Compliance, certifications, and security teams

Upon request, Pismo will provide all necessary information to demonstrate compliance with contractual obligations and Data Protection Laws. Customers may contribute to audits and inspections to verify Pismo’s compliance, provided reasonable notice is given. All audit participants must sign a non-disclosure agreement.

Governance, Risk, and Compliance (GRC)

In the fast-evolving fintech landscape, Pismo understands that trust, resilience, and regulatory alignment are essential. Our Governance, Risk, and Compliance (GRC) program is designed to help financial technology providers operate securely and confidently, while meeting global standards and regional data protection laws.

Governance

Security and compliance are embedded into Pismo’s strategic and operational processes. Our policies are reviewed and approved by senior leadership and are continuously updated to reflect evolving regulatory expectations and industry best practices.

Pismo maintains a strong governance posture through:

  • A formal security program aligned with ISO/IEC 27001—Supporting structured and accountable information security management
  • Independent audits and internal reviews—To validate our controls and maintain transparency
  • Certification in SOC 2 Type II—Demonstrating our commitment to safeguarding data across security, availability, and confidentiality dimensions
  • Cyber Essentials Plus certification—Reinforcing our protection against common cyber threats

Risk Management

Pismo’s security maturity is reflected in our proactive and structured approach to risk management, aligned with the NIST Cybersecurity Framework (CSF). This includes:

  • Identify—Continuous asset and risk identification across our infrastructure and services
  • Protect—Implementation of layered security controls to safeguard data and systems
  • Detect—Real-time monitoring and alerting to identify potential threats
  • Respond—Documented incident response procedures to contain and mitigate risks
  • Recover—Business continuity and recovery plans to ensure service resilience

Pismo also maintains:

  • PCI DSS compliance—Ensuring secure handling of cardholder data
  • PCI PIN Security certification—Validating our secure management of PIN data in payment environments

In addition, Pismo aligns its internal risk practices with the Visa Enterprise Risk Management Program, which promotes a structured approach to identifying, assessing, and mitigating risks across the payment ecosystem. This includes:

  • Proactive vulnerability management and remediation
  • Risk-based prioritization of security controls
  • Ongoing collaboration with partners to strengthen the overall security posture

Compliance

Pismo’s platform is designed to support fintech clients in meeting their own regulatory obligations, including:

  • LGPD (Lei Geral de Proteção de Dados)—Pismo ensures that personal data of Brazilian users is processed lawfully, transparently, and securely, with clear data subject rights and consent mechanisms.
  • GDPR (General Data Protection Regulation)—For clients operating in or serving the EU, Pismo supports compliance with GDPR principles such as data minimization, purpose limitation, and lawful processing. We offer mechanisms for data subject access requests, consent management, and data breach notification.

Our data protection practices include:

  • Encryption of sensitive data both at rest and in transit
  • Tokenization of cardholder data to reduce exposure and simplify compliance
  • Granular access controls to ensure that only authorized personnel can access sensitive information

These measures are part of a mature and continuously evolving security program that enables fintechs to innovate confidently, knowing their data and operations are protected by globally recognized standards.

Regulations and regulatory groups compliance

Pismo maintains compliance with the following regulations and regulatory groups.

  • European Banking Authority (EBA)—Pismo complies with the required guidelines set by the EBA and by national European banking authorities, as applicable to an issuing processing platform.
  • General Data Protection Regulation (GDPR)—The Pismo platform supports data retention policies and is designed to meet GDPR requirements. Pismo's privacy framework addresses the applicable local regulations, reflecting its commitment to global standards of data protection and financial security. The platform is built with security and data-sharing controls that take into account data-related regulations across the world, including GDPR.
  • Lei Geral de Proteção de Dados (LGPD, General Personal Data Protection Law)—The same security and data-sharing controls take into account data-related regulations across the world, including LGPD in Brazil.

Anti-fraud assessment and compliance

Fraud monitoring and risk assessment

Pismo is pre-integrated with several global Fraud Risk Management (FRM) systems, such as FICO and Feedzai. On request, Pismo can also integrate with a customer's own fraud-management tool or with another third-party fraud monitoring service.

As part of the FRM integration, Pismo forwards every online authorization request received from the network/scheme to the FRM tool through the anti-fraud webhook. The webhook request carries the full set of network ISO fields except the PAN and other sensitive data: the PAN is replaced with a Pismo card ID before the transaction is routed to the external anti-fraud system. Pismo also shares the results of card validation (CAM, CVV2, PIN, and so on) together with the results of the rules the issuer pre-configured at product, account, or card level. The anti-fraud system evaluates the transaction against its own fraud rules and returns an approve or decline decision, which the Pismo host forwards to the network/scheme with the corresponding response code.

During product setup in the Pismo core, the issuer can use Pismo's Flex Control to create rules such as restriction controls or cumulative controls. These rules are evaluated during the authorization stage (card validation and rules validation), and the results are passed to the issuer's anti-fraud system through the anti-fraud webhook so that the anti-fraud tool can take them into account.
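To make the data-minimization step concrete, here is an added example in Go (not Pismo's code; the field names, the card ID format, the Flex Control rule names, and the response-code mapping are all assumptions). It builds the anti-fraud webhook body from an authorization request by copying only non-sensitive fields, substitutes a card ID for the PAN, attaches the card validation and rule results, checks the serialized body for any leaked PAN, track 2 or CVV2 value before it would be sent, and maps the anti-fraud decision back to a response code, failing closed when the decision is anything but an explicit approve.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AuthRequest is a constructed, simplified view of an online authorization
// from the network/scheme. Field names are illustrative, not Pismo's schema;
// real ISO 8583 messages carry many more data elements.
type AuthRequest struct {
	MTI            string // message type indicator
	PAN            string // DE2: sensitive, must never reach the webhook
	Track2         string // DE35: sensitive
	CVV2           string // sensitive
	ProcessingCode string // DE3
	Amount         int64  // DE4, minor units
	MCC            string // DE18
	MerchantID     string // DE42
}

// ValidationResults carries the outcome of the card checks (CAM, CVV2, PIN)
// and of the issuer's Flex Control rules, all evaluated before the call.
type ValidationResults struct {
	CAM         string          `json:"cam"`
	CVV2        string          `json:"cvv2"`
	PIN         string          `json:"pin"`
	FlexControl map[string]bool `json:"flex_control"` // rule name -> passed
}

// AntiFraudPayload is the webhook body: network fields minus sensitive data,
// with the Pismo card ID standing in for the PAN (illustrative shape).
type AntiFraudPayload struct {
	CardID         string            `json:"card_id"`
	MTI            string            `json:"mti"`
	ProcessingCode string            `json:"processing_code"`
	Amount         int64             `json:"amount"`
	MCC            string            `json:"mcc"`
	MerchantID     string            `json:"merchant_id"`
	Validation     ValidationResults `json:"validation"`
}

// CardIDLookup resolves a PAN to a card ID. In production this is the card
// vault; here it is a constructed in-memory map.
type CardIDLookup map[string]string

func (l CardIDLookup) Resolve(pan string) (string, error) {
	id, ok := l[pan]
	if !ok {
		return "", errors.New("no card ID mapping for PAN")
	}
	return id, nil
}

// BuildAntiFraudPayload copies fields one by one into the outbound struct, so
// PAN, track data and CVV2 cannot reach the webhook by accident: a forgotten
// field causes a missing value, never a leak.
func BuildAntiFraudPayload(req AuthRequest, vault CardIDLookup, val ValidationResults) (AntiFraudPayload, error) {
	cardID, err := vault.Resolve(req.PAN)
	if err != nil {
		return AntiFraudPayload{}, err
	}
	return AntiFraudPayload{CardID: cardID, MTI: req.MTI, ProcessingCode: req.ProcessingCode,
		Amount: req.Amount, MCC: req.MCC, MerchantID: req.MerchantID, Validation: val}, nil
}

// MarshalPayload serializes the body that would be POSTed to the anti-fraud system.
func MarshalPayload(p AntiFraudPayload) []byte {
	body, err := json.Marshal(p)
	if err != nil {
		panic(err) // strings, ints and a map[string]bool cannot fail to marshal
	}
	return body
}

// LeaksSensitiveData is a last guard on the serialized body: the raw PAN,
// track 2 data or CVV2 must not appear anywhere in it.
func LeaksSensitiveData(body []byte, req AuthRequest) bool {
	for _, secret := range []string{req.PAN, req.Track2, req.CVV2} {
		if secret != "" && strings.Contains(string(body), secret) {
			return true
		}
	}
	return false
}

// Decision is the anti-fraud system's verdict on the transaction.
type Decision string

const (
	Approve Decision = "approve"
	Decline Decision = "decline"
)

// ResponseCode maps the decision to an ISO 8583 response code (DE39). "00"
// (approved) and "05" (do not honor) are the common values; the page does not
// say which codes Pismo uses, so this mapping is an assumption. It fails
// closed: anything other than an explicit approve is declined.
func ResponseCode(d Decision) string {
	if d == Approve {
		return "00"
	}
	return "05"
}

func main() {
	// Constructed authorization with a test PAN and a constructed card ID.
	req := AuthRequest{MTI: "0100", PAN: "4111111111111111", Track2: "4111111111111111=29121011234",
		CVV2: "737", ProcessingCode: "000000", Amount: 12999, MCC: "5411", MerchantID: "MRCH0001"}
	vault := CardIDLookup{req.PAN: "card_8f3a2c"}
	val := ValidationResults{CAM: "emv_ok", CVV2: "not_checked", PIN: "match",
		FlexControl: map[string]bool{"mcc_restriction": true, "daily_cumulative": true}}

	payload, err := BuildAntiFraudPayload(req, vault, val)
	if err != nil {
		panic(err)
	}
	body := MarshalPayload(payload)
	fmt.Println(string(body))
	fmt.Println("leaks sensitive data:", LeaksSensitiveData(body, req)) // false
	fmt.Println("response code for decline:", ResponseCode(Decline))   // 05
}
```

The substring check is deliberately crude: it is a safety net against a serialization change, not a substitute for the allow-list construction above. Note that it catches track 2 data automatically because track 2 begins with the PAN.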

Pismo core also integrates with Visa-owned products and offerings such as 3DS (ACS), authorization scoring, VAA/VRM, automated rule writing, and anti-enumeration software.

Webhook authentication

Pismo can connect to a customer's webhook endpoint over mTLS or, if the customer is hosted on AWS, over AWS PrivateLink. Pismo signs the webhook payload with its private key, and customers verify the integrity and origin of each message with the corresponding Pismo public key. The transport (mTLS or PrivateLink) authenticates the connection; the signature authenticates the payload itself, so both checks are worth keeping. For details, refer to the Verifying webhook requests guide.
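As an added example (not Pismo's code and not the content of the Verifying webhook requests guide), the following Go receiver verifies a signed webhook in the way the paragraph describes. Ed25519, the X-Signature header name, the base64 encoding of the signature, and the key pair generated in-process as a stand-in for Pismo's keys are all assumptions; the real algorithm and header are defined in the guide. The points it demonstrates hold for any algorithm: verify over the raw request bytes exactly as received, reject before parsing, and treat any decoding error as a failed check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SignatureHeader is an assumed header name; the real one is defined in the
// Verifying webhook requests guide.
const SignatureHeader = "X-Signature"

// MaxBodyBytes bounds what the receiver buffers before verification.
const MaxBodyBytes = 1 << 20

// NewKeyPair generates an Ed25519 key pair standing in for the sender's keys.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignBody is the sender side: sign exactly the bytes that go on the wire.
func SignBody(priv ed25519.PrivateKey, body []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body))
}

// VerifyBody is the receiver side. A decoding or length problem counts as a
// failed verification rather than an error a caller might ignore.
func VerifyBody(pub ed25519.PublicKey, body []byte, header string) bool {
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, body, sig)
}

// WebhookHandler runs next only for requests whose signature verifies. The
// body is read once, verified as received, and passed on unchanged; JSON
// decoding belongs inside next, after verification, never before it.
func WebhookHandler(pub ed25519.PublicKey, next func(body []byte)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, MaxBodyBytes+1))
		if err != nil || len(body) > MaxBodyBytes {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if !VerifyBody(pub, body, r.Header.Get(SignatureHeader)) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		next(body)
		w.WriteHeader(http.StatusOK)
	})
}

// Deliver simulates one delivery in-process and returns the status code the
// receiver produced, so outcomes can be checked without a network.
func Deliver(h http.Handler, body []byte, sigHeader string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhooks/anti-fraud", strings.NewReader(string(body)))
	req.Header.Set(SignatureHeader, sigHeader)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	pub, priv := NewKeyPair()
	h := WebhookHandler(pub, func(body []byte) { fmt.Println("accepted:", string(body)) })

	// Constructed payload; a real one carries the anti-fraud fields.
	body := []byte(`{"card_id":"card_8f3a2c","amount":12999,"validation":{"pin":"match"}}`)
	sig := SignBody(priv, body)
	tampered := []byte(strings.Replace(string(body), "12999", "1", 1))
	fmt.Println("genuine delivery:", Deliver(h, body, sig))   // 200
	fmt.Println("tampered amount:", Deliver(h, tampered, sig)) // 401
	fmt.Println("missing header:", Deliver(h, body, ""))      // 401
}
```

A common mistake this layout avoids is decoding the JSON first and re-serializing it to verify: key order, whitespace and number formatting can all change, and the signature will then fail on genuine messages or, worse, be skipped in frustration. Keep the raw bytes, verify them, then parse.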

Fraud detection

Rules can be configured on the anti-fraud partner systems or on Visa VRM to decline transactions according to the customer's own risk rules.

Anti-money laundering compliance

Our platform integrates with modern anti-money laundering (AML) platforms through real-time API calls. Pismo has pre-integrated AML, anti-fraud, and ID&V (identity and verification) partners.

Pismo has partnered with specialized vendors to provide AML screening and ongoing transaction monitoring throughout the customer journey. These vendors can also perform Office of Foreign Assets Control (OFAC) sanctions checks.

Fraud management services

Cards can be whitelisted to bypass authentication through rules configured on the anti-fraud system. Pismo invokes the anti-fraud integration for every authorization, passing the transaction context, and the decision returned by the anti-fraud layer is honored by Pismo's transaction authorization process. Because a whitelist rule removes a control from the authorization path, such rules should be tightly scoped and their use audited.

Fraud data reports

The Pismo platform offers a range of data events to support the bank's reporting requirements. These can be supplied as raw data to the bank or to a reporting partner that generates the reports, or Pismo can curate the relevant data events into a pre-set format from which the reports are created.

Pismo emits data events in real time via data streams or as files. Customers consume this data and distribute it to their own applications as required.

The Pismo platform provides real-time alerts for potentially compromised cards, based on its integration with a fraud monitoring solution. The data is delivered to the bank in real time as an event that can be consumed by a case management system.

Certifications

Pismo maintains the following certifications.

  • ISO 27001—ISO 27001 is a globally recognized, independently audited security standard. Pismo holds certification for the systems, technology, and processes that support the Pismo platform. Compliance with the standard was certified by BSI (British Standards Institution), the United Kingdom's national standards body and its representative in the European CEN and the international ISO and IEC.
  • PCI DSS Level 1—PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. It is mandated by the card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC). Pismo is certified as a PCI DSS Level 1 Service Provider, the highest level of assessment available. The assessment was conducted by GM Sectec, an independent Qualified Security Assessor (QSA). The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary are available to customers on request from our Technical Account Team.
  • PCI PIN Security—The Pismo platform holds PCI PIN Security certification.
  • ISAE 3402 SOC 1 and SOC 2 Type II—The Pismo platform complies with the SOC 1 and SOC 2 standards.
  • Cyber Essentials Plus—The Pismo platform maintains this UK government-backed certification against common cyber threats.
  • SAR Data Localization—The Pismo platform undergoes the System Audit Report (SAR) on data localization required by the Reserve Bank of India (RBI).

Pismo security teams

Pismo Blue Team – defensive security excellence

The Pismo Blue Team exists to safeguard the organization’s digital ecosystem by proactively defending against cyber threats and ensuring operational resilience. Its purpose extends beyond reactive incident handling—it is a strategic function designed to:

  • Protect customer trust—Preserve the confidentiality, integrity, and availability of customer data and financial transactions
  • Ensure regulatory compliance—Maintain adherence to global standards such as PCI DSS, SOC 2, ISO 27001, and GDPR through robust security controls and documented processes
  • Enable business continuity—Minimize downtime and financial impact by rapidly containing and mitigating security incidents
  • Drive security maturity—Continuously improve detection, response, and prevention capabilities through automation, threat intelligence, and alignment with frameworks like MITRE ATT&CK
  • Collaborate across teams—Act as the central defensive hub, working with Red Team, DevSecOps, Governance, and Engineering to embed security into every layer of operations

Roles and responsibilities

The Blue Team operates as a multi-disciplinary defense unit, covering several critical domains:

Threat detection and monitoring

  • Operates advanced SIEM platforms to monitor billions of logs and events across cloud, application, and network layers
  • Implements behavioral analytics and anomaly detection to identify suspicious activities early

Incident response and containment

  • Executes predefined playbooks for rapid containment of threats such as credential compromise, fraud attempts, and cloud misconfiguration
  • Uses Opsgenie for automated escalation and task assignment during critical incidents

Threat intelligence and analysis

  • Maps adversary behaviors to MITRE ATT&CK tactics and techniques for structured threat hunting
  • Analyzes indicators of compromise (IoCs) and shares intelligence internally to strengthen preventive measures

Vulnerability management

  • Collaborates with DevSecOps to remediate vulnerabilities identified through AWS Security Hub, IaC scans, and SBOM analysis
  • Participates in monthly Vulnerability Committee meetings to prioritize fixes based on risk and compliance impact

Governance and communication

  • Maintains clear documentation for incident reporting and escalation via Jira and Service Desk
  • Provides client-facing guidelines for security incident handling and participates in tabletop exercises to validate readiness

Automation and tooling

  • Leverages Cloudflare automation scripts for IP blocking and WAF rule updates
  • Integrates IaC security checks and SBOM generation into CI/CD pipelines for proactive risk reduction

Pismo Red Team – offensive security excellence

The Pismo Red Team is a specialized cybersecurity unit focused on simulating real-world attacks to identify weaknesses before adversaries do. Our mission is to strengthen your security posture by testing systems, processes, and people under realistic threat scenarios. The Red Team objectives include:

  • Validate security controls—Ensure that implemented defenses work as intended
  • Measure organizational resilience—Assess how quickly and effectively teams respond to attacks
  • Expose hidden risks—Identify vulnerabilities in applications, infrastructure, and operational workflows
  • Enhance Blue Team readiness—Provide actionable insights to improve detection and response capabilities

Core services include:

Red Team Engagements

  • Simulate advanced persistent threats (APTs) and targeted attacks
  • Operate stealthily under predefined objectives (such as data exfiltration, privilege escalation)
  • Deliver comprehensive reports with remediation guidance

Penetration Testing

  • Exploit vulnerabilities to demonstrate real-world impact
  • Assess technical and business risks across APIs, applications, and networks
  • Use both manual and automated techniques for thorough coverage

Development Process Assessments

  • Test security controls from API development to deployment
  • Identify gaps such as protected branch bypass, pipeline enforcement failures, and Dockerfile manipulation risks
  • Provide prioritized remediation plans for critical findings

Methodology

  • Framework Alignment—Exercises follow industry best practices and standards
  • Attack Narrative Simulation—Realistic scenarios such as CI/CD pipeline bypass and container privilege escalation
  • Continuous Improvement—Findings feed into SSDLC and DevSecOps processes for long-term resilience

Customer benefits

  • Proactive Risk Reduction—Identify and fix vulnerabilities before they become incidents
  • Regulatory Compliance Support—Align with PCI DSS, SOC 2, and ISO 27001 requirements
  • Tailored Engagements—Custom scenarios based on your business context and threat landscape
  • Collaboration with Blue Team—Joint exercises to improve detection and response capabilities

Pismo Security Architecture team - Defense-in-depth

The Pismo Security Architecture Team is a cornerstone of our defense-in-depth strategy, ensuring security is embedded into every layer of our platform. Similar to leading global payment networks, we combine multi-layered security, operational resilience, and ecosystem integrity to protect sensitive data and maintain trust.

The team’s mission is to design and maintain a secure, scalable, and resilient architecture that meets global compliance standards such as PCI DSS, ISO 27001, SOC 2, and GDPR, while enabling innovation and operational efficiency.

Core principles

  • Defense-in-depth—Multiple layers of security controls across infrastructure, applications, and data
  • Zero trust—Continuous identity validation and least-privilege access
  • Operational resilience—Architected for high availability and disaster recovery
  • Continuous innovation—Integration of AI-driven security solutions and proactive threat modeling

Key responsibilities

Security Architecture Reviews

  • Conduct in-depth assessments of applications, APIs, and cloud environments
  • Perform threat modeling and design secure frameworks for new projects

Identity and Access Management (IAM)

  • Implement strong authentication flows, including mTLS, key rotation, and least-privilege design for APIs

Reference Architecture Development

  • Maintain Security-by-Design blueprints aligned with compliance and industry standards
  • Integrate security controls into CI/CD pipelines and IaC templates

Cloud Security Posture Management

  • Monitor AWS multi-region environments for misconfigurations
  • Validate compliance using automated IaC checks and CSPM tools

Secure Development Lifecycle Support

Enforce SSDLC practices:

  • Static and dynamic code analysis (SAST/DAST) and software composition analysis (SCA)
  • IaC security reviews
  • SBOM generation for supply chain transparency

Collaboration with Red Team and Governance

  • Support penetration testing and vulnerability remediation
  • Align architecture decisions with risk management and compliance objectives

Advanced practices inspired by Visa

  • AI-driven security—Use machine learning for anomaly detection and fraud prevention
  • Dynamic risk assessment—Apply real-time analytics to evaluate threats during transaction and API calls
  • Operational resilience—Architect systems for 99.999% uptime, leveraging multi-region redundancy and chaos engineering tests

Customer Benefits

  • Proactive risk mitigation—Vulnerabilities addressed before deployment
  • Regulatory assurance—Architecture aligned with global compliance standards
  • Operational transparency—Clear governance and documented processes
  • Resilience and scalability—Secure design supports multi-region, high-availability architecture

Related pages

For more detailed Pismo platform security information or for security audits, testing, and incident response refer to: