How Secure is Omise?

Omise is a new payment gateway in Thailand focused on providing strong security, a RESTful API, complete documentation and extensive library support. At Omise we strive to provide full support for developers, startups and the most popular e-commerce platforms. A full introduction to Omise can be found in this blog post: Introducing Omise Payment Gateway in Thailand

Nowadays we are seeing a lot of credit card data leaks: attackers are getting into corporations and stealing card data, not only by direct hacking but also through social engineering. Sometimes even a company's own employees can be the weak point behind a leak. Stolen credit card databases feed a massive black market, especially on hidden Tor onion sites, with attackers constantly probing for security holes in your servers and applications in order to get in. For this reason, the PCI Security Standards Council developed the PCI-DSS security standards.

Omise was certified against PCI-DSS version 3.0 in 2014, after a very detailed and extensive audit, and currently holds a PCI-DSS 3.2 certificate. This allows Omise to store, process and transmit credit card data securely.

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

Omise PCI-DSS 3.2 Certificate: Omise PCI Certificate

Going into the details, how secure is Omise really?

There are 3 scopes covered in PCI for a payment gateway such as Omise:

  1. Card Data Transmission
  2. Card Data Processing
  3. Card Data Storage

I will describe each one in detail.

1. Card Data Transmission

Card data is always transmitted from the user's browser (or the merchant server) to Omise servers over TLS with strong encryption. Weak protocols such as SSL 3.0 are disabled and not accepted by Omise load balancers.

Since Omise is already PCI compliant, merchants do not need to go through PCI certification themselves: card data never has to pass through their servers. The card is sent exclusively from the client browser or mobile application directly to the Omise Vault servers, thanks to the various Omise libraries for web and mobile applications.

When the card is sent from the browser to Omise Vault, a token is returned which can then be used to charge the card from the server side. This is called credit card tokenization.

The following chart illustrates this procedure when using the Omise.js library to exchange a card for a token. Note that the token can only be used once, and only together with the secret key held on the merchant server. Alternatively, the token can be used to create a permanent Customer record in Omise Vault (a customer with a default card), which can then be charged at a later time, for example for recurring payments, scheduled bills and express checkout.

Omise load balancers only allow high-grade encryption ciphers. All communication between application servers, load balancers, proxies and databases is encrypted using SSL/TLS, all within private and highly monitored subnets.

For a live result, visit our SSL Labs test page:

Omise SSL Labs

2. Card Data Processing

Card data processing is the step in which Omise connects to the acquiring bank and charges the card.

This is a multi-step process that depends on whether the card is being used for the first time or is already stored in Omise Vault and was authenticated earlier.

These are the two possible scenarios:

1) The card is being used with the merchant for the first time: a CVV check is attempted with the bank by charging the card a minimal amount (30 THB); if it succeeds, the charge is voided and the card data proceeds to storage. At this stage multiple fraud detection checks are performed by Omise in partnership with market leaders. PCI-DSS does not allow the CVV to be stored, so it is only forwarded to the bank for authentication and never retained.

2) The card already belongs to one of the merchant's customers and has already passed the CVV check and the fraud detection checks: the card details held in Omise Vault are decrypted and sent to the bank to charge the desired amount. Note that this step can still be rejected by the acquiring bank, for example if the card has been cancelled or reported stolen, or, for some card types, if no funds are available.

This process has been reviewed by a qualified PCI-DSS auditor and passes all requirements for processing.

3. Card Data Storage

Card storage is the most difficult and dangerous part of a payment gateway. Many requirements must be implemented in order to store a card in the Omise Vault database and protect it against the most determined attackers.

When Omise receives the card via HTTPS, it is immediately encrypted with AES-256 (symmetric encryption) and then stored on database servers that are PCI-DSS Level 1 certified.

The card data and encryption keys are secured with multiple layers of protection. Full credit card data is never accessible to any single employee: access always requires multi-factor authentication and the involvement of a second authorized person. This is one of the many PCI requirements.

All Omise servers are PCI-DSS compliant at the application and OS layers, maintained by the Omise security team, and physically protected in AWS PCI Level 1 certified data centers.

Servers are always protected by multiple layers of access control and threat detection, including multi-factor authentication, immediate alerts to the Omise security team whenever a sensitive action occurs, strong firewalling and DDoS protection, and detailed logging with live analysis of the logs by advanced tools.

Tips and Recommendations for Merchants and E-commerce sites:

  1. Use HTTPS with high-grade ciphers on your checkout pages and disable SSLv3 altogether. This protects your customers' data and gives users more confidence when they see the HTTPS lock in the address bar. Communication with Omise is always over HTTPS regardless of the merchant's configuration.

  2. Keep your Omise API secret keys very safe. They can be rolled at any time you suspect they have been compromised, which renders the previous keys inoperable.

  3. Never transmit credit card data directly to your own server. You would need PCI-DSS certification to do so, even if you do not plan to store the card data. Use the Omise JavaScript library or mobile SDKs to send card data directly to the Omise Vault endpoint.

  4. If you would like to charge the card at a later time without the customer typing it in again, use the first token to save a customer together with the given card, then use the Omise API endpoint to charge that customer whenever necessary; no CVV is required. You only need to save the card fingerprint in your database in order to identify the card for later use. Remember, full card data is never retrievable: only the last 4 digits, cardholder name and issuing bank are.

  5. Don't forget to periodically check the Omise documentation for updated libraries and security news.

Omise links: