Security in Midtrans


Security is our top priority at Midtrans. We monitor both internal and external factors to keep every payment that passes through Midtrans secure.

Midtrans Security

  1. PCI DSS
    PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements, maintained by the PCI Security Standards Council, for every organization that stores, processes, or transmits cardholder data. Midtrans has implemented these requirements across its network and payment systems to minimize security risks that could affect transaction processing.

    Midtrans has been audited by a QSA (Qualified Security Assessor) certified by the PCI Security Standards Council and is currently compliant as a PCI DSS Level 1 Service Provider, the most stringent level of validation in the payments industry.

  2. ISO 27001
    ISO 27001 (formally ISO/IEC 27001) is an international standard, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), that specifies the requirements for an information security management system (ISMS). We have implemented the ISO 27001 standard across our systems and network to protect our information.

  3. AES 256
    AES (Advanced Encryption Standard) is a block cipher standardized by the National Institute of Standards and Technology (NIST) and is widely used to protect the confidentiality of data; AES-256 is the variant with a 256-bit key. Midtrans uses AES-256 as its encryption standard for all transaction data that enters and leaves our system.

  4. Fraud Detection System
    Midtrans analyzes, processes, and manages each transaction in detail with our machine learning tooling. It then analyzes behaviour patterns using signals such as payment location, email details, and time of transaction.

    Source: https://midtrans.com/security


HTTPS for secure connections

Midtrans enforces HTTPS for all services using TLS (the successor to SSL), including our public website and the Merchant Administration Portal.

  • midtrans.min.js is served only over HTTPS from Midtrans production servers. We advise merchants not to host midtrans.min.js themselves: a self-hosted copy would not receive updates.
  • snap.js is likewise served only over HTTPS from Midtrans production servers, and merchants should not host snap.js themselves for the same reason.
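As an added check (not part of the Midtrans page or its libraries), a merchant can audit a checkout page for the two rules above: every script must load over HTTPS, and midtrans.min.js / snap.js must come from Midtrans rather than from the merchant's own origin. The allowed Midtrans hostnames below are an assumption for this example; take the script URLs from the Midtrans documentation you integrate against.

```javascript
// Added example (not Midtrans code): audit <script src> values of a checkout page.
// MIDTRANS_HOSTS is an assumed allow-list, not taken from the Midtrans page.
const MIDTRANS_SCRIPTS = ['midtrans.min.js', 'snap.js'];
const MIDTRANS_HOSTS = ['app.midtrans.com', 'app.sandbox.midtrans.com']; // assumption

// srcs: script src attribute values as written in the page (may be relative or
// protocol-relative); pageUrl: the page's own URL, used to resolve them.
// Returns an array of {src, issue} findings; an empty array means clean.
function auditScriptSources(srcs, pageUrl) {
  const findings = [];
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') {
    // A protocol-relative "//host/snap.js" inherits this, so the page itself must be HTTPS.
    findings.push({ src: pageUrl, issue: 'page-not-https' });
  }
  for (const src of srcs) {
    if (!src) continue;                                  // inline script, nothing fetched
    let url;
    try {
      url = new URL(src, pageUrl);
    } catch (e) {
      findings.push({ src, issue: 'unparseable-url' });
      continue;
    }
    if (url.protocol !== 'https:') {
      findings.push({ src, issue: 'not-https' });
    }
    const file = url.pathname.split('/').pop();
    if (MIDTRANS_SCRIPTS.includes(file) && !MIDTRANS_HOSTS.includes(url.hostname)) {
      findings.push({ src, issue: 'self-hosted-midtrans-script' });
    }
  }
  return findings;
}

// In a browser console on the checkout page:
//   auditScriptSources(Array.from(document.scripts, s => s.getAttribute('src')), location.href)

module.exports = { auditScriptSources, MIDTRANS_SCRIPTS, MIDTRANS_HOSTS };
```

The filename match is deliberately strict: a copy renamed to `snap-local.js` would not be caught, so the check complements, rather than replaces, a review of where the script tags in the checkout template actually point.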


Sensitive data Encryption

Security is always a primary concern at PT Midtrans, and every transaction processed by our system is encrypted. Midtrans never stores sensitive information in the system, and all transactions are transmitted and processed over a secure network.

All encryption and security procedures follow the PCI DSS standard so that we achieve the highest level of protection.


Vulnerability disclosure

Midtrans is always open to input or suggestions related to our security. If you believe you have found a security vulnerability in Midtrans, please contact security@midtrans.com or support@midtrans.com and we will respond as soon as possible. We thank you for your cooperation in not disclosing these issues publicly.