3-D Secure on every charge
Visa Business and Visa Gold clear full 3-D Secure authentication natively. Every authorisation is challenged in-app — Face ID, Touch ID, push notification, or one-time code. No card-not-present (CNP) fraud surface, no fallback to static CVV.
Card balances sit at a PCI DSS Level 1 regulated issuer, in segregated accounts. Every authorisation hits 3-D Secure. Anti-fraud monitoring runs in real time. And we never ask for KYC — your spend, hardened by the controls a tier-one bank uses, minus the bank.
Every authorisation passes through six independent checks. Any single failure declines the transaction — no exceptions, no fallbacks.
Velocity rules, geofencing, merchant-category controls, device fingerprinting. Every decline carries a structured reason code so you know exactly what to fix — never a silent failure.
Funds sit at the issuer in your account, ring-fenced from operating capital. Even in the worst-case scenario where Cryptocardium ceases operations, your balance is yours — the issuer is the custodian.
Per-card spend ceilings, MCC allow-lists, merchant denylists, geo-locks — set per card, revisable in one API call. Limit a card to aws.amazon.com at $500/mo and nothing else can touch it.
One API call (or one click in the panel) freezes the card immediately — pending authorisations are declined within 200 ms. Reissue spins a fresh PAN, provisioned to Apple Pay and Google Pay before the old one cools.
Every lifecycle event is delivered with an HMAC-SHA256 signature and a per-event unique ID. Replay-protected, deduplicatable, verifiable in three lines in any language — no chance of a spoofed event reaching your back-end.
What you control directly from the panel — independent of what we do server-side.
Passwords are hashed with bcrypt at cost 12 on every account. The plaintext never touches disk and never leaves the request lifecycle. Change it at any time from Security → Change password.
Two-factor authentication uses standard RFC 6238 TOTP — it works with Google Authenticator, Authy, 1Password, Bitwarden, or any TOTP-compatible app. 10 single-use backup codes are issued for recovery and can be regenerated at any time.
Each API key is shown once at creation and stored only as a SHA-256 hash. Revocation is instant — old keys stop authenticating the moment you click Revoke. Per-key activity is audited.
Every authentication event is logged with timestamp, IP, and outcome. Visible in Activity → Account events. Failed attempts trigger automatic rate-limiting (5 attempts per 15 min per IP).
Session bearer tokens expire after 30 days of inactivity. Signing out from any device revokes the session everywhere; if you opt in to single-device mode, each sign-in invalidates older sessions.
Spend ceilings (transaction / daily / monthly), MCC allow-lists (e.g. only SaaS merchants), country geo-locks, and a freeze toggle — all programmable per card, no cool-off between changes.
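The per-card controls described here and in the six-layer list above (spend ceilings, MCC allow/deny lists, geo-locks, merchant locks, freeze) can be modelled as a fail-closed policy check that returns one structured reason code. This is an added illustration, not Cryptocardium's own authorisation code; the field names, reason codes and minor-unit amounts are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Illustrative model of per-card controls (assumed names, not the platform's).
# Amounts are in minor units (cents). None on a list means "no restriction".
@dataclass
class CardPolicy:
    frozen: bool = False
    txn_ceiling: Optional[int] = None
    daily_ceiling: Optional[int] = None
    monthly_ceiling: Optional[int] = None
    mcc_allow: Optional[Set[str]] = None
    mcc_deny: Set[str] = field(default_factory=set)
    countries: Optional[Set[str]] = None          # geo-lock, ISO country codes
    merchant_allow: Optional[Set[str]] = None     # e.g. {"aws.amazon.com"}

@dataclass
class Spend:
    day: int = 0    # running daily total, minor units
    month: int = 0  # running monthly total, minor units

def evaluate(policy: CardPolicy, spend: Spend, amount: int,
             mcc: str, country: str, merchant: str) -> Tuple[bool, str]:
    """Return (approved, reason_code). Checks run in a fixed order and the
    first failure declines, so every decline names exactly one control."""
    if policy.frozen:
        return False, "CARD_FROZEN"
    if policy.merchant_allow is not None and merchant not in policy.merchant_allow:
        return False, "MERCHANT_NOT_ALLOWED"
    if mcc in policy.mcc_deny:
        return False, "MCC_DENIED"
    if policy.mcc_allow is not None and mcc not in policy.mcc_allow:
        return False, "MCC_NOT_ALLOWED"
    if policy.countries is not None and country not in policy.countries:
        return False, "GEO_LOCK"
    if policy.txn_ceiling is not None and amount > policy.txn_ceiling:
        return False, "TXN_CEILING"
    if policy.daily_ceiling is not None and spend.day + amount > policy.daily_ceiling:
        return False, "DAILY_CEILING"
    if policy.monthly_ceiling is not None and spend.month + amount > policy.monthly_ceiling:
        return False, "MONTHLY_CEILING"
    # Only an approved authorisation counts against the running totals.
    spend.day += amount
    spend.month += amount
    return True, "APPROVED"
```

The ordering matters: a frozen card declines before any ceiling is consulted, and a ceiling decline never mutates the running totals.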
No identity verification, no document upload, no selfie. The card programme runs under our compliance umbrella — your privacy is the default, not an enterprise upgrade.
The card programme is sponsored by a licensed BIN-issuer in a tier-one jurisdiction. Cryptocardium is the technology layer; the card itself runs on regulated rails.
The issuing partner is PCI DSS Level 1 certified, audited annually. No cardholder PAN ever touches Cryptocardium infrastructure unencrypted.
Cryptocardium's operational controls are SOC 2 Type II audited. Continuous monitoring, change management, vendor reviews.
All traffic is TLS 1.3 with forward secrecy. Older protocols are refused. HSTS preloaded across cryptocardium.com.
Multi-region active-active. Card auth path is replicated across three data centres. Median auth latency: 47 ms.
Cryptocardium runs a bug bounty programme. Report through our coordinated disclosure channel and we'll triage within 24 hours.
Open a support ticket tagged security — we route directly to the security team.
Sign up, fund with crypto, issue a card. Six layers of defence, zero KYC questions.
Everything people actually ask.
Yes. Every authorisation is challenged through 3-D Secure, typically as an in-app approval. There is no static-CVV-only fallback. The card-not-present (CNP) fraud surface is therefore reduced to near zero.
Card balances are held by Cryptocardium's licensed card-issuing partner in segregated accounts ring-fenced from operating capital. The issuer is PCI DSS Level 1 and BIN-sponsor regulated. Funds are not commingled with Cryptocardium's own balance sheet.
Passwords are hashed with bcrypt at work factor 12 (~250 milliseconds per hash). Plaintext passwords are never stored, never logged and never visible to staff. Password resets use single-use tokens expiring in thirty minutes.
Yes. TOTP (RFC 6238) is supported with any standard authenticator: Google Authenticator, Authy, 1Password, Bitwarden, Aegis. Codes rotate every thirty seconds. Disabling 2FA requires the current password plus a valid code.
Yes. Every webhook event is signed with HMAC-SHA256 using a per-subscription secret. Idempotency keys are included so receivers can safely deduplicate replays. Signing keys can be rotated on demand without downtime.
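A receiver-side verifier for the signed, replay-protected webhooks described above and in the six-layer list: constant-time HMAC-SHA256 check, a timestamp window, and deduplication on the per-event unique ID. This is an added example, not Cryptocardium's SDK; the header names, the "<timestamp>.<body>" signing input and the event_id field are assumptions, since the page does not document the wire format.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Tuple

# Assumed wire format (not from the page): raw JSON body signed as
# "<unix-seconds>.<body>", delivered with X-Timestamp and X-Signature (hex).
TOLERANCE_SECONDS = 300

def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 over the assumed signing input."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body,
                    hashlib.sha256).hexdigest()

class WebhookReceiver:
    def __init__(self, secret: bytes, now: Callable[[], float] = time.time):
        self.secret = secret
        self.now = now
        # In production this is a shared store with a TTL, not a process-local set.
        self.seen_ids = set()

    def verify(self, headers: Dict[str, str], body: bytes) -> Tuple[bool, str]:
        """Return (accepted, reason). Reject before parsing anything untrusted."""
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing_timestamp"
        if abs(self.now() - ts) > TOLERANCE_SECONDS:
            return False, "stale_timestamp"
        expected = sign(self.secret, ts, body)
        # compare_digest avoids leaking the match length through timing.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad_signature"
        try:
            event_id = json.loads(body).get("event_id")
        except (ValueError, AttributeError):
            return False, "malformed_body"
        if not event_id:
            return False, "missing_event_id"
        if event_id in self.seen_ids:
            return False, "duplicate"
        self.seen_ids.add(event_id)
        return True, "ok"
```

Signature and timestamp are checked before the body is parsed, so a forged or replayed payload never reaches the JSON decoder.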
Yes. Each card supports a programmable MCC allow-list and denylist (merchant category codes), geo-locks restricted to specific countries, plus per-transaction, daily and monthly spend ceilings. All settings are revisable in a single API call.
Press the Freeze button in the panel, or call POST /v1/cards/{id}/freeze (REST) or freeze_card (MCP). Freezing is instant; subsequent authorisations are declined at the network level. Unfreezing is symmetric.
Coordinated vulnerability disclosure is documented at https://cryptocardium.com/.well-known/security.txt (RFC 9116). Reports are routed through the authenticated ticket system at /contact and qualify for the bug bounty programme described on this page.