Security
As a services provider in , is obligated to meet security standards during s to avoid suspicious activity that can harm any parties, both s and s. The following are regarding security of services available in .
already has local security certifications and licenses, such as PJP (Penyedia Jasa Pembayaran) Category 2 permit related to Payment Gateway and Category 3 permit related to PTD (Penyelenggara Transfer Dana) from , Domestic PSE from Kominfo, as well as international compliance certifications, namely PCI DSS Level 1 and PCI 3DS.
Transaction protection is the responsibility and role of all parties, not only . is responsible for maintaining transmission data security, identifying users and authenticating access to component.
- Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
  - Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.
  - PAN is protected with strong cryptography during transmission.
    - Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:
      - Only trusted keys and certificates are accepted.
      - Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
      - The protocol in use supports only secure versions or configurations and does not support fallback to, or use of, insecure versions, algorithms, key sizes, or implementations.
- Identify Users and Authenticate Access to System Components
  - User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
    - Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
      - Account use is prevented unless needed for an exceptional circumstance.
      - Business justification for use is documented.
      - Use is explicitly approved by management.
      - Individual user identity is confirmed before access to an account is granted.
      - Every action taken is attributable to an individual user.
has used HTTPS on all endpoints to maintain security of data transmission in transactions between s and s, s with , and other parties connected to .
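A client-side check of the three transmission bullets above (trusted certificates only, valid certificates, no fallback to insecure protocol versions), as an added example that is not part of the original page or the provider's own code. The function names are hypothetical and only Python's standard `ssl` and `socket` modules are used:

```python
import socket
import ssl


def hardened_client_context():
    """TLS client context: system trust store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse fallback to older versions
    # Expiry is checked as part of chain verification. Revocation is NOT checked
    # by default; it needs CRLs loaded plus ssl.VERIFY_CRL_CHECK_LEAF.
    return ctx


def weak_client_context():
    """The misconfiguration to look for in integration code (for comparison only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, trusted or not
    return ctx


def audit_client_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


def negotiated_version(host, port=443, timeout=5.0):
    """Connect with the hardened context and report the negotiated TLS version.

    Raises ssl.SSLCertVerificationError if the certificate is untrusted,
    expired, or does not match `host`. `host` is supplied by the caller.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("hardened:", audit_client_context(hardened_client_context()))
    print("weak:    ", audit_client_context(weak_client_context()))
```
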
has special authentication in verifying data in for SNAP and non-SNAP s. In SNAP s, authentication uses the Request Access Token API - SNAP, following the provisions of the Indonesian Payment Association. In non-SNAP s, authentication uses a Merchant Token with the SHA-256 hashing method.
Every process that runs on has automatic notifications which contain and that varies according to stage of a . We suggest s check the notifications sent and use Status Inquiry regularly to avoid injection from irresponsible parties.
API Version | API Link |
SNAP Version | |
Version 2 | |
Version 1 |
appreciates all forms of regarding security issues submitted. However, does not have a Bug Bounty program and does not provide any rewards. Though does not currently have a Bug Bounty program for public participation, we may consider it in future.
will continue to evaluate and improve security of our based on national and international standards as a top priority to protect confidentiality of for every that runs in our . For further regarding Bug Bounty program and security of in future, please visit official website and social media.