Security Best Practices

Security best practices for merchants

Companion document: This guide describes your responsibilities as a merchant when accepting payments online. For foundational concepts — tokenization, encryption, and PCI DSS compliance — see the Security Overview.

If you have any questions after reading this document, contact Omise Support.


1. Send card details from the client device

Omise is a certified PCI DSS Compliant Service Provider. PCI DSS is a set of industry-mandated requirements ensuring that card details are processed, stored, and transmitted securely.

To comply with these requirements, you must send card details directly from the user's client device to Omise's encrypted vault server using one of the provided client-side libraries or plugins. These libraries return one-time-use tokens, which your backend server uses to create charges and perform other card operations. Actual card details never pass through your servers.

Token overview — card details flow from the client device to Omise's vault, returning a one-time-use token to your server

Exception: Merchants who are themselves PCI DSS Certified are still required to notify Omise before handling card details directly.

Use the appropriate client-side integration for your platform:

  • Web (browser): Omise.js and its pre-built payment form
  • iOS: Omise iOS SDK
  • Android: Omise Android SDK
  • Plugin: an approved Omise plugin — do not modify its source code

Avoid accidentally capturing sensitive card details

When building payment forms, ensure that form parameters containing card details are not inadvertently sent to your server or captured in server logs.

Disable analytics and tracking tools — such as Mixpanel and Google Analytics — on your checkout page. These tools collect page data, which may include sensitive user information, and transmit it to third parties.
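The backend side of the flow described in this section, as an added example (this is not Omise's code and not from Omise.js): the charge endpoint accepts only the one-time token and order fields, rejects any request that carries raw card data, and applies the same redaction before a request body is written to a log. The field-name list, the sample requests and the endpoint shape are constructed for illustration; the `tokn_` token prefix and the `card` charge parameter are Omise's.

```javascript
// Added example, not Omise's code: a guard for a backend /charge endpoint.
// The browser sends only the one-time token (tokn_...) returned by Omise.js;
// anything that looks like raw card data is rejected, and the same redaction
// is applied before a request body is written to a log.

// Field names that should never reach the server (constructed list; extend for your forms).
const CARD_FIELD_NAMES = new Set([
  'number', 'card_number', 'cardnumber', 'pan',
  'security_code', 'cvv', 'cvc', 'cvv2',
  'expiration_month', 'expiration_year', 'expiry',
]);

// 13 to 19 digits, optionally separated by spaces or hyphens.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

// Luhn check separates a plausible card number from an order id or phone number.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Replace every Luhn-valid digit run in a string with a masked form keeping the last 4.
function maskPans(text) {
  return text.replace(PAN_PATTERN, (match) => {
    const digits = match.replace(/[ -]/g, '');
    return luhnValid(digits) ? '*'.repeat(digits.length - 4) + digits.slice(-4) : match;
  });
}

// Walk a JSON body (or log context) and return a copy with card data masked.
function redactCardData(input) {
  if (Array.isArray(input)) return input.map(redactCardData);
  if (input !== null && typeof input === 'object') {
    const out = {};
    for (const [key, value] of Object.entries(input)) {
      out[key] = CARD_FIELD_NAMES.has(key.toLowerCase()) ? '[REDACTED]' : redactCardData(value);
    }
    return out;
  }
  if (typeof input === 'string') return maskPans(input);
  if (typeof input === 'number') {
    const masked = maskPans(String(input));
    return masked === String(input) ? input : masked;
  }
  return input;
}

// True when the body carries anything that should never have reached this server.
function containsCardData(body) {
  return JSON.stringify(redactCardData(body)) !== JSON.stringify(body);
}

// Validate an incoming charge request: a token plus order fields, nothing else card-related.
function validateChargeRequest(body) {
  if (containsCardData(body)) {
    return { ok: false, reason: 'raw card data received; the client must tokenize with Omise.js' };
  }
  if (typeof body.token !== 'string' || !body.token.startsWith('tokn_')) {
    return { ok: false, reason: 'missing or malformed Omise token' };
  }
  if (!Number.isInteger(body.amount) || body.amount <= 0) {
    return { ok: false, reason: 'amount must be a positive integer in the smallest currency unit' };
  }
  // Only the token is forwarded to the Omise API as the charge's card.
  return { ok: true, charge: { amount: body.amount, currency: body.currency, card: body.token } };
}

// Constructed sample requests. 4242 4242 4242 4242 is a well-known test number, not a real card.
const GOOD_REQUEST = { token: 'tokn_test_example', amount: 10000, currency: 'thb', order_id: 'ORD-1000000000' };
const BAD_REQUEST = {
  token: 'tokn_test_example', amount: 10000, currency: 'thb',
  card: { number: '4242424242424242', security_code: '123' },
  note: 'customer pasted 4242-4242-4242-4242 into the comment box',
};

console.log(validateChargeRequest(GOOD_REQUEST));
console.log(validateChargeRequest(BAD_REQUEST));
console.log('log-safe body:', JSON.stringify(redactCardData(BAD_REQUEST)));
```

A rejected request is itself a signal worth alerting on: it means a form field or a plugin modification is sending card data past the tokenization step, which is exactly the condition that pulls your servers into PCI DSS scope.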


2. Enable HTTPS on your website

HTTPS is required for your checkout page and highly recommended for your entire website.

Enabling HTTPS on your checkout page protects your users' sensitive data, prevents account compromise, and increases user confidence — which can lead to higher conversion rates. Search engines also rank HTTPS-enabled sites higher.

Transport Layer Security (TLS) is the successor to SSL. You are required to use TLS version 1.2 or later, together with a supported cipher suite, to enable HTTPS on your web servers. Omise recommends Let's Encrypt for obtaining certificates.

Note: HTTPS is also required for your webhook endpoint URL if webhooks are enabled on your account.

Supported TLS cipher suites

The following cipher suites are supported. Other, less secure TLS ciphers may not be accepted:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384

3. Store and transmit your secret key securely

Every Omise account has a public key and a secret key. See API Authentication for details.

  • Your public key can be used only for limited, safe operations such as tokenizing credit cards.
  • Your secret key grants access to all other API operations — including creating charges, issuing refunds, initiating transfers, and retrieving customer data.

Take the following steps to keep your secret key secure:

  • Do not commit your secret key to a code repository. Use environment variables instead. See Heroku's Config Vars documentation for an example.
  • Do not share accounts. To review who has accessed your account, visit dashboard.omise.co/sessions.
  • Use strong passwords and enable Two-Factor Authentication (2FA) on your Omise dashboard and any other e-commerce or administrative backend you use.

If your secret key is compromised, you are required to log in to your dashboard immediately and roll your keys. It is also recommended that you notify Omise as soon as possible so the team can verify your account security.
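The environment-variable approach in practice, as an added example (not Omise's code): the server reads its key from the environment, refuses to start if the key is missing or is the public key, builds the HTTP Basic credential the Omise API expects (the key as username with an empty password), and checks anything serialized toward the browser for a secret key. `OMISE_SECRET_KEY` is a hypothetical variable name, and the key-format check is an assumption built from the `pkey_`/`skey_` prefixes and the test/live naming.

```javascript
// Added example, not Omise's code: read the secret key from an environment
// variable, refuse to run with a public key or no key, and build the HTTP
// Basic credential the Omise API expects (key as username, empty password).
// OMISE_SECRET_KEY is a hypothetical variable name; KEY_PATTERN is an assumption
// based on the pkey_/skey_ prefixes and the test/live naming.

const KEY_PATTERN = /^(pkey|skey)_(test|live)_[A-Za-z0-9]+$/;

function loadSecretKey(env = process.env) {
  const key = env.OMISE_SECRET_KEY;
  if (!key) throw new Error('OMISE_SECRET_KEY is not set; provide it via the environment, never in source');
  const match = KEY_PATTERN.exec(key);
  if (!match) throw new Error('OMISE_SECRET_KEY does not look like an Omise API key');
  if (match[1] !== 'skey') throw new Error('OMISE_SECRET_KEY holds a public key; the server needs the skey_ key');
  return key;
}

// Authorization header for server-to-Omise calls.
function basicAuthHeader(secretKey) {
  if (!secretKey.startsWith('skey_')) throw new Error('refusing to authenticate with a non-secret key');
  return 'Basic ' + Buffer.from(`${secretKey}:`).toString('base64');
}

// For logs and error reports: prefix and last four characters only.
function maskKey(key) {
  return `${key.slice(0, 10)}...${key.slice(-4)}`;
}

// Guard for anything serialized toward the browser (page config, JSON responses, bundles).
function assertNoSecretKey(payload) {
  if (/skey_(test|live)_/.test(JSON.stringify(payload))) {
    throw new Error('a secret key would be exposed to the client');
  }
  return payload;
}

// Constructed example environment (not a real key).
const EXAMPLE_ENV = { OMISE_SECRET_KEY: 'skey_test_constructedexample1' };
const exampleKey = loadSecretKey(EXAMPLE_ENV);
console.log('loaded', maskKey(exampleKey));
console.log(assertNoSecretKey({ publicKey: 'pkey_test_constructedexample1' }));
```

Wrap the template or JSON-config step that hands the public key to Omise.js in `assertNoSecretKey`; a startup failure in staging is far cheaper than a key roll after the secret reaches a browser.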


4. Follow recommendations for minimizing fraud

Omise's fraud protection system requires detailed transaction data to calculate a risk score for each transaction.

In addition to providing a secure payment form, Omise.js automatically collects supplementary signals — including the user's client IP address, browser agent, and browser history — which the fraud protection system uses to assess risk. For example, transactions originating from server hosting providers, Tor exit nodes, or public proxies carry a higher risk score than those originating from residential connections in the card issuer's country.

To maximize the effectiveness of automated fraud protection, it is recommended that you:

  • Capture billing address details, especially for customers based in the United States and Canada.
  • Supply the charge.ip, charge.description, and customer.email parameters in your charge requests.
  • Provide supplementary purchase details such as the number of items, item types, and expected delivery date.
  • Supply the customer's actual IP address rather than a proxy or server IP.

For a full list of recommended parameters, see the Fraud Protection guide.
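Putting the recommendations above into a charge request, as an added example (not Omise's code): the charge carries `ip`, `description` and `metadata` with the purchase details, and the IP is resolved from `X-Forwarded-For` only when the TCP peer is one of your own proxies, reading the header from the right so a client-supplied leftmost entry cannot substitute a different address. The trusted-proxy address, the order shape and the sample request are constructed.

```javascript
// Added example, not Omise's code: building the charge request with the fields
// recommended above and resolving the customer's real IP behind a reverse proxy.
// amount, currency, card, ip, description and metadata are charge parameters;
// the trusted-proxy address, order shape and request object are constructed.

// Addresses of your own load balancers / reverse proxies (constructed value).
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

// Real client address: trust X-Forwarded-For only when the TCP peer is our proxy,
// and read it from the right so a client-supplied leftmost entry cannot spoof it.
function clientIp(remoteAddress, xForwardedFor, trustedProxies = TRUSTED_PROXIES) {
  if (!trustedProxies.has(remoteAddress)) return remoteAddress;
  const hops = String(xForwardedFor || '').split(',').map((h) => h.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return remoteAddress;
}

function buildChargeParams(order, req) {
  return {
    amount: order.amountMinor,          // smallest currency unit
    currency: order.currency,
    card: order.token,                  // one-time token from Omise.js
    ip: clientIp(req.remoteAddress, req.headers['x-forwarded-for']),
    description: `Order ${order.id}: ${order.items.length} item(s) (${order.itemType}), delivery ${order.deliveryDate}`,
    metadata: {
      order_id: order.id,
      item_count: order.items.length,
      item_type: order.itemType,
      expected_delivery: order.deliveryDate,
    },
  };
}

// Constructed order and request (addresses taken from documentation ranges).
const SAMPLE_ORDER = {
  id: 'A1001', amountMinor: 250000, currency: 'thb', token: 'tokn_test_example',
  items: ['sku-1', 'sku-2'], itemType: 'physical goods', deliveryDate: '2024-02-01',
};
const SAMPLE_REQ = {
  remoteAddress: '10.0.0.5',                                   // our proxy connected to us
  headers: { 'x-forwarded-for': '192.0.2.1, 198.51.100.9' },   // leftmost entry is client-supplied
};

console.log(buildChargeParams(SAMPLE_ORDER, SAMPLE_REQ));
```

The customer's email belongs on the Customer object rather than the charge, so supply it when you create the customer server-side; billing address fields are captured at tokenization time in the client-side form, not added here.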


5. Monitor your logs

Certain business types are inherently more susceptible to fraud. See Omise's list of prohibited businesses for reference.

Example: Services such as mobile top-ups allow a malicious actor to extract cash value before a refund or void can be processed.

If any aspect of your business falls into a higher-risk category, monitor your transaction logs regularly for suspicious activity. To access logs, log in to your Omise Dashboard and select Logs from the navigation menu.
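A first pass over exported charge records, as an added example (not Omise's code and not a dashboard feature): it flags charges the fraud protection system already blocked and any address with repeated failed charges inside a short window, which is the pattern a higher-risk business most wants to catch early. The record shape (id, created, ip, amount, status, failure_code) and all values are constructed for this example; the thresholds are parameters you would tune to your own volume.

```javascript
// Added example, not Omise's code: a first-pass review of exported charge
// records that flags items worth a manual look. The record shape below is a
// constructed, simplified subset (id, created, ip, amount, status, failure_code).

const SAMPLE_CHARGES = [
  { id: 'chrg_01', created: '2024-01-05T10:00:00Z', ip: '198.51.100.9', amount: 2000, status: 'failed', failure_code: 'insufficient_fund' },
  { id: 'chrg_02', created: '2024-01-05T10:01:00Z', ip: '198.51.100.9', amount: 2000, status: 'failed', failure_code: 'invalid_security_code' },
  { id: 'chrg_03', created: '2024-01-05T10:02:30Z', ip: '198.51.100.9', amount: 2000, status: 'failed', failure_code: 'payment_rejected' },
  { id: 'chrg_04', created: '2024-01-05T10:03:00Z', ip: '198.51.100.9', amount: 2000, status: 'successful', failure_code: null },
  { id: 'chrg_05', created: '2024-01-05T11:00:00Z', ip: '203.0.113.20', amount: 150000, status: 'failed', failure_code: 'failed_fraud_check' },
  { id: 'chrg_06', created: '2024-01-05T12:00:00Z', ip: '203.0.113.44', amount: 5000, status: 'successful', failure_code: null },
  { id: 'chrg_07', created: '2024-01-05T18:00:00Z', ip: '198.51.100.9', amount: 2000, status: 'failed', failure_code: 'insufficient_fund' },
];

function reviewCharges(charges, { maxFailuresPerIp = 3, windowMs = 10 * 60 * 1000 } = {}) {
  const flags = [];

  // Rule 1: anything the fraud protection system already blocked deserves a look.
  for (const c of charges) {
    if (c.failure_code === 'failed_fraud_check') {
      flags.push({ kind: 'fraud_check', id: c.id, ip: c.ip, amount: c.amount });
    }
  }

  // Rule 2: repeated failures from one address inside a short window (sliding window).
  const failuresByIp = new Map();
  for (const c of charges) {
    if (c.status !== 'failed') continue;
    if (!failuresByIp.has(c.ip)) failuresByIp.set(c.ip, []);
    failuresByIp.get(c.ip).push(Date.parse(c.created));
  }
  for (const [ip, times] of failuresByIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= maxFailuresPerIp) {
        flags.push({ kind: 'repeated_failures', ip, count: end - start + 1, windowMinutes: windowMs / 60000 });
        break; // one flag per address is enough for a review queue
      }
    }
  }
  return flags;
}

console.log(reviewCharges(SAMPLE_CHARGES));
```

A successful charge that follows a burst of failures from the same address (chrg_04 above) is the one to look at first, since a completed payment is what a mobile top-up style service can turn into value before a refund or void lands.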


6. Stay updated

Security threats evolve continuously. Omise regularly releases updated versions of its client libraries to address bugs and potential vulnerabilities.

  • Keep all Omise libraries and plugins updated to their latest versions.
  • Review this page periodically for the most current recommendations on securely accepting payments online.
  • Monitor status.omise.co for API availability and incident updates.

7. FAQ

Q: Why can't I just send card details directly to my own server?

Sending card details through your own server brings your infrastructure into scope for PCI DSS compliance — a costly and complex certification process. By sending card details directly from the client device to Omise's encrypted vault using Omise.js or the mobile SDKs, your servers never handle raw card data, which greatly reduces your compliance burden.


Q: What is a one-time-use token and how does it work?

When a user enters their card details into the Omise.js payment form or a mobile SDK, those details are transmitted directly to Omise's servers, which return a short-lived, single-use token. You pass this token from the client to your backend server and use it to create a charge via the API. The token cannot be reused and is valid for one merchant only, so intercepting it provides no usable card data.


Q: Do I need HTTPS if I am using a hosted payment page?

Yes. HTTPS is required on your checkout page regardless of whether you host the payment form yourself or use a hosted solution. It is also required on any webhook endpoint URL you configure. Omise strongly recommends enabling HTTPS across your entire website.


Q: What should I do if I suspect my secret key has been exposed?

Log in to your Omise Dashboard immediately and roll your API keys. Rolling your keys invalidates the compromised key and issues a new one. It is also recommended that you notify Omise Support promptly so the team can investigate and verify your account security.


Q: Can I use my secret key on the client side?

No. Your secret key must never be exposed in client-side code, public repositories, or browser environments. Use only your public key (pkey_) in client-side integrations. Your secret key (skey_) must be stored securely on your server and accessed only via environment variables or a secrets management service.


Q: What analytics tools are safe to run on my checkout page?

No third-party analytics or tracking tools should be active on your checkout page. Tools such as Google Analytics and Mixpanel collect page-level data that may inadvertently capture sensitive card details and transmit them to a third party. Disable all such tools on your checkout and payment confirmation pages.


Q: What happens if Omise detects suspicious transactions on my account?

Omise's fraud protection system continuously monitors transactions using IP geolocation, tokenization, pre-authorization checks, and real-time machine learning models. If suspicious activity is detected, the system may block the transaction and mark the charge as failed fraud check in your dashboard. In cases of repeated suspicious activity, excessive disputes, or policy violations, Omise may suspend or restrict your account. See the Fraud Protection guide for details.


Q: What is the minimum TLS version I need to support?

You are required to use TLS 1.2 or later on all servers that process payment data — including your checkout page and webhook endpoint. TLS 1.0 and 1.1 are not supported. Ensure your web server is configured to use only the cipher suites listed in this document.


Next steps

  • Security Overview — Core concepts including tokenization, encryption, and PCI DSS compliance
  • Fraud Protection — How Omise's fraud detection system works and how to configure it
  • Omise.js — JavaScript library for securely collecting payment details in the browser
  • Prohibited Businesses — Categories of businesses that are not permitted to use Omise