Transport Layer Security (TLS) encrypts data in flight between clients and servers. Every payment API call, webhook delivery, and Secure Fields session must use modern TLS versions (1.2 minimum, 1.3 preferred) with strong cipher suites. Deprecated protocols (SSLv3, TLS 1.0) fail PCI and browser requirements.
TLS protects against passive eavesdropping on networks; it does not by itself keep PAN out of merchant scope if the TLS terminator is your application. That is why hosted fields pair TLS with JWE to the tokenization endpoint.
Certificate management matters: monitor expiry, use automated renewal (ACME), and pin expectations for webhook endpoints receiving Veliro deliveries. Misconfigured TLS on your webhook URL is a top cause of lifecycle event backlog.
Veliro enforces TLS on all public APIs and publishes cipher requirements in the security documentation. Scheme connectivity (VTS, MDES, AETS) uses mutual TLS with network-issued certificates, a stricter profile than browser HTTPS.
Pin minimum TLS versions in integration tests against sandbox endpoints; legacy Java or mainframe adapters occasionally negotiate down unless explicitly configured for TLS 1.2+.
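One way to check the pin described above before an integration test touches the sandbox, as an added example that is not Veliro code: it starts a handshake in memory with Python's standard `ssl` module and reads the versions the client actually offers from its own ClientHello. The function names and the `sandbox.example.invalid` host are assumptions made for illustration.

```python
import ssl
import struct

TLS12 = 0x0303  # wire code for TLS 1.2 (TLS 1.3 is 0x0304, TLS 1.1 is 0x0302)

def pinned_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client context that will not negotiate below `minimum`."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    return ctx

def client_hello(ctx, server_name="sandbox.example.invalid"):  # placeholder host
    """Start a handshake in memory (no network) and return the ClientHello record."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has sent its hello and awaits the server
    return outgoing.read()

def offered_versions(record):
    """Wire codes listed in the ClientHello's supported_versions extension."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                                 # headers, legacy_version, random
    pos += 1 + record[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                               # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0] if pos < len(record) else pos
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x002B:                           # supported_versions
            count = record[pos] // 2
            return list(struct.unpack_from(f"!{count}H", record, pos + 1))
        pos += ext_len
    # Without the extension the hello only states a maximum, so the floor is unknown.
    raise ValueError("no supported_versions extension; floor not visible in ClientHello")

def legacy_offers(record):
    """Versions below TLS 1.2 that the client is willing to negotiate."""
    return [v for v in offered_versions(record) if v < TLS12]

if __name__ == "__main__":
    hello = client_hello(pinned_context())
    print([hex(v) for v in offered_versions(hello)], "legacy:", legacy_offers(hello))
```

A client capped below TLS 1.3 sends no `supported_versions` extension, so the check raises instead of guessing; in that case confirm the floor from the negotiated version in a live sandbox handshake.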