As a services provider in , is obligated to meet security standards during s to avoid suspicious activity that can harm any parties, both s and s. The following are regarding security of services available in .
Security Standards and Regulations
Security Features
has FDS and 3DS systems as security features for secure using .
Compliance
already has local security certifications and licenses, such as PJP (Penyedia Jasa Pembayaran) Category 2 permit related to Payment Gateway and Category 3 permit related to PTD (Penyelenggara Transfer Dana) from , Domestic PSE from Kominfo, as well as international compliance certifications, namely PCI DSS Level 1 and PCI 3DS.
Role and Responsibility on Protection
Transaction protection is the responsibility and role of all parties, not only . responsible for maintaining transmission data security, identifying users, and authenticating access to component.
The following is the list of responsibilities for maintaining security.
Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.
PAN is protected with strong cryptography during transmission.
Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:
Only trusted keys and certificates are accepted.
Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
The encryption strength is appropriate for encryption methodology in use.
An inventory of entity’s trusted keys and certificates used to protect PAN during transmission is maintained.
Identify Users and Authenticate Access to System Components
User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
All users are assigned a unique ID before access to components or cardholder data is allowed.
Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
Account use is prevented unless needed for an exceptional circumstance.
Use is limited to time needed for exceptional circumstance.
Business justification for use is documented.
Use is explicitly approved by management.
Individual user identity is confirmed before access to an account is granted.
Every action taken is attributable to an individual user.
NICEPAY Products Security
Data Transmission
has used HTTPS on all endpoints to maintain security of data transmission in transactions between s and s, s with , and other parties connected to .
Authentication
has special authentication in verifying data in for SNAP and non-SNAP s. In SNAP s, authentication uses Request Access Token API - SNAP by following provisions of Indonesian Payment Association. While in non-SNAP s, authentication uses a Merchant Token with SHA-256 hashing method.
Callback Handling
Callback Handling is used by s to verify of s to .
Whitelist IP
Merchants can whitelist IPs to increase their system security if needed. Please contact NICEPAY Customer Service (cs@nicepay.co.id) to get the list of NICEPAY IPs.
Notification and Transaction Status
Every process that runs on has automatic notifications which contain and that vary according to stage of a . We suggest s check notifications sent and use Status Inquiry regularly to avoid injection from irresponsible parties.
Notification injection is a security vulnerability in which an attacker sends a that is not supposed to be sent to systems.
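The following is an added example, not NICEPAY code, of how a receiving system can layer the controls described above (IP allowlist, token check, Status Inquiry) before acting on a notification. The field names, the token layout (SHA-256 over reference number, amount and key) and the `inquire_status` callable are assumptions made for illustration, and all sample values are constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (documentation IP range, fake key, fake ledger).
ALLOWED_NETS = ["203.0.113.0/28"]
MERCHANT_KEY = "constructed-merchant-key"
LEDGER = {
    "ORD-1001": {"amount": "150000", "status": "paid"},
    "ORD-1002": {"amount": "99000", "status": "pending"},
}

def expected_token(reference_no, amount, merchant_key):
    # Assumed layout: the token binds reference number and amount, not status.
    material = f"{reference_no}{amount}{merchant_key}".encode()
    return hashlib.sha256(material).hexdigest()

def make_notif(reference_no, amount, status, merchant_key=MERCHANT_KEY):
    """Build a sample notification the way the assumed sender would."""
    token = expected_token(reference_no, amount, merchant_key)
    return {"reference_no": reference_no, "amount": amount,
            "status": status, "token": token}

def verify_notification(notif, source_ip, allowed_nets, merchant_key, inquire_status):
    """Return (accepted, reason), checking cheapest control first."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "invalid source IP"
    if not any(ip in ipaddress.ip_network(net) for net in allowed_nets):
        return False, "source IP not allowlisted"
    if not all(k in notif for k in ("reference_no", "amount", "status", "token")):
        return False, "malformed notification"
    want = expected_token(notif["reference_no"], notif["amount"], merchant_key)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(want.encode(), str(notif["token"]).encode()):
        return False, "token mismatch"
    # The notification is only a hint: the inquiry result is authoritative.
    confirmed = inquire_status(notif["reference_no"])
    if confirmed is None:
        return False, "unknown transaction"
    if (confirmed["amount"], confirmed["status"]) != (notif["amount"], notif["status"]):
        return False, "status inquiry disagrees"
    return True, "verified"
```

Because the assumed token does not cover the status field, only the final inquiry step rejects a notification whose status was altered or replayed with a valid token.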
Security Maintenance
Bug Bounty Program
appreciates all forms of regarding security issues submitted. However, does not have a Bug Bounty program and does not provide any rewards. Though does not currently have a Bug Bounty program for public participation, we may consider it in the future.
will continue to evaluate and improve security of our based on national and international standards as a top priority to protect confidentiality of for every that runs in our . For further regarding Bug Bounty program and security of in the future, please visit official website and social media.