Security guide for Control Center
Pismo is committed to providing you with a trusted set of financial services. We have used our cloud industry experience building enterprise software and running some of the world’s largest online services to create and implement a robust set of security technologies and practices. These practices help reduce the cost, complexity, and risk associated with security in the financial services cloud. Our mission is to deliver the highest levels of security, privacy, compliance, and availability to the financial sector and help you protect your business assets. Pismo invests annually in cybersecurity and employs a dedicated cybersecurity professional. Pismo helps you strengthen your security posture, streamline your compliance efforts, and enable digital transformation. Pismo takes a defense-in-depth approach to security in our Platform.
The Pismo platform follows an API-driven architecture. This design allows for seamless integration with various systems and services that you may have. Many of our clients chose to build their own UI on top of the Pismo platform. This method allows you to control all access and authentication to the Pismo platform, including single sign-on (SSO) and multi-factor authentication (MFA) policies. You can also access the Pismo platform through the Pismo Control Center.
Security and access for Control Center
Pismo Control Center is a Web application that enables business users to perform various tasks on the Pismo platform. It is designed to enable business users to use the platform without having to understand the platform's REST APIs. You can use it to perform a variety of tasks, from managing financial transactions to overseeing customer accounts, all through an intuitive and accessible interface.
The Control Center UI currently supports English and Portuguese.
Authentication
User authentication and access
Authentication validates the identity of a user. It is typically handled by checking credentials, such as usernames and passwords. Pismo enforces strong password policies in Control Center. Refer to Best practices for passwords in Control Center for requirements and tips to create a secure password. It also includes multi-factor authentication (MFA) through email.
When a client creates an organization (Org) in Control Center, they will be given an Admin user for that Org. That user will receive two separate emails that will allow them to create their password. Once established as an Admin user, that Admin can then go into Control Center to create all users and give those users the correct roles. If there are multiple organizations, the Control Center Admin can assign users different roles for different organizations. New users will be sent the two emails to set their own password and access Control Center.
If a user has access to more than one organization in Control Center, they can switch to the one they want to view from Control Center header. When a user switches organizations, their permissions for the current Org are applied and they will only be able to access features in Control Center based on their roles for that current organization.
Multi-factor Authentication (MFA) in Control Center
Control Center allows for MFA through email only. MFA is managed at the organization level in the test (EXT) environment and the multi-tenant production environments. It can also be turned on for the whole environment. MFA can also be managed directly by the client if they are using Enterprise Authentication.
With MFA, after entering your username and password, the platform sends a code to the email address linked to the user account. You must enter this code to complete the user registration process and log in.
Emailing the registration code requires that everyone logging in to use the application has their valid email address registered with Pismo. If the registered email address is inactive or invalid, you will be unable to access the authentication code and therefore will be unable to log into the platform.
Enterprise authentication
An optional feature allows clients to add Single Sign-On (SSO) authentication to Control Center for a fee. This gives you the ability to have your organization’s users sign in to Pismo Control Center through an Identity Provider (IdP) using a single set of credentials. Pismo supports SSO with the Security Assertion Markup Language (SAML) 2.0 protocol. Any identity provider that supports SAML 2.0 works with Pismo. The advantage of this is that your IdP acts as a trusted service that manages user accounts and their authentication.
Single sign-on (SSO) is only available to customers who have purchased it. Contact your Pismo representative for more information.
Note: If your company wants to maintain IP restrictions for Control Center, you can manage that using SSO.
For full details of SSO for Control Center, refer to the Get started with SSO for Control Center.
Authorization
Once a user is authenticated, authorization defines the access rights for that user and limits access to only the resources permitted for that specific user. Authorization follows the concept of least privilege, where users receive the minimum access rights that are necessary for their jobs. Pismo uses role-based access control (RBAC) to enforce least privilege.
Within the Control Center, Admins and User managers can assign and manage user roles. Role management is limited to the defined roles within Control Center as custom roles are not supported. For a list of available roles, go to User Management in Control Center.
Dual approval
Dual approval is an optional feature that requires agreement from two individuals to finalize certain changes to platform data. It provides an additional layer of oversight, which reduces the potential for errors and fraud.
Dual approval is applied at the organization level. Rather than making a change directly, Control Center saves the operation as a pending approval request and starts an approval workflow. When Dual approval is active, rather than making a change directly, Control Center displays a popup message asking the user if they want to submit an approval request. Anyone with permission to make changes can request dual approval, but users must have specific roles to be an approver in this workflow.
For details about the dual approval feature, workflow, and approver roles, refer to the Dual approval guide for Control Center.
Audit log
The Pismo platform maintains a history of all operations that users perform in Control Center. Use the Audit feature within the Control Center to access this data. There is an export option for reporting purposes.
In addition, you can monitor system status through the Status Page in Control Center. To subscribe to status page updates refer to the Pismo operations status guide.
Data retention policy
At Pismo, we follow defined policies regarding retention of records and information. This is summarized as follows:
- Records and information are retained and disposed of in accordance with a retention schedule.
- Records remain readable, immutable, retrievable, and accessible throughout their required retention period.
- Records are protected in safe and secure conditions.
- Once a record has been finalized, drafts and working copies become non-record information and are not retained as records unless instructed by the Legal Department that destruction has been suspended, such as for active or anticipated litigation, audit, or government investigation (“Legal Hold”).
- Records and information are kept for no longer than necessary for their identified business purpose unless subject to additional legal or regulatory requirements.
- Personal information that has been de-personalized or otherwise rendered unusable and unidentifiable pursuant to applicable privacy regulations is presumed to be compliant with the policy.
- All records and information created pursuant to our business activities are proprietary information and do not belong to an individual. All employees are required to return records and information upon request or when leaving the company. Staff also ensures that third parties return all records and information upon request or termination of contract.
Personal Identifiable Information (PII)
Pismo is continuously monitoring data privacy legislation and will continue to comply with relevant data privacy legislation. At Pismo, we adhere to regional data protection restrictions for the physical location of where the data is stored.
Toward that end, we match the following global privacy rules for data stored in the associated regions:
| Regulation | Compliance notes |
|---|---|
| General Data Protection Regulation (GDPR) | The Pismo platform supports data retention policies and is designed to ensure GDPR compliance to address regulatory requirements. |
| General Personal Data Protection Law (LGPD) | Personal data protection law for Brazil, equivalent to GDPR. |
| Digital Personal Data Protection (DPDP) | Data protection policy for India. |
| Personal Data Protection Act (PDPA) | Data protection policy for Singapore and the Philippines. |
| Information Security Manual (ISM) | Australian government’s primary Cloud compliance and security regulation. It is enforced through the Infosec Registered Assessors Program (IRAP). |
| Consumer Privacy Act (CCPA) | Data privacy act for the state of California, United States. |
Updated 3 days ago