
Background & Context

Real-time card payment rails, industry context, and the CardPay platform architecture

What is Real-Time Card Payments?

Modern payment rails such as VISA Direct and MasterCard Send enable real-time push and pull transactions directly to and from payment card accounts (debit, credit, and prepaid cards). Unlike traditional acquiring flows where a merchant initiates a charge, these OCT and AFT rails allow licensed participants — banks, fintechs, and payment facilitators — to move money to or from a cardholder's account in near real-time, 24×7×365.

OCT — Original Credit Transaction

A 'push' payment that credits funds directly to a recipient's card account. Used for disbursements, P2P transfers, bill payments, refunds, and cross-border remittances.

AFT — Account Funding Transaction

A 'pull' payment that debits funds from a sender's card account. Used for PPI loading, wallet top-ups, and funding transfers. Requires cardholder authentication (3D Secure).

| Concept | Description |
| --- | --- |
| VISA Direct | Visa's real-time push (OCT) and pull (AFT) payment network, accessible via VisaNet APIs. |
| MasterCard Send | Mastercard's real-time push payment network (OCT equivalent), accessible via the Send 2.0 API platform. |

Industry Context

Traditional fund transfers (NEFT, RTGS, SWIFT) carry delays and operational friction. Card-rail-based transfers solve this with:

  • Speed: Near-instant settlement to the recipient's card account (often within 30 minutes; Fast Funds in under 30 seconds).
  • Global Reach: Visa and Mastercard networks span 200+ countries with billions of cards in circulation.
  • Ubiquity: Recipients don't need a bank account number — only a card (debit/credit/prepaid).
  • Cross-Border: Native support for international remittances without correspondent banking chains.

The CardPay Platform

CardPay is M2P's switching and middleware platform that enables banks and partners of sponsor banks to use the VISA Direct and MasterCard Send rails. It acts as the certified integration layer.

CardPay abstracts the complexity of network-level integrations — mutual TLS, Message Level Encryption, OAuth 1.0a, JWE, Retrieval Reference Number generation, BIN-level eligibility checks — and provides a simple, unified API surface for partners.


Use Cases

OCT (Push to Card)

| Use Case | Business Application ID | Description |
| --- | --- | --- |
| Credit Card Bill Payment | CP | Enables partners to push funds to a credit card to pay outstanding balances. |
| Funds Disbursement | FD | General-purpose fund disbursement — payouts, insurance claims, salary. |
| Person-to-Person (P2P) | PP | Individuals send money directly to another person's debit/credit/prepaid card. |
| Account-to-Account (A2A) | AA | Internal account-level transfers within the same institution. |
| Merchant Disbursement | MD | Merchants disbursing refunds, loyalty cashback, or marketplace seller payouts. |
| Prepaid Top-Up | TU | Reload/top-up prepaid cards with funds. |
| Government Disbursement | GD | Government-to-citizen payments (subsidies, tax refunds, stimulus). |
| Merchant Payment (mVisa) | MP | Face-to-face QR-code-based merchant payment via mVisa. |
| Cash Out | CO | mVisa cash-out at agent locations. |
| Cash In | CI | mVisa cash-in at agent locations. |
| Loan Disbursement | LO | Loan proceeds disbursed directly to a borrower's card. |
| Cross-Border Remittance | FD / PP | International money transfer with multi-currency support. |

AFT (Pull from Card)

| Use Case | Description |
| --- | --- |
| PPI Loading | Pull funds from a customer's card to load their prepaid payment instrument. Requires 3DS. |
| Wallet Top-Up | Fund a digital wallet by debiting the customer's linked card. |
| Account Funding | Pull funds from a card to fund a bank or investment account. |

Supporting Capabilities

| Capability | Description |
| --- | --- |
| Eligibility Check | Verify if a card is eligible for OCT/AFT before initiating. Returns card type, issuer info, and eligibility flags. |
| Transaction Status Check | Query the network for the final status of a submitted transaction. Critical for timeout/pending scenarios. |
| Balance Check | For prefunded partners, check available pool balance before authorizing an OCT. |
| Card Tokenization | PCI-compliant tokenization to avoid raw PAN handling by partner systems. |
| Transaction Reversal | Reverse a previously successful AFT pull transaction within the allowed window (typically 24 hours). |
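
Why the Transaction Status Check matters in timeout scenarios, as an added example that is not CardPay code: a lost response does not mean a failed push, so retrying blindly can credit the card twice. `FakeRail`, `submit_oct`, `query_status`, the status strings and the de-duplication on reference are all constructed assumptions for illustration, not the platform's API.

```python
import uuid

class NetworkTimeout(Exception):
    """No response arrived; the outcome is unknown, not failed."""

class FakeRail:
    """Constructed in-memory stand-in for a card rail (hypothetical, not a real API)."""
    def __init__(self, drop_first_response=True):
        self.ledger = {}        # reference -> final status
        self.credited = 0       # total amount actually pushed to the card
        self._drop = drop_first_response

    def submit_oct(self, reference, amount):
        if reference in self.ledger:        # assumed: rail de-duplicates on reference
            return self.ledger[reference]
        self.ledger[reference] = "SUCCESS"
        self.credited += amount
        if self._drop:
            self._drop = False
            raise NetworkTimeout(reference)  # funds moved, but the response was lost
        return "SUCCESS"

    def query_status(self, reference):
        return self.ledger.get(reference, "NOT_FOUND")

def naive_push(rail, amount):
    """Unsafe: treats a timeout as failure and retries under a fresh reference."""
    for _ in range(2):
        try:
            return rail.submit_oct(str(uuid.uuid4()), amount)
        except NetworkTimeout:
            continue
    return "FAILED"

def safe_push(rail, amount, reference):
    """On timeout, ask the rail what happened before deciding whether to resend."""
    try:
        return rail.submit_oct(reference, amount)
    except NetworkTimeout:
        status = rail.query_status(reference)
        if status == "NOT_FOUND":
            # The request never reached the rail: resend under the SAME reference.
            return rail.submit_oct(reference, amount)
        return status  # any recorded status: report it, do not resend
```
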

Supported Networks

| Network | Push (OCT) | Pull (AFT) | Eligibility | Status Check |
| --- | --- | --- | --- | --- |
| VISA Direct |  |  | ✅ (Funds Transfer Attributes Inquiry) | ✅ (Transaction Query) |
| MasterCard Send 2.0 |  | ❌ (not currently enabled) | ✅ (Transfer Eligibility) | ✅ (Payment Search) |
| mVisa | ✅ (QR-based) |  |  |  |

Platform Architecture

Module Responsibilities

| Module | Role |
| --- | --- |
| Gateway | API gateway — routes requests, handles partner authentication (Basic Auth), request/response encryption. |
| CardPay Core | Core business engine — partner/entity management, wallet management, pool balance checks, transaction lifecycle, and orchestration. |
| Network Gateway | Network integration layer — integration with VISA Direct APIs and MasterCard Send 2.0 APIs. Handles mutual TLS, MLE, OAuth, and eligibility checks. |
| Auth Service | Authentication service — partner API key management, token service for PCI-compliant card tokenization. |

Key Differentiators

Multi-Tenant Architecture

A single deployment serves multiple sponsor banks and their partners. Tenants are isolated at the DB schema level via tenant context.

Network Agnostic

A unified API abstracts VISA Direct and MasterCard Send; partners choose the network, or CardPay auto-routes based on the BIN.

Sponsor Bank Model

Banks onboard as tenants; their downstream partners are configured as entities with specific default values and custom fields.

PCI DSS Compliance

Card data is encrypted at rest and in transit. Card tokenization service available for partners to avoid handling raw PANs.

Message Level Encryption

Support for Visa's JWE-based MLE for enhanced security on V2 APIs.

3D Secure Integration

AFT pull transactions integrate with 3DS providers for cardholder authentication (CAVV/TAVV) — both platform-managed and partner-provided.
