Identity connectivity with mTLS

Mutual Transport Layer Security (mTLS) is an end-to-end security protocol that verifies the identity of both sides of a communication stream—the client and the Pismo platform. It provides mutual authentication between client and server, ensuring that both parties verify each other's identities before establishing a secure connection.

mTLS is mandatory for all API calls to the Pismo platform. This protocol keeps the platform in compliance with legal requirements, such as the European Union's Electronic Identification, Authentication, and Trust Services (eIDAS) regulation and the revised Payment Services Directive (PSD2).

To configure mTLS, contact your Pismo representative. There are two ways to configure the signed certificate:

  1. Pismo generates and signs a private and public key and sends the public key to you through a secure channel.
  2. You generate a private and public key and send the public key to Pismo through a Certificate Signing Request (CSR). Pismo sends back a signed public certificate.

The Program Manager or Service Provider must provide the following details to Pismo before the mTLS certificate can be issued:

  • Company name
  • Document number (for example, Tax ID)
  • City
  • State
  • Country

How the mTLS process works

The following is an overview of how the authentication process works on the Pismo platform. During the process, if either side fails to present a valid certificate, the connection drops and no data is transmitted in either direction.

  1. You connect to the platform.
  2. The platform sends its TLS certificate.
  3. You verify the certificate.
  4. You send your certificate to the platform.
  5. The platform verifies the certificate.
  6. The platform grants access to you.
  7. Data exchange occurs securely over the encrypted TLS connection.

Important security details

The Pismo platform enforces strict security controls for all API communications.

Security notes

  • mTLS is mandatory for all API calls to the Pismo platform.
  • Client certificates are required for authentication and must be valid and trusted.
  • Certificates have a defined validity period of two years and must be renewed before expiration.
  • Additional security layers are in place to monitor and protect traffic against unauthorized access and malicious activity.

Requests that do not meet authentication or security requirements will be rejected.

For security reasons, detailed error responses and specific validation rules are not publicly documented. If you need troubleshooting assistance, contact support by reporting the incident to Pismo.
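
An added example, not Pismo's own code: a Python standard-library client that follows the handshake steps under "How the mTLS process works" and flags a client certificate nearing the end of its two-year validity. The file paths, host name, 60-day renewal window and TLS 1.2 floor are assumptions, not values from this page.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 60  # assumption: the page only says "before expiration"

def verifying_context(ca_file=None):
    """Steps 2-3: require and verify the platform's certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: floor not stated on the page
    ctx.check_hostname = True            # certificate must match the host name
    ctx.verify_mode = ssl.CERT_REQUIRED  # no valid server certificate, no connection
    return ctx

def mtls_context(cert_file, key_file, ca_file=None):
    """Step 4: add the signed client certificate and its private key."""
    ctx = verifying_context(ca_file)
    # Raises OSError/ssl.SSLError if a file is missing or key and certificate do not match.
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def connect(host, ctx, port=443, timeout=10):
    """Steps 1-6. A bad server certificate raises here; with TLS 1.3 a rejected
    client certificate may only surface on the first read or write."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise

def days_until_expiry(not_after, now=None):
    """not_after: date text as printed by `openssl x509 -enddate -noout`,
    without the 'notAfter=' prefix, e.g. 'Mar 15 12:00:00 2027 GMT'."""
    now = now or datetime.now(timezone.utc)
    return (ssl.cert_time_to_seconds(not_after) - now.timestamp()) / 86400

def needs_renewal(not_after, now=None, window_days=RENEWAL_WINDOW_DAYS):
    """True once the certificate is inside the renewal window."""
    return days_until_expiry(not_after, now) <= window_days

if __name__ == "__main__":
    # Constructed sample value, not a real certificate's end date.
    sample = "Mar 15 12:00:00 2027 GMT"
    print(f"{days_until_expiry(sample):.0f} days left; renew: {needs_renewal(sample)}")
```
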


Related pages

For general security information related to the Pismo platform, refer to: