Security Overview

As an international online payment gateway service provider, we consider our partner’s security a top priority.

HTTPS/TLS

With Omise, card data is always transmitted from the cardholder’s browser (or from the merchant server, if it is PCI DSS certified) to our servers using TLS encryption. Because of SSL 3.0’s known security issues, we have disabled that protocol and do not allow it on our load balancers. All communication between application servers, load balancers, proxies and databases is encrypted using SSL/TLS, all within private and closely monitored subnets. And as required by PCI DSS 3.2, we only support TLS 1.2 and above.

Our servers only accept HTTPS/TLS connections for API operations. HTTPS/TLS is also enabled on Omise’s dashboard interface.

Visit our SSL Labs test page for live results: www.ssllabs.com/ssltest/analyze.html?d=api.omise.co

Encryption

Omise encrypts cards using the highest grade encryption (AES-256). The key length (256 bits) and the number of rounds (14) make recovering any of the encrypted data without the key computationally infeasible. All sensitive data is stored in our encrypted database, which is protected under a highly secured environment. Even our staff are unable to get their hands on it.

Data can only be decrypted by Omise’s application, and decryption is performed only when the card is sent to the bank for charging.

PCI Compliance

Omise is certified PCI-DSS Version 3.2. Every year we undergo a Payment Card Industry (PCI) audit, an integral part of maintaining PCI-DSS certification. The purpose of this certification is to ensure that Omise adheres to the set of industry-mandated requirements which assure that cards are processed, stored and transmitted in a secure environment.

Visit Visa’s Global Registry of Service Providers to confirm the validity of our certification, or find out more about PCI-DSS at www.pcisecuritystandards.org/pci_security

Transmitting cards

Credit card details entered into checkout forms on websites are sent directly from the cardholder’s browser to Omise’s servers, using one of our libraries (Card.js or Omise.js), via a secured HTTPS (TLS) communication channel. A token, which can be used to create a charge or saved as a Customer for later use, is generated and returned to the cardholder’s browser.

Note: All credit cards that enter our system are tokenized.

Processing cards

This is where Omise connects with the acquiring bank to charge cards. It is a multi-step process that depends on whether the card is being used for the first time or has already been stored in our vault.

Scenario 1: First-time use

A CVV check is attempted with the bank by charging the card a minimal fee (THB 30); if successful, the charge is voided and the card data proceeds to storage. At this stage, multiple fraud detection checks are performed by Omise in partnership with market leaders. Per PCI requirements, the card’s CVV cannot be stored, so it is only forwarded to the bank for authentication.

Scenario 2: Saved card

All cards that are stored in our vault have already passed the CVV and fraud checks. They are decrypted and sent to the bank for charging the desired amount.

Note that charges can still be rejected if the card has been canceled, is reported lost/stolen or lacks sufficient funds.

Storing cards

Once card details are entered into the checkout form on a website, they are sent directly from the cardholder’s browser to Omise’s servers via a secure HTTPS (TLS) communication channel. Merchants never see, or have the chance to access, any of the details. Omise then encrypts the card using the highest grade symmetric encryption (AES-256) before storing it in our encrypted database, which is protected under a highly secured environment. (Even our staff aren’t able to get their hands on it!)

Cards are only decrypted when they’re sent to the bank for charging.

Tokens

Tokens are used as a transport layer for credit cards. Each token represents a card and can be used wherever a card is required, just by using the token ID. Tokens are much safer to handle than credit card data because they are useless without your secret key.

A token's lifecycle:

  • Your customer enters their credit card data in their browser.
  • Credit card data is sent directly from the browser to our server.
  • We return a token that represents the card.
  • The token is sent from the customer's browser to your server.
  • You can then send us the token to charge your customer.

Example:
Credit card: 4242-4242-4242-4242, Joe Doe, 10/2020
Omise Token: tokn_51rcpwcdbe2etrgydpb

A token can be used to create a charge or to save as a Customer for later charging, i.e. to perform recurring payments or for express checkouts.
For more detailed information, read our documentation on Omise.js.

Note: To create tokens you must use the Omise.js JavaScript library. You are not allowed to send credit card data to your servers unless you are PCI-DSS compliant. Sending credit card data from your server increases fraud risk and will result in temporary or permanent account suspension.

Related articles:
Fraud Protection
Where can I find Omise PCI-DSS Certificate?