How secure is it to send card information to Omise?

Woraprat

Have you ever wondered what actually happens after you have filled out your card information on the payment form? Is the data being securely transmitted, processed, and stored?

As described in the Omise documentation (Collecting Cards and Security Overview), once card data reaches the Omise server it is protected to the highest level of security, certified under the PCI-DSS 3.2 standard. In short, this is how a customer sends card information to Omise:

(1) Although our merchants can fully customize their checkout page, the card information is never submitted through the merchant's server. It is end-to-end encrypted in the client browser and sent directly to the Omise server.

(2) Having reviewed the card information, Omise generates a 'Token', which is used in place of the card, and returns it to the client browser. As we can see, the card information never passes through the merchant's server. Rest assured that card information will always be secure, even if the merchant's server is hacked.

(3) The client browser sends the received token to the merchant's server to confirm the order. The merchant then uses the token to confirm the charge with the Omise server.

However, in step (1), transmitting the card, how can the client browser and the Omise server trust each other? To see how the data is kept secure, let's explore how it is transmitted in step (1).

To make the scene easier to picture, imagine that the browser and the server can talk. Keep in mind that the whole conversation takes only a matter of milliseconds. The conversation below is between:

🧙‍ Alice the Client — the client browser, a mobile app etc.

💂‍ Bob the Server — the Omise server (vault.omise.co)

🧛‍ Eve the Thief — the hacker or eavesdropper

First, Alice and Bob decide which language (protocol: SSL/TLS) they will use to talk to each other. Once that is decided, Alice asks to see Bob's certificate to make sure she is talking to the right, trustworthy Bob (the Omise server). However, before she sends the credentials to Bob, they need to decide how to secure (encrypt) them.

Let's say Alice and Bob decide to use a technique (algorithm) called "ECDHE-ECDSA-AES256-GCM-SHA384" to agree on the encryption method, the key computation and the key exchange. Basically, Alice and Bob want to end up with the same key, but that is not simple because Eve is trying to get the key too. Alice needs a key to lock (encrypt) the card information, while Bob needs the same key to unlock (decrypt) it.

With this technique (algorithm), Bob and Alice agree on the values of 'p' and 'g', which Eve can also learn because she is listening to the conversation.

Then Alice and Bob each choose a number of their own, "a" for Alice and "b" for Bob. They do not tell each other these numbers, and Eve does not know them either.

Alice and Bob each put these values into the special formula (from the chosen algorithm), as agreed.

This gives Alice and Bob the values A and B.

A and B are then sent between them, which means Eve learns them as well.

Alice and Bob put the values into the formula once more to get the value "s", which comes out the same for both of them.

Eve, who has neither "a" nor "b", cannot use the formula to get "s". This means Alice and Bob finally have a matching key to use, without Eve knowing it.

However, for the highest security, Alice and Bob always select random numbers to combine with the key. These numbers are used only once and change every time they talk.

Finally, Alice and Bob are good to go with the card information as they now have a matching key to lock and unlock it without Eve knowing about it.
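
The exchange above can be followed in code. This is an added example, not Omise's code: it uses classic Diffie-Hellman with the page's p, g, a, b, A, B and s (the ECDHE in the cipher suite does the same thing with elliptic-curve points), plus a simplified stand-in for mixing in the one-time random numbers. The constants, function names and the toy group p=23, g=5 are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters, public to everyone including Eve.
# 2**127 - 1 is prime, but far too small for real use.
P = 2**127 - 1
G = 3

def keypair(p=P, g=G):
    """Choose a private number and compute its public value g^private mod p."""
    private = secrets.randbelow(p - 3) + 2          # uniform in [2, p - 2]
    return private, pow(g, private, p)

def shared_secret(their_public, my_private, p=P):
    """s = their_public^my_private mod p, identical on both sides."""
    return pow(their_public, my_private, p)

def session_key(s, client_random, server_random):
    """Mix the one-time random values into s (simplified KDF, not the TLS one)."""
    return hmac.new(s.to_bytes(16, "big"), client_random + server_random,
                    hashlib.sha256).digest()

def handshake():
    """Run one exchange; return both derived keys and the DH values Eve saw."""
    a, A = keypair()                                 # Alice keeps a, sends A
    b, B = keypair()                                 # Bob keeps b, sends B
    client_random = secrets.token_bytes(32)          # fresh for every conversation
    server_random = secrets.token_bytes(32)
    alice_key = session_key(shared_secret(B, a), client_random, server_random)
    bob_key = session_key(shared_secret(A, b), client_random, server_random)
    eve_view = {"p": P, "g": G, "A": A, "B": B}      # no a, no b, no s
    return alice_key, bob_key, eve_view

def search_private(public, p, g):
    """Try every exponent until g^x mod p == public. Feasible only for tiny p,
    which is why real deployments use very large groups or elliptic curves."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None

if __name__ == "__main__":
    alice_key, bob_key, eve_view = handshake()
    print("keys match:", alice_key == bob_key)
    # Textbook toy group p=23, g=5: the private value behind A=4 falls out at once.
    print("toy private recovered:", search_private(4, 23, 5))
```
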

So, how secure is it to send card information to Omise? This is only the first part, transmission, let alone how securely the data is processed and stored. With Omise, merchants never have to be concerned about data security, as the risk for merchants is zero. Omise is fully responsible for all the sensitive data and for compliance with the international data security standard (PCI-DSS 3.2 in all 3 scopes).

Clients are safe. Merchants are worry-free. Payments done right with Omise.
