
M2P Fintech

In today's interconnected world, our digital lives are a complex web of data and transactions. From online banking to managing business operations, we are constantly accessing and exchanging sensitive information. This raises a critical question: how do we ensure that only the right people have access to the right information at the right time? The answer lies in a foundational element of cybersecurity: Access Control.
M2P Fintech is at the forefront of building the secure financial infrastructure of tomorrow. Our core mission is to empower banks, fintechs, and businesses across more than 20 markets to rapidly deploy digital banking, lending, payment and other value-added solutions.
A deep understanding of access control is essential for anyone building or using payment (card) solutions. This post will demystify the core models of access control, explore the critical challenges in modern payments, and show how advanced systems like M2P's own Access Control Server (ACS) turn security from a checkpoint into a revenue engine.
At its core, access control is a security process for managing who is authorized to access corporate data and resources. It functions much like a digital gatekeeper, ensuring that every request for access is legitimate and permissible. This process is built on two key pillars:
Authentication: This is the act of verifying a user's identity to ensure they are who they claim to be. Common methods include passwords, PINs, biometric scans, or security tokens.
Authorization: Once a user is authenticated, authorization determines the specific level of access they are granted. This dictates what data they can see and what actions they can perform.
Together, these principles form the basis of a secure digital environment, protecting everything from personal files to critical enterprise systems and forming a key part of security standards like PCI-DSS.
Over the years, several models have been developed to implement access control, each with its own strengths and ideal use cases.
Discretionary Access Control (DAC): In this flexible model, the owner of a resource has the discretion to decide who can access it. While simple, its decentralized nature can become a security risk in larger organizations.
Mandatory Access Control (MAC): In stark contrast, the MAC model is highly restrictive and centrally managed. Access is granted based on security labels assigned to both users and resources, making it the model of choice for government and military organizations.
Role-Based Access Control (RBAC): As the standard for most businesses, RBAC grants access based on a user's defined role within an organization (e.g., 'Sales Representative,' 'HR Manager'). This simplifies administration and enhances security through the Principle of Least Privilege.
Attribute-Based Access Control (ABAC): Representing the next leap forward, ABAC is a highly granular and context-aware model that grants access by evaluating rules against the attributes of the user, the resource, the environment, and the requested action. By evaluating attributes like time of day, location, or device type in real time, ABAC can make highly intelligent and dynamic access decisions.
The world of financial payments, particularly Card-Not-Present (CNP) transactions, perfectly illustrates why advanced, attribute-based access control is so critical. The convenience of online shopping has led to explosive growth in CNP payments; in the U.S., CNP debit card transaction volume grew at an 8.2% annual rate between 2021 and 2023.
However, this growth has been shadowed by a costly surge in fraud.
Massive Financial Losses: In the U.S. alone, CNP fraud losses were projected to hit $10.16 billion in 2024, accounting for nearly three-quarters of all card payment fraud. Globally, online payment fraud losses could reach a staggering $362 billion by 2028.
High Merchant Costs: The impact on merchants extends beyond the initial loss. For every $1 of fraud, merchants can lose up to $3.75 when factoring in chargebacks, fees, and operational costs.
Poor Customer Experience: Overly restrictive security can lead to "false declines," where legitimate transactions are mistakenly rejected, frustrating customers and leading to lost sales. The original 3-D Secure 1.0 protocol was notorious for this, using disruptive browser redirects that led to high cart abandonment rates.
To combat this, the industry evolved to EMV 3-D Secure 2.x (3DS2), a paradigm shift in authentication that M2P's Access Control Server (ACS) is engineered to master.
The most profound advancement of 3DS2 is its ability to exchange over 150 data points between the merchant and the card issuer—a tenfold increase from the 15 data elements in the 1.0 version. This rich data includes device information, transaction history, shipping details, and other behavioral patterns.
This massive data exchange is the engine behind the "frictionless flow," which is powered by sophisticated Risk-Based Authentication (RBA) engines. M2P's ACS is a real-world application of this intelligent, attribute-based security, designed to maximize both safety and sales.
At the heart of our ACS is a powerful, hybrid risk-based authentication (RBA) engine that combines a configurable rules engine with AI and machine learning. This engine is a sophisticated form of ABAC that analyzes hundreds of data points from the 3DS2 protocol in real time, with response times under 400 milliseconds.
Transaction Signals: The engine scrutinizes the payment context, including transaction history, merchant risk profile, transaction value, and purchase frequency.
Device Signals: We utilize device fingerprinting and analyze data points like OS, screen size, IP reputation, and geolocation to recognize trusted devices and flag high-risk attempts.
Behavioral Signals with Transaction Behavioural Intelligence (TBI): Through our acquisition of Goals101, a leader in Transaction Behavioural Intelligence (TBI), our capabilities are significantly enhanced. The platform uses advanced AI/ML to provide deep insights into consumer transaction patterns, allowing our ACS to build detailed behavioral profiles, more accurately detect anomalies, and enable hyper-personalized experiences.
Based on the real-time risk score, the ACS makes an instant, intelligent decision:
Frictionless Flow (Low-Risk): For low-risk transactions, the payment is approved seamlessly without any cardholder interaction. Industry data shows that with RBA, 90-95% of transactions can be processed this way, dramatically reducing cart abandonment.
Challenge Flow (Medium/High-Risk): If attributes flag a potential risk, the ACS initiates a "step-up challenge" using multi-factor authentication (MFA). This ensures legitimate but unusual transactions can still be approved securely.
Decline (High-Risk): In clear cases of fraud, the transaction is proactively declined.
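To make the ABAC model described earlier and the three-way ACS decision above concrete, here is an added example (not M2P's code) of a small attribute-based risk engine: each rule is a predicate over 3DS2-style transaction attributes, the weights add up to a risk score, and the score maps to frictionless, challenge or decline, with a challenge resolved by the MFA result. The attribute names, rule weights and thresholds are constructed assumptions, not the real ACS logic.

```python
from __future__ import annotations
from dataclasses import dataclass

FRICTIONLESS, CHALLENGE, DECLINE = "frictionless", "challenge", "decline"

@dataclass
class Txn:  # subset of 3DS2-style attributes (constructed; field names are assumptions)
    amount: float
    merchant_risk: str       # "low" | "medium" | "high", from the issuer's merchant profile
    device_known: bool       # device fingerprint previously seen for this cardholder
    ip_country: str          # geolocation of the request
    billing_country: str
    ip_reputation: str       # "good" | "suspicious" | "bad"
    txns_last_hour: int      # purchase velocity
    avg_amount_90d: float    # behavioural baseline for this cardholder

# Each rule is (name, predicate over the attributes, weight). Weights are assumptions.
RULES = [
    ("unknown_device",     lambda t: not t.device_known,                         20),
    ("geo_mismatch",       lambda t: t.ip_country != t.billing_country,          25),
    ("suspicious_ip",      lambda t: t.ip_reputation == "suspicious",            15),
    ("bad_ip",             lambda t: t.ip_reputation == "bad",                   50),
    ("high_risk_merchant", lambda t: t.merchant_risk == "high",                  15),
    ("amount_anomaly",     lambda t: t.amount > 5 * max(t.avg_amount_90d, 1.0),  25),
    ("velocity",           lambda t: t.txns_last_hour >= 5,                      30),
]

def risk_score(t: Txn) -> tuple[int, list[str]]:
    """Evaluate every rule against the attributes; return the total score and the rules that fired."""
    fired = [(name, w) for name, pred, w in RULES if pred(t)]
    return sum(w for _, w in fired), [name for name, _ in fired]

def decide(t: Txn, challenge_at: int = 30, decline_at: int = 80) -> tuple[str, int, list[str]]:
    """Map the score onto the three ACS outcomes: frictionless, step-up challenge, or decline."""
    score, fired = risk_score(t)
    if score >= decline_at:
        return DECLINE, score, fired
    if score >= challenge_at:
        return CHALLENGE, score, fired
    return FRICTIONLESS, score, fired

def finalize(t: Txn, mfa_passed: bool | None = None) -> str:
    """Resolve a challenge: the transaction is approved only if the step-up MFA succeeded."""
    outcome, _, _ = decide(t)
    if outcome == CHALLENGE:
        return "approved" if mfa_passed else "declined"
    return "approved" if outcome == FRICTIONLESS else "declined"

# Constructed sample transactions: a routine purchase, a new device abroad, and a clear fraud pattern.
TRUSTED = Txn(42.0, "low", True, "IN", "IN", "good", 1, 50.0)
UNUSUAL = Txn(60.0, "low", False, "AE", "IN", "good", 1, 50.0)
FRAUD = Txn(900.0, "high", False, "XX", "IN", "bad", 6, 50.0)
```

A real ACS would replace the fixed weights with a trained model and tune the thresholds per issuer, but the shape of the decision (attributes in, score out, three outcomes) is the same.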
This intelligent approach also provides a crucial liability shift: for transactions authenticated through 3DS2, the financial liability for fraudulent chargebacks typically shifts from the merchant to the card-issuing bank.
When a challenge is necessary, our ACS employs a range of modern, user-friendly MFA methods:
One-Time Passwords (OTP): Delivered via SMS and email.
Biometric Verification: Seamless facial recognition and fingerprint scanning native to the user's device.
Out-of-Band (OOB) Authentication: Secure push notifications ("swipe to pay") to a trusted, pre-registered banking app for approval.
Soft Tokens: Application-generated codes for an added layer of security.
Our ACS is engineered from the ground up for performance, flexibility, and reliability.
API-First Design: A 100% API-driven, microservices-based architecture allows for flexible integration and rapid deployment.
Cloud-Native Infrastructure: Fully cloud-hosted with built-in redundancy to ensure high availability and scalability for any transaction volume.
EMV 3DS Compliance: The server is fully compliant with the latest EMV 3DS 2.x standards.
PCI Certified and Pre-Certified: Our ACS is compliant with PCI-DSS and PCI-3DS standards and comes pre-certified with major card networks like Visa, Mastercard, American Express, and RuPay, allowing partners to go live up to five times faster.
By harnessing the power of EMV 3DS2, M2P's ACS delivers tangible results. A senior manager at a major bank reported a "significant improvement in our authentication success rate" and "higher customer satisfaction" after migrating to our platform. Another case study with a client in Mauritius highlighted 90% faster merchant onboarding and a 60% reduction in operational inefficiency, demonstrating the platform's broad ecosystem benefits.
These client experiences are reflective of the powerful industry-wide impact of this technology:
Checkout times reduced by 85%
Cart abandonment rates lowered by up to 70%
95% of transactions approved straight away in a frictionless flow
Fraud reduced by 40%
Access control has evolved from simple Discretionary (DAC) and Mandatory (MAC) models to the business-standard Role-Based Access Control (RBAC) and now to the highly intelligent Attribute-Based Access Control (ABAC). In the high-stakes world of Card-Not-Present (CNP) payments—where fraud losses have already exceeded $10 billion annually in the U.S. alone—ABAC is not just a security measure, but a core revenue driver.
As one of the largest banking infrastructure companies, M2P Fintech operationalizes ABAC through our Access Control Server (ACS), which is built on the EMV 3-D Secure 2.x protocol. This protocol enables the exchange of over 150 data points per transaction, a tenfold increase over its predecessor.
Our ACS uses a hybrid risk-based authentication (RBA) engine that combines a rules engine with AI, machine learning, and Transaction Behavioural Intelligence (TBI) to analyze these data points in real time. This intelligent analysis enables a frictionless flow for over 95% of legitimate transactions, combating cart abandonment and false declines. For riskier scenarios, it triggers a multi-layered step-up challenge using methods like:
OTP (SMS/email)
Biometric Verification (Face/Fingerprint)
Out-of-Band Authentication (Push notifications)
This approach delivers significant, quantifiable results, including improved authentication success rates, higher customer satisfaction, and dramatic reductions in cart abandonment and fraud. Built on a 100% API-driven, cloud-native architecture and pre-certified for PCI-DSS, PCI-3DS, and major card networks, M2P's ACS empowers our partners to protect their customers while maximizing revenue.
Curious to see our Risk-Based Authentication in action? Request a personalized demo of M2P's ACS.