is provided.

Access restriction

Users can assign multiple detailed roles from the dashboard to enable least-privilege access for their employees.

From the dashboard, users can also view audit logs of important account changes and activity, such as handling their sessions, and see if anyone has logged in to their account, from where, and when.

Secure connections

At Omise, we strictly enforce the utilization of HTTPS for all services employing Transport Layer Security (TLS), including our public website and user dashboard. We diligently evaluate every aspect of our implementation, such as the certificates issued, certificate authorities employed, and supported ciphers.

All server-to-server communication is secured through mutual transport layer security (mTLS). Our systems proactively block requests made using outdated or less secure versions of TLS, mandating the use of TLS 1.2 at a minimum for seamless connectivity.

Development

Our engineers work with security experts early in a project’s life cycle. They gather security requirements and then perform tasks such as threat modeling and reviewing checklists of security best practices to ensure that new products are developed securely.

All of our code goes through multi-party review and automated testing.

We utilize a secure development pipeline that scans any change for security vulnerabilities. We use static code analysis, dependency scanning, and automated vulnerability scanners to ensure that any change doesn't introduce bugs.

Vulnerability disclosure and reward program

We maintain a bug bounty program that compensates independent security researchers who help us secure our products. For more information on how to participate and submit bug reports, refer to our page at HackerOne.

Infrastructure and Processes

We consistently perform periodic vulnerability scans and penetration tests and engage security firms for third-party assessments that help us promptly address any identified issues. Our systems are constantly monitored. We proactively upgrade our server operating systems before their security end-of-life dates, ensuring we remain protected against potential threats.

Card Data Environment

Our systems encrypt sensitive data, both in transit and at rest. The infrastructure for storing, decrypting, and transmitting primary account numbers (PANs), such as credit card numbers, runs in an isolated environment and doesn’t share credentials with the rest of our services.

Access to this isolated environment is restricted to a limited number of engineers and is reviewed regularly.

All card numbers are encrypted at rest with AES-256 and tokenized. Decryption keys are stored in a separate encryption module. None of the other internal servers can obtain plain text card numbers.

Corporate security

We leverage SSO, two-factor authentication (2FA) using a hardware-based token, and mTLS using VPN from Omise-issued machines to authenticate employees. After connecting to the network, sensitive internal systems and those outside the scope of the employee’s standard work require additional access permissions.

We monitor audit logs to detect abnormalities and watch for intrusions and suspicious activity. We constantly collect information about Omise-issued laptops to look for malicious processes, connections to fraudulent domains, and intruder activity.

Access control

We have a formal process for granting access to systems and information; we regularly review and remove inactive access. We also continuously monitor activity to determine what has been accessed and by whom.

Security Culture and Awareness

We mandate that every employee completes a monthly security awareness program, and we provide secure software development training to engineers. We run internal phishing campaigns to test everyone so that employees can recognize phishing attempts. We also offer other internal resources, such as a security champion program and more, to strengthen the company's security culture.

If you have any further questions or want to know more about how we handle security at Omise, do not hesitate to contact us at security@omise.co