Compliance & Security
Security certifications, encryption standards, and compliance posture of the M2P Prepaid Platform.
The M2P Prepaid Platform is built with security at its core. All card data handling, storage, and transmission meet the highest industry standards.
Certifications
PCI-DSS Level 1
Certified compliant with the Payment Card Industry Data Security Standard at the highest level (Level 1), covering all card data handling and storage.
PCI SSF
PCI Software Security Framework certified, ensuring a secure software development lifecycle and secure coding practices.
ISO 27001
Certified Information Security Management System (ISMS) covering all organizational security controls and processes.
SOC 2 Type II
Independent audit of security, availability, processing integrity, confidentiality, and privacy controls — validated over an extended observation period.
Encryption & Key Management
| Layer | Standard | Details |
|---|---|---|
| Data at Rest | AES-256 | All sensitive data encrypted in storage |
| Data in Transit | TLS 1.2+ | All API communications use HTTPS with TLS 1.2 or higher |
| Key Management | HSM | Hardware Security Modules for cryptographic key storage and operations |
| PIN Encryption | RSA + AES Envelope | Gateway-level envelope encryption for PIN and sensitive card operations |
| Network Tokenization | VTS / MDES / NPCI TKM | Card network-level tokenization for digital wallet provisioning |
Data Isolation
The platform uses a multi-tenant architecture with strict data isolation. Each tenant operates with:
- Dedicated configuration — BIN ranges, limits, fees, and templates
- Isolated customer data — Encryption at rest with tenant-specific keys
- Independent routing — Configurable bank partner routing per tenant
- Separate webhook endpoints — Dedicated callback URLs per event type
M2P undergoes regular third-party security audits and penetration testing. Contact your account manager for the latest audit reports.
