Security
As a services provider in , is obligated to meet security standards during s to avoid suspicious activity that could harm any party, both s and s. The following are regarding the security of the services available in .
already holds local security certifications and licenses, such as the PJP (Penyedia Jasa Pembayaran) Category 2 permit for Payment Gateway and the Category 3 permit for PTD (Penyelenggara Transfer Dana) from , Domestic PSE from Kominfo, as well as international compliance certifications, namely PCI DSS Level 1 and PCI 3DS.
Transaction protection is the responsibility and role of all parties, not only . is responsible for maintaining the security of transmitted data, identifying users, and authenticating access to components.
The following is the list of responsibilities for maintaining security.
- Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
- Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented
- PAN is protected with strong cryptography during transmission.
- Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:
- Only trusted keys and certificates are accepted.
- Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
- The protocol in use supports only secure versions or configurations and does not support fallback to, or use of, insecure versions, algorithms, key sizes, or implementations.
- The encryption strength is appropriate for encryption methodology in use.
- An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained.
- Identify Users and Authenticate Access to System Components
- User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
- All users are assigned a unique ID before access to components or cardholder data is allowed.
- Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
- Account use is prevented unless needed for an exceptional circumstance.
- Use is limited to the time needed for the exceptional circumstance.
- Business justification for use is documented.
- Use is explicitly approved by management.
- Individual user identity is confirmed before access to an account is granted.
- Every action taken is attributable to an individual user.
uses HTTPS on all endpoints to maintain the security of data transmission in transactions between s and s, between s and , and with other parties connected to .
has special authentication for verifying data in for SNAP and non-SNAP s. In SNAP s, authentication uses the Request Access Token API - SNAP, following the provisions of the Indonesian Payment Association. In non-SNAP s, authentication uses a Merchant Token with the SHA-256 hashing method.
Callback Handling is used by s to verify the of s to .
Every process that runs on has automatic notifications which contain and that vary according to the stage of a . We suggest that s check the notifications sent and use Status Inquiry regularly to avoid injection from irresponsible parties.
List of Status Inquiry :
API Version | API Link |
---|---|
SNAP Version | |
Version 2 | |
Version 1 | |
Notification Injection is one of the security vulnerabilities in which an attacker sends a that is not supposed to be sent to systems.
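The defensive pattern described above, written as an added example that is not part of the original page or the provider's own code: a callback handler that first authenticates the notification with a Merchant Token (the SHA-256 token format, `merchant_token`, the secret value and the `status_inquiry` stand-in are all hypothetical, since the page does not document them) and then refuses to act on the notification's own status until a Status Inquiry confirms it, so an injected notification cannot mark an unpaid order as paid.

```python
import hashlib
import hmac
import json

# Constructed placeholder; a real merchant secret would come from configuration.
MERCHANT_TOKEN_SECRET = "example-merchant-secret"


def merchant_token(payload: dict, secret: str) -> str:
    """Hypothetical Merchant Token: SHA-256 over the canonical JSON body plus the secret.
    The page only states that SHA-256 is used; this concrete layout is an assumption."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((body + secret).encode("utf-8")).hexdigest()


def status_inquiry(reference: str) -> dict:
    """Stand-in for the Status Inquiry API, returning constructed ledger data.
    In production this would be an authenticated call to the provider's endpoint."""
    ledger = {"INV-001": {"status": "PAID", "amount": 150000}}
    return ledger.get(reference, {"status": "NOT_FOUND"})


def handle_callback(notification: dict, received_token: str, secret: str,
                    inquire=status_inquiry) -> str:
    """Return ACCEPTED only when the notification is authentic AND independently confirmed."""
    # 1. Authenticate the sender. Constant-time compare avoids timing leaks on the token.
    expected = merchant_token(notification, secret)
    if not hmac.compare_digest(expected, received_token):
        return "REJECTED_BAD_TOKEN"

    # 2. Do not trust the status carried in the callback. Re-query the provider and
    #    require status and amount to agree before updating the merchant's own records.
    actual = inquire(notification.get("reference", ""))
    if (actual.get("status") != notification.get("status")
            or actual.get("amount") != notification.get("amount")):
        return "REJECTED_MISMATCH"

    return "ACCEPTED"


if __name__ == "__main__":
    genuine = {"reference": "INV-001", "status": "PAID", "amount": 150000}
    print(handle_callback(genuine, merchant_token(genuine, MERCHANT_TOKEN_SECRET),
                          MERCHANT_TOKEN_SECRET))
```

Treating the callback as a hint and the Status Inquiry as the source of truth is what makes the injected-notification case fail even if an attacker somehow obtains a valid token.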
appreciates all forms of regarding security issues that are submitted. However, does not have a Bug Bounty program and does not provide any rewards. Although does not currently have a Bug Bounty program open to public participation, we may consider one in the future.
will continue to evaluate and improve the security of our based on national and international standards as a top priority, to protect the confidentiality of for every that runs in our . For further regarding the Bug Bounty program and the security of in the future, please visit our official website and social media.