The PSE: What is it? Do I need it? How do I get it?

Published
PSE certificate

Introduction of PSE Certificate

The internet economy is booming in Indonesia. According to the 2020 Indonesia Digital Report published by WeAreSocial, there are currently 175.4 million Internet users in Indonesia (approximately 64% of the population). Last year (2019) the digital industry was estimated to be worth the US $40 billion, and in 2025 the market is estimated to grow to a whopping US $130 billion. Given the enormous potential of the Indonesian digital industry, investors and entrepreneurs need to be aware of the regulations in place to enter the market. One of the most important regulatory requirements for companies operating online in Indonesia is the PSE certificate (“Penyelenggara Sistem Elektronik” or “Electronic System Provider”) issued by the Ministry of Information and Communication (“Menkominfo” or “MOI”). 

This article will explain what the PSE certificate is, how to obtain it, and what the consequences of non-compliance may be.


PSE certificate for Establishing Your Tech Business in Indonesia:

The MOI issues the PSE certificate to certify that a company’s electronic system is secure and complies with Indonesian data protection standards. By requiring certification from companies that operate online, the MOI hopes to improve public trust in using the internet.

The PSE certificate is a prerequisite for companies who collect information online from Indonesian users in their ordinary course of business. Although a company may not identify itself as a “digital” or “online” business, the MOI defines any company that collects any user information online as an online business, therefore, requiring a PSE certificate to operate.

According to Indonesian law, the following companies require a PSE certificate in order to operate:

  1. Companies that offer goods or services to the public through websites or applications.
  2. Companies that facilitate online transactions.
  3. Companies that process information regarding fund deposits.
  4. Companies that store or process data related to trade and/or financial transactions.
  5. Companies whose electronic systems send paid digital goods to users’ devices.


Types of PSE certificate
:

Once the MOI verification team has approved the company’s submission the company will receive one of two kinds of licenses:  

  1. A five-year PSE Certificate. This is issued if the company already possesses a valid information security certificate.
  2. A one-year temporary PSE Certificate. This is issued if the company does not yet have an information security certificate; in this case, the company must receive an information security certificate before the first anniversary of the temporary PSE in order to receive the full 5-year license. Note that if the information security certificate is not obtained the PSE certificate will be cancelled and the application process will need to be restarted.

Note that the MOI does not charge any fees for issuing the PSE, however, if you choose to engage a consultant to assist you during the process the consulting firm will likely charge fees.


Obtaining an Information Security Certificate:

During the PSE application process, if a company does not have an information security certificate, the applicant will be required to fill in an MOI questionnaire to help assess which kind of information security certificate the company will be required to obtain. Companies that are deemed to be low risk (based on the questionnaire) will need to obtain a KAMI Index rating and certificate (issued by the Indonesian National Cyber Security Agency, BSSN). Companies that are deemed to be medium or high risk will need to obtain an ISO 27001 certification. Note that high-risk companies may also be subject to additional regulatory requirements from their respective industry-specific regulatory bodies (e.g. OJK or BI for the financial services industry).


Sanctions for Non-Compliance:

For companies operating online within certain sectors, a PSE certificate is often a prerequisite for the company to obtain other mandatory permits required to do business. For instance, companies which operate online in the financial sector will not be able to receive their operating license from OJK unless they have received a PSE certificate. Unfortunately, historically enforcement of the PSE has varied widely across the various regulatory bodies governing different industries.

Predictably, this has resulted in inconsistent enforcement of PSE certificate requirements and confusion about the necessity of the certificate to do business. In recognition of this the MOI has decided to take ownership of enforcement efforts and in 2020 will begin formally enforcing PSE certificate requirements by rebuking, fining, cutting access to, and/or terminating companies that operate in Indonesia and require a PSE certificate but fail to obtain one.

Related Article: “PSE Regulation: Beware of 3 Things Leading to Sanctions”


Conclusion:

If you need end-to-end assistance in applying for the PSE certificate or perhaps need more focused help in a few specific parts of the process please do reach out to us at anita@permitindo.com or on our website via this link. In addition to helping companies obtain a PSE license we can also guide businesses through the process of obtaining an information security certificate, or any other certificates if required. Find more about our services here. If you have any comments, questions, or feedback on the content of this article, please do reach out as well, we would love to hear from you.

Endnotes:

https://datareportal.com/reports/digital-2020-indonesia, page 17, published on February 18th, 2020,
https://www.thinkwithgoogle.com/intl/en-apac/tools-resources/research-studies/e-conomy-sea-2019-swipe-up-and-to-the-right-southeast-asias-100-billion-internet-economy/, page 18, published on October 3rd, 2019
Government Regulation, Number 82, Year 2012, https://jdih.kominfo.go.id/produk_hukum/view/id/6/t/peraturan+pemerintah+republik+indonesia+nomor+82+tahun+2012
Regulation of the Minister of Communications and Information (Permenkominfo) Number 36 Year 2014, Article 5
Government Regulation, Number 82, Year 2012, https://jdih.kominfo.go.id/produk_hukum/view/id/6/t/peraturan+pemerintah+republik+indonesia+nomor+82+tahun+2012
Government Regulation, Number 71, Year 2019, on Organizing Electronic Systems and Transactions


Privacy Statement Regarding Data Collection

Your privacy is of utmost importance to us. When you reach out to us for assistance or with any queries:

  1. Information Collection: We only collect the necessary data to assist your inquiries. This may include your name, email address, contact number, and any details you provide about your requirements.
  2. Usage of Data: Your personal information is used solely to address your queries and provide the necessary services. We will not use your information for unsolicited marketing unless you express permission.
  3. Data Sharing: We respect your privacy and will never share, sell, or distribute your personal information to third parties unless required by law.
  4. Data Protection: We employ robust security measures to protect your personal information from unauthorized access, alteration, or destruction.
  5. Access & Corrections: At any point, you can request to view the personal information we hold about you. If you find any inaccuracies, we will correct them promptly.
  6. Retention: We will hold onto your data only for as long as necessary to serve you or as applicable laws require.

You acknowledge and consent to our data collection and use practices outlined in this privacy statement by providing your contact information. If you have any concerns or questions about our privacy practices, please don’t hesitate to contact us.

Photo by Yura Fresh

Any questions? Contact us!