GPOS Payment System

.NET/C# backend for PIX and cards with mTLS authentication

.NET · C# · PIX · mTLS · REST APIs

Payment methods: PIX + Cards
Authentication: mTLS
Terminal registration: 100% remote

The GPOS product needed a robust backend to process payments via PIX and cards, with mutual authentication between terminals and the server, and remote registration of new devices.

  • 01 Implementing mTLS for mutual authentication between physical terminals and the server
  • 02 Ensuring compliance with BACEN rules for PIX transactions
  • 03 Eliminating the manual physical device shipping process for registration
  • 04 Maintaining transactional consistency in unstable connection scenarios on terminals

mTLS for bilateral terminal-server authentication

Physical terminals cannot depend on user-rotatable credentials. Client certificates installed on the terminal ensure device identity without human intervention.

Remote terminal registration

The previous process required physically sending the device for configuration. The new flow allows registration via authenticated API during onboarding, significantly reducing logistics costs.

.NET as the primary runtime

.NET was already an established stack at the company, with mature libraries for PIX (BACEN SPI) and card brand integrations via ISO 8583.

mTLS adds complexity to certificate lifecycle management (expiration, revocation). It was necessary to implement an automatic renewal process before expiry.

.NET 8 with ASP.NET Core, Kestrel configuration for mTLS with private CA validation. PIX implemented following the BACEN SPI specification. Terminal registration via authenticated endpoint with multiple verification factors.
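A sketch of what Kestrel mTLS with private CA validation can look like on .NET 8, added here as an illustration and not taken from the GPOS code base. The CA file path, the `/whoami` route and the `ChainsToTerminalCa` helper are hypothetical names, and the revocation setting assumes the private CA publishes CRL or OCSP locations in the certificates it issues.

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

// Assumption: the private CA's public certificate (PEM or DER) ships with the service.
var terminalCa = new X509Certificate2("certs/terminal-ca.pem");

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ConfigureHttpsDefaults(https =>
    {
        // Refuse the TLS handshake unless the terminal presents a certificate.
        https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
        // Setting this callback replaces Kestrel's default check against the
        // machine trust store, so the callback must do the full validation itself.
        https.ClientCertificateValidation =
            (cert, _, _) => ChainsToTerminalCa(cert, terminalCa);
    });
});

var app = builder.Build();

// Hypothetical route: echoes the device identity taken from the client certificate.
app.MapGet("/whoami", (HttpContext ctx) =>
    ctx.Connection.ClientCertificate?.Subject ?? "no client certificate");

app.Run();

static bool ChainsToTerminalCa(X509Certificate2 cert, X509Certificate2 ca)
{
    using var chain = new X509Chain();
    // Trust only the private CA; public roots on the host are ignored.
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
    chain.ChainPolicy.CustomTrustStore.Add(ca);
    // Assumption: issued certificates carry CRL/OCSP URLs. Without them the
    // chain reports RevocationStatusUnknown and Build returns false.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
    // Require the TLS client authentication EKU (1.3.6.1.5.5.7.3.2).
    chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));
    // Build also rejects expired or not-yet-valid certificates.
    return chain.Build(cert);
}
```

Because `Build` fails on expired certificates, a terminal whose renewal did not complete before expiry is rejected at the handshake, which is why the automatic renewal process has to run ahead of the expiry date.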

Complete .NET/C# payment system with PIX, cards, mTLS, and remote terminal registration — eliminating the need to ship physical devices.

  • BACEN's PIX documentation is extensive but precise — following it exactly avoids rejections during integration
  • Implementing a circuit breaker on PSP calls prevents cascade failures during bank unavailability
  • Immutable transaction logs are mandatory for auditing — never UPDATE payment records