Security & trust

Banking-grade defense.
Crypto-grade privacy.

Card balances sit at a PCI DSS Level 1 regulated issuer, in segregated accounts. Every authorisation hits 3-D Secure. Anti-fraud monitoring runs in real time. And we never ask for KYC — your spend, hardened by the controls a tier-one bank uses, minus the bank.

PCI DSS Level 1 issuer · 3-D Secure native · HMAC-signed events · 99.99% uptime · 90d
Defense layers

Six controls between
your funds and a bad actor.

Every authorisation passes through six independent checks. Any single failure declines the transaction — no exceptions, no fallbacks.

3-D Secure on every charge

Visa Business and Visa Gold clear full 3-D Secure authentication natively. Every authorisation is challenged in-app — Face ID, Touch ID, push notification, or one-time code. No CNP fraud surface, no fallback to static CVV.

Real-time anti-fraud

Velocity rules, geofencing, merchant-category controls, device fingerprinting. Every decline carries a structured reason code so you know exactly what to fix — never a silent failure.

Segregated card balances

Funds sit at the issuer in your account, ring-fenced from operating capital. Even in the worst-case scenario where Cryptocardium ceases operations, your balance is yours — the issuer is the custodian.

Programmable per-card rules

Per-card spend ceilings, MCC allow-lists, merchant denylists, geo-locks — set per card, revisable in one API call. Limit a card to aws.amazon.com at $500/mo and nothing else can touch it.

Freeze & reissue in seconds

One API call (or one click in the panel) freezes the card immediately — pending authorisations are declined within 200 ms. Reissue spins a fresh PAN, provisioned to Apple Pay and Google Pay before the old one cools.

HMAC-signed webhooks

Every lifecycle event is delivered with an HMAC-SHA256 signature and a per-event unique ID. Replay-protected, deduplicatable, verifiable in three lines in any language — no chance of a spoofed event reaching your back-end.

Account-level controls

You hold the keys.
We hold the cipher.

What you control directly from the panel — independent of what we do server-side.

Privacy & no-KYC

The only thing we know about you
is the email you typed.

No identity verification, no document upload, no selfie. The card programme runs under our compliance umbrella — your privacy is the default, not an enterprise upgrade.

What we never ask for

  • Government ID, passport, driving licence, residence permit
  • Selfie, liveness check, real-name attestation
  • Proof of address, utility bill, lease, bank statement
  • Source of funds, employer verification, income declaration
  • Phone number (the panel works fine without one)

What we do keep

  • Your email (for sign-in and account recovery)
  • A bcrypt hash of your password
  • Your USDT balance and top-up / spend records (for audit + your own statements)
  • Card metadata (BIN + last 4 + status) — never the full PAN at rest
  • If you enabled 2FA, your TOTP secret (encrypted at rest)
  • Sign-in IPs (for fraud defence, kept 90 days)

Issuer & compliance

Regulated where it matters.
Invisible where it shouldn't.

The card programme is sponsored by a licensed BIN-issuer in a tier-one jurisdiction. Cryptocardium is the technology layer; the card itself runs on regulated rails.

PCI DSS Level 1

The issuing partner is PCI DSS Level 1 certified, audited annually. No cardholder PAN ever touches Cryptocardium infrastructure unencrypted.

SOC 2 Type II

Cryptocardium's operational controls are SOC 2 Type II audited. Continuous monitoring, change management, vendor reviews.

TLS 1.3 Everywhere

All traffic is TLS 1.3 with forward secrecy. Older protocols are refused. HSTS preloaded across cryptocardium.com.

99.99% Uptime · 90d

Multi-region active-active. Card auth path is replicated across three data centres. Median auth latency: 47 ms.

Responsible disclosure

Find a vulnerability? Get paid.

Cryptocardium runs a bug bounty programme. Report through our coordinated disclosure channel and we'll triage within 24 hours.

  • Critical (up to $25,000): RCE, auth bypass, fund extraction
  • High (up to $7,500): SQLi, privilege escalation, IDOR
  • Medium (up to $2,500): XSS, CSRF, info disclosure
  • Low (up to $500): best-practice gaps, hardening

Open a support ticket tagged security — we route directly to the security team.

Open the programme

Spend hardened by a tier-one bank.
Identity untouched by anyone.

Sign up, fund with crypto, issue a card. Six layers of defense, zero KYC questions.

FAQ

Security, answered.

Everything people actually ask. Last updated .

Does every Cryptocardium charge go through 3-D Secure?

Yes. Every authorisation is challenged through 3-D Secure, typically as an in-app approval. There is no static-CVV-only fallback. The card-not-present (CNP) fraud surface is therefore reduced to near zero.

Who holds my card balance?

Card balances are held by Cryptocardium's licensed card-issuing partner in segregated accounts ring-fenced from operating capital. The issuer is PCI DSS Level 1 and BIN-sponsor regulated. Funds are not commingled with Cryptocardium's own balance sheet.

How are passwords stored?

Passwords are hashed with bcrypt at work factor 12 (~250 milliseconds per hash). Plaintext passwords are never stored, never logged and never visible to staff. Password resets use single-use tokens expiring in thirty minutes.

Does Cryptocardium support two-factor authentication?

Yes. TOTP (RFC 6238) is supported with any standard authenticator: Google Authenticator, Authy, 1Password, Bitwarden, Aegis. Codes rotate every thirty seconds. Disabling 2FA requires the current password plus a valid code.

Are webhooks authenticated?

Yes. Every webhook event is signed with HMAC-SHA256 using a per-subscription secret. Idempotency keys are included so receivers can safely deduplicate replays. Signing keys can be rotated on demand without downtime.
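A receiver for the signed events described above and under "HMAC-signed webhooks", added here as an example and not Cryptocardium's own code: it checks the HMAC-SHA256 signature in constant time, accepts an overlapping set of secrets so a key rotation causes no downtime, and rejects any event ID it has already processed. The header names, the hex encoding and signing over the raw request body are assumptions, since the page does not document the wire format.

```python
import hmac
import hashlib
import json

# Hypothetical header names; the real ones are not given on this page.
SIG_HEADER = "X-Signature"
EVENT_ID_HEADER = "X-Event-Id"


class WebhookVerifier:
    """Verifies HMAC-SHA256 webhook signatures and rejects replayed event IDs."""

    def __init__(self, secrets, seen_ids=None):
        # Several secrets are accepted so a rotation can overlap: the receiver
        # keeps the previous secret alive until the sender has switched over.
        self.secrets = [s.encode() if isinstance(s, str) else s for s in secrets]
        self.seen_ids = seen_ids if seen_ids is not None else set()

    @staticmethod
    def sign(secret, body):
        # Assumed format: hex HMAC-SHA256 over the raw (unparsed) request body.
        return hmac.new(secret, body, hashlib.sha256).hexdigest()

    def verify(self, headers, body):
        """Return (accepted, reason). Only signature-valid, never-seen events pass."""
        sig = headers.get(SIG_HEADER, "").encode()
        event_id = headers.get(EVENT_ID_HEADER)
        if not event_id:
            return False, "missing event id"
        # Constant-time comparison against every accepted secret avoids timing leaks.
        if not any(hmac.compare_digest(self.sign(s, body).encode(), sig) for s in self.secrets):
            return False, "bad signature"
        # Signature is checked before dedup so forged IDs cannot poison the seen set.
        if event_id in self.seen_ids:
            return False, "replay"
        self.seen_ids.add(event_id)
        return True, "ok"


def demo():
    # Constructed sample event and secret, not real traffic.
    secret = "whsec_example_constructed"
    body = json.dumps({"type": "card.frozen", "card_id": "card_123"}).encode()
    v = WebhookVerifier([secret])
    good = {SIG_HEADER: WebhookVerifier.sign(secret.encode(), body), EVENT_ID_HEADER: "evt_1"}
    first = v.verify(good, body)      # accepted
    replay = v.verify(good, body)     # same event ID again: rejected
    forged = v.verify({SIG_HEADER: "00" * 32, EVENT_ID_HEADER: "evt_2"}, body)
    return first, replay, forged
```

In production the seen-ID set would live in shared storage with a retention window, not in process memory.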

Can I limit a card to specific merchants or countries?

Yes. Each card supports a programmable MCC allow-list and denylist (merchant category codes), geo-locks restricted to specific countries, plus per-transaction, daily and monthly spend ceilings. All settings are revisable in a single API call.

How do I freeze a card immediately?

Press the Freeze button in the panel, or call POST /v1/cards/{id}/freeze (REST) or freeze_card (MCP). Freezing is instant; subsequent authorisations are declined at the network level. Unfreezing is symmetric.

How do I report a security vulnerability?

Coordinated vulnerability disclosure is documented at https://cryptocardium.com/.well-known/security.txt (RFC 9116). Reports are routed through the authenticated ticket system at /contact and qualify for the bug bounty programme described on this page.