Security Overview
As an international online payment gateway service provider, we consider our partner’s security a top priority.
HTTPS/TLS
With Omise, card data is always transmitted from the cardholder’s browser (or from the merchant’s server, if the merchant is PCI DSS certified) to our servers over TLS. Because of SSL 3.0’s known security issues, we have disabled that protocol and do not allow it on our load balancers. All communication between application servers, load balancers, proxies and databases is encrypted using SSL/TLS, all within private and highly monitored subnets. As required by PCI DSS 3.2, we only support TLS 1.2 and above.
Our servers only accept HTTPS/TLS connections for API operations. The same applies to Omise’s dashboard interface.
Visit our SSL Labs test page for live results: www.ssllabs.com/ssltest/analyze.html?d=api.omise.co
Encryption
Omise encrypts cards using the highest grade of encryption (AES-256). The 256-bit key length and the cipher’s 14 rounds make it progressively harder for any of the encrypted data to be recovered. All sensitive data is stored in our encrypted database, which is protected in a highly secured environment. Even our staff are unable to get their hands on it.
Data can only be decrypted by Omise’s application and is performed when the card is sent to the bank for charging.
PCI Compliance
Omise is certified to PCI-DSS version 3.2.1. Every year we undergo an audit by the Payment Card Industry (PCI), which is an integral part of maintaining PCI-DSS certification. The purpose of this certification is to ensure that Omise adheres to the set of industry-mandated requirements that assure cards are processed, stored and transmitted in a secure environment.
Visit Visa’s Global Registry of Service Providers to confirm validity of our certification or find out more about PCI-DSS by visiting www.pcisecuritystandards.org/pci_security
Transmitting cards
Credit card details entered into a checkout form on a website are sent directly from the cardholder’s browser to Omise’s servers, using one of our libraries (Card.js or Omise.js), over a secure HTTPS (TLS) channel. A token, which can be used to create a charge or saved with a Customer for later use, is generated and returned to the cardholder’s browser.
Note: All credit cards that enter our system are tokenized.
Processing cards
This is where Omise connects to the acquiring bank to charge cards. It is a multi-step process that depends on whether the card is being used for the first time or has already been stored in our vault.
Scenario 1: First-time use
Card information entered by the cardholder is used for pre-authorization, in which the information, including the CVV, is validated. This is done by attempting a minimal charge (up to 1 THB) with the bank; if it succeeds, the charge is voided. The card data then proceeds to storage. Under PCI requirements, the card’s CVV cannot be stored, so it is only forwarded to the bank for authentication. The actual payment of the checkout amount takes place right after, and multiple fraud detection checks are performed by Omise in partnership with leaders in the market.
Scenario 2: Saved card
All cards stored in our vault have already gone through pre-authorization. When a saved card is charged, it is decrypted and sent to the bank to charge the desired amount. Fraud checks are also performed at this stage.
Note that charges can still be rejected if the card has been canceled, is reported lost/stolen or lacks sufficient funds.
Storing cards
Once card details are entered into the checkout form on a website, they’re sent directly from the cardholder’s browser to Omise’s servers over a secure HTTPS (TLS) channel. Merchants never see, and have no way to access, any of the details. Omise then encrypts the card with the highest grade of encryption (AES-256, a symmetric cipher) before storing it in our encrypted database, which is protected in a highly secured environment. (Even our staff aren’t able to get their hands on it!)
Cards are only decrypted when they’re sent to the bank for charging.
Tokens
Tokens are used as a transport layer for credit cards. Each token represents a card and can be used wherever a card is required, simply by supplying the token ID. Tokens are much safer to handle than credit card data because they are useless without your secret key.
A token's lifecycle:
- Your customer enters their credit card data in their browser.
- Credit card data is sent directly from the browser to our server.
- We return a token that represents the card.
- The token is sent from the customer's browser to your server.
- You can then send us the token to charge your customer.
Example:
Credit card: 4242-4242-4242-4242, Joe Doe, 10/2020
Omise Token: tokn_51rcpwcdbe2etrgydpb
A token can be used to create a charge or to save as a Customer for later charging, i.e. to perform recurring payments or for express checkouts.
For more detailed information, read our documentation on Omise.js.
Note: To create tokens you must use the Omise.js JavaScript library. You are not allowed to send credit card data to your servers unless you are PCI-DSS compliant. Sending credit card data from your server will increase fraud and will result in temporary or permanent account suspension.
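An added example (not Omise’s or Omise.js’s code) of the merchant-side half of the token lifecycle above: a guard for the checkout endpoint that accepts only an Omise token and rejects any posted field that carries a card number, so an integration bug or a tampered form cannot silently put raw card data on your server. The token format is assumed from the page’s example (`tokn_` prefix); the field name `omise_token` and the sample request bodies are constructed.

```javascript
// Token id format assumed from the page's example: "tokn_" + lowercase alphanumerics.
const TOKEN_RE = /^tokn_[a-z0-9]{12,}$/;

// Luhn check: every real card number passes it, which makes it a
// reliable detector for a primary account number (PAN) in form data.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True if the value holds a 13-19 digit run (spaces/dashes ignored) that passes Luhn.
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  const run = digits.match(/\d{13,19}/);
  return run !== null && luhnValid(run[0]);
}

// Validate a parsed checkout form body (hypothetical field name: omise_token).
// Returns { ok: true, token } or { ok: false, reason }.
function validateCheckoutBody(body) {
  // Refuse the whole request if any field carries what looks like a PAN:
  // card data must be tokenized in the browser, never posted to this server.
  for (const [field, value] of Object.entries(body)) {
    if (looksLikePan(value)) {
      return { ok: false, reason: `field "${field}" contains card data; tokenize it in the browser with Omise.js` };
    }
  }
  const token = body.omise_token;
  if (typeof token !== 'string' || !TOKEN_RE.test(token)) {
    return { ok: false, reason: 'missing or malformed omise_token' };
  }
  return { ok: true, token };
}

// Constructed sample bodies: a correct submission and a leaking one.
const goodBody = { omise_token: 'tokn_51rcpwcdbe2etrgydpb', amount: '10000' };
const leakyBody = { omise_token: 'tokn_51rcpwcdbe2etrgydpb', card: '4242-4242-4242-4242' };
```

Only a token that passes this guard should be forwarded to the charge request made with your secret key; a rejected request should also be logged, since a PAN arriving here means the client integration is wrong.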