Security


About Services Security of NICEPAY



As a services provider in , is obligated to meet security standards during s to avoid suspicious activity that can harm any parties, both s and s. The following are regarding security of services available in .



Security Standards and Regulations

Security Features

 has FDS and 3DS systems as security features for secure using .



Compliance

 already has local security certifications and licenses, such as PJP (Penyedia Jasa Pembayaran) Category 2 permit related to Payment Gateway and Category 3 permit related to PTD (Penyelenggara Transfer Dana) from , Domestic PSE from Kominfo, as well as international compliance certifications, namely PCI DSS Level 1 and PCI 3DS.



Role and Responsibility on Protection

Transaction protection is the responsibility and role of all parties, not only . is responsible for maintaining transmission data security, identifying users and authenticating access to components.

The following is the list of responsibilities for maintaining security.

  1. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
    • Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.
    • PAN is protected with strong cryptography during transmission.
    • Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:
      • Only trusted keys and certificates are accepted.
      • Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
      • The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
      • The encryption strength is appropriate for encryption methodology in use.
    • An inventory of entity’s trusted keys and certificates used to protect PAN during transmission is maintained.
  2. Identify Users and Authenticate Access to System Components
    • User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
    • All users are assigned a unique ID before access to components or cardholder data is allowed.
    • Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
      • Account use is prevented unless needed for an exceptional circumstance.
      • Use is limited to the time needed for the exceptional circumstance.
      • Business justification for use is documented.
      • Use is explicitly approved by management.
      • Individual user identity is confirmed before access to an account is granted.
      • Every action taken is attributable to an individual user.



NICEPAY Products Security

Data Transmission

 has used HTTPS on all endpoints to maintain security of data transmission in transactions between s and s, s with , and other parties connected to .



Authentication

 has special authentication in verifying data in for SNAP and non-SNAP s. In SNAP s, authentication uses Request Access Token API - SNAP, following the provisions of the Indonesian Payment Association. In non-SNAP s, authentication uses a Merchant Token with the SHA-256 hashing method.



Callback Handling

Callback Handling is used by s to verify of s to .



Whitelist IP

Merchants can whitelist IPs to increase their system security if needed. Please contact NICEPAY Customer Service to get the list of NICEPAY IPs.




Notification and Transaction Status

Every process that runs on has automatic notifications which contain and that vary according to the stage of a . We suggest s check the notifications sent and use Status Inquiry regularly to avoid injection from irresponsible parties.

List of Status Inquiry :

Notification Injection is a security vulnerability in which an attacker sends a that is not supposed to be sent to systems.
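
An added example, not NICEPAY's own code: a merchant-side check that accepts a notification only when it arrives from an allowlisted address and the Status Inquiry result agrees with it. The field names, the `paid` status value, the IP range and the `sample_inquiry` stand-in are assumptions made for illustration.

```python
import ipaddress

# Constructed placeholder range (RFC 5737); the real list comes from NICEPAY Customer Service.
ALLOWED_NETWORKS = ["203.0.113.0/28"]
# Hypothetical field names; map them to the fields of the real notification.
CHECKED_FIELDS = ("transaction_id", "reference_no", "amount", "status")


def source_is_allowed(source_ip, networks=ALLOWED_NETWORKS):
    """True only if source_ip parses and lies inside an allowlisted network.
    Pass the TCP peer address, not a client-supplied header value."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in networks)


def verify_notification(source_ip, notification, inquire_status):
    """Return (accepted, reason); accept only what the status inquiry confirms."""
    if not source_is_allowed(source_ip):
        return False, "source IP not in allowlist"
    missing = [f for f in CHECKED_FIELDS if not notification.get(f)]
    if missing:
        return False, "missing fields: " + ", ".join(missing)
    try:
        record = inquire_status(notification["transaction_id"])
    except Exception as exc:  # fail closed if the inquiry cannot be completed
        return False, f"status inquiry failed: {exc}"
    if record is None:
        return False, "transaction unknown to status inquiry"
    for field in CHECKED_FIELDS:
        if str(record.get(field)) != str(notification[field]):
            return False, f"{field} differs from status inquiry"
    return True, "confirmed by status inquiry"


# Constructed stand-in for the Status Inquiry call (no network access).
SAMPLE_RECORDS = {"TX-1001": {"transaction_id": "TX-1001", "reference_no": "ORD-77",
                              "amount": 10000, "status": "paid"}}


def sample_inquiry(transaction_id):
    return SAMPLE_RECORDS.get(transaction_id)


if __name__ == "__main__":
    sample = {"transaction_id": "TX-1001", "reference_no": "ORD-77",
              "amount": "10000", "status": "paid"}
    print(verify_notification("198.51.100.7", sample, sample_inquiry))
    print(verify_notification("203.0.113.5", sample, sample_inquiry))
```

In a real handler, `inquire_status` would wrap the Status Inquiry request over HTTPS, and the order would be updated from the inquiry result instead of the notification body.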



Security Maintenance

Bug Bounty Program

 appreciates all forms of regarding security issues submitted. However, does not have a Bug Bounty program and does not provide any rewards. Though does not currently have a Bug Bounty program for public participation, we may consider it in future.

 will continue to evaluate and improve security of our based on national and international standards as a top priority to protect confidentiality of for every that runs in our . For further regarding Bug Bounty program and security of in future, please visit official website and social media.