Security and asset protection

Last updated: 19 May 2026

ExCards is a card-issuance service backed by a licensed BIN-sponsor partner. Security is split across three layers: the card network layer (Visa and Mastercard rails), the issuer partner layer (where card balances are held), and the ExCards platform layer (account, KYC, top-up flows). This page describes the controls at each layer.

1. Card network layer — 3D Secure 2.0

Every card authorization above $1 routes through 3D Secure 2.0 with the issuer's authentication flow. Suspicious patterns trigger step-up authentication via your registered contact channel. Card-not-present fraud rules follow current Visa Core Rules and Mastercard Standards. Chargeback rights apply to ExCards transactions exactly as they apply to any other Visa or Mastercard card.

2. Issuer partner layer — custodial balance

Card balances are held by our card issuer partner in segregated accounts compliant with the issuer's regulatory regime. The card itself is provisioned and credentialed by the issuer; ExCards does not store full PAN, CVV, or expiry data outside of one-time provisioning workflows.

3. Platform layer — TLS 1.3 and encrypted storage

All traffic to and from excards.io and app.excards.io uses TLS 1.3. KYC data (passport scan, personal details) is encrypted at rest using AES-256-GCM with rotating keys. Access to KYC data is role-restricted and logged.

4. Sanctions screening

Every applicant is screened at issuance against UN, EU, US OFAC SDN, UK HMT, and Swiss SECO lists, plus PEP databases. Every transaction is screened against the same lists (merchant country, BIN routing, IP origin) before authorization. Matches trigger automatic decline. See /aml.html for the full AML control description.

5. Customer-side security recommendations

Set a unique, strong password on your ExCards account. Enable 2FA on the linked email or Telegram account. Never share full card details over chat or email. Report lost card credentials immediately via app.excards.io so we can freeze the card within minutes.

6. What we do not do

We do not claim PCI DSS Level 1, SOC 2 Type II, or ISO 27001 certifications. The card issuer partner holds the relevant card-industry certifications under their own programs. We do not offer cold-storage custody of customer crypto outside of the active card-funding wallet.

7. Incident response

In the event of a confirmed data incident, affected customers are notified within 72 hours via their registered contact channel, in line with GDPR Article 33. Public communications are posted via app.excards.io.

8. Contact

Security questions: /contact.html. Suspected fraud: app.excards.io with the word "fraud" at the start of the message.