Clarification (May 18, 2016)


This article is also available in Thai.

Regarding the recent incident which resulted in the leak of credit card data, there have been rumours and some erroneous information floating around. We’d like to clarify that none of the cards came from Omise or from our merchants.

As an international online payment gateway service provider, we consider all of our partners’ security a top priority. Our card vault is PCI-DSS 3.1 compliant, ensuring that our service adheres to a set of industry-mandated requirements. Every card that comes through our system is processed, stored and transmitted in a secure environment. You can confirm the validity of our certification by visiting Visa’s Global Registry of Service Providers.

Read More: How secure is my credit card with Omise? and Omise PCI-DSS 3.1 Certificate of Compliance

How do breaches like these occur?

Simply transmitting card data through non-compliant servers can result in breaches. For example, credit card information can easily end up in multiple log files on a server, making it an easy target for hackers. With Omise, all partnering merchants are required to use Omise.js or Card.js (unless PCI-DSS certified) to securely send sensitive data from the cardholder’s browser directly to our servers via a secure HTTPS (TLS) communication channel. Using either one of these libraries means that merchants never see any of the card information, greatly reducing the chance of a man-in-the-middle attack.
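As an added illustration (not Omise's code and not the Omise.js API), the Node.js simulation below contrasts the two integration patterns described above: the vault, the merchant server and the token format are stand-ins constructed here, and a Luhn-based scan of the merchant's log shows which pattern lets a card number land in a log file.

```javascript
// Luhn check: recognises PAN-like digit runs in log text (13-19 digits).
function luhnValid(digits) {
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0, alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return sum % 10 === 0;
}

// Returns every Luhn-valid digit run found in the given log lines.
function findPansInLog(lines) {
  const hits = [];
  for (const line of lines) {
    for (const m of line.matchAll(/\b\d{13,19}\b/g)) {
      if (luhnValid(m[0])) hits.push(m[0]);
    }
  }
  return hits;
}

// Stand-in for the PCI-scoped vault (hypothetical, not the real service):
// keeps the card, hands back an opaque token that carries no card data.
let seq = 0;
const vault = {
  store: new Map(),
  tokenize(card) {
    const token = "tokn_" + String(++seq).padStart(6, "0");
    this.store.set(token, card);
    return token;
  },
};

// Stand-in merchant backend that logs every request body it receives,
// the habit that lets card data end up in log files.
function merchantServer() {
  const log = [];
  return { log, handle(body) { log.push(`POST /checkout ${JSON.stringify(body)}`); } };
}

// Pattern A: the browser posts the raw card to the merchant, which then
// forwards it to the vault. The PAN is now in the merchant's log.
function checkoutViaMerchant(card) {
  const server = merchantServer();
  server.handle({ card });
  vault.tokenize(card);
  return server.log;
}

// Pattern B (the Omise.js model): the browser tokenizes with the vault
// first, so the merchant backend only ever receives the token.
function checkoutViaVault(card) {
  const token = vault.tokenize(card);
  const server = merchantServer();
  server.handle({ token });
  return server.log;
}

// Constructed test card (a well-known test number, not a real account).
const sampleCard = { number: "4242424242424242", expiry: "12/30" };
```

Running `findPansInLog` over a real log directory is a cheap check that a merchant integration has not quietly pulled card data into PCI scope.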

The following is the latest SSL/TLS test by SSL-Labs of our Vault endpoint.

SSL labs report

We are committed to protecting all of our partners against fraud with security best practices that detect, analyse and prevent suspicious transactions that inevitably come along. Every card that is processed through our system is run through multiple fraud prevention measures that work in conjunction with each other, including pre-authorization, tokenization, IP geolocation and behaviour analysis. The process is done automatically, does not require extra coding and is free of charge.

3-D Secure is a common means of protection against some types of fraud attacks. As the service is beneficial only to merchants dealing with certain businesses such as mobile top-up services, prepaid cards, game money and digital services, enabling 3-D Secure is not mandatory. We recommend 3-D Secure only when merchants have lost many fraud-related disputes or have experienced many cases of fraud. We allow merchants to choose to enable 3-D Secure during the first steps of registration.

If you have any questions regarding our security or fraud protection, feel free to get in touch with our support team at any time!