Best-in-class security

Instant notifications

We prompt you to validate online and offline transactions and we push instant notifications to your mobile device alerting you of all account activity.

Data Privacy

We go to great lengths to protect the privacy of customer data and we apply defense-in-depth techniques to safeguard your information in accordance with our Privacy Policy.

Background Checks

All Xapo Bank personnel are subject to background checks by an accredited service provider that specializes in this activity.

24/7 Security Operations

We monitor the industry threat landscape around the clock with a follow-the-sun model, using dedicated security tools and people.

Responsible Disclosure Program

We are committed to continuous improvement and we encourage the security community to inform us about security issues or vulnerabilities in accordance with the principles outlined in our Responsible Disclosure Policy.

Secure authentication

Your account is only associated with a single mobile device at any given time and is protected by your PIN, password and biometric authentication. We also use multi-factor authentication to add an extra layer of protection to your account and transactions.

Fraud prevention

We employ a global team of experts in financial crime and use the latest in blockchain analysis technologies to ensure that your life savings are kept secure against fraud schemes. To top it off, your account is fully protected up to the USD equivalent of €100,000 by Gibraltar’s Deposit Guarantee Scheme.

Card security

Your Xapo Bank card is protected by the following controls so you can transact securely and stay on top of your card’s activity:

  • Self-activate your card only when the card is delivered to you
  • Control online activity by enabling and disabling online payments
  • Manage your payments abroad by turning cross-border payments on and off
  • Report a lost or stolen card at the click of a button
  • Validate your online payments with 3D Secure authentication for your purchases with 3DS-enabled merchants

Accreditation & Certifications

Payment Card Industry Data Security Standard (PCI DSS)

Xapo Bank Limited ("Xapo Bank") is committed to protecting consumer credit card data in compliance with the Payment Card Industry Data Security Standard (PCI DSS). Our alignment with this standard is reflected in the people, technologies and processes we employ. We conduct regular vulnerability scans and penetration tests in accordance with the PCI DSS requirements, and our PCI compliance is attested to annually by a PCI Qualified Security Assessor (QSA). Our most recent Attestation of Compliance (AOC) was issued by Coalfire Systems, Inc. in July 2021.

Banking License

Xapo Bank is a licensed bank and Xapo VASP Limited ("Xapo VASP") is a licensed Virtual Asset Service Provider (VASP). Both these entities are regulated by the Gibraltar Financial Services Commission (GFSC) and subject to integrated financial audits performed annually by an independent accounting firm. As a Distributed Ledger Technology Provider, Xapo VASP is compliant with and regulated under Gibraltar’s DLT Provider Regulatory framework including but not limited to the Distributed Ledger Technology Provider - Guidance Notes designed for Risk Management, Protection of Client Assets, Corporate Governance, Cyber Security, Financial Crime, and Resilience.

Security tips

Please remain vigilant and follow all security tips outlined on this page in order to maximize the security of your account.

Software Security

  • Ensure that you’re running the most recent version of the Xapo Bank mobile application downloaded directly from either the Apple App Store or the Google Play Store.
  • Ensure that your mobile device and computer are up to date with current operating system and malware protection software.

Device Security

We encourage the use of robust passcode, screen lock, and data protection security configurations on your mobile device in order to limit the risk of account compromise.

Browser Security

Make sure that you’re accessing our website via the secure https:// address in your browser window:

It should look like this: https://www.xapo.com/

If you spot a Xapo webpage which is using an unsecure http:// address, please avoid using it and report it to our customer support team because it may be an illegitimate and malicious website.

Secure Storage

Do not write down your sensitive information (e.g. your password, PIN and card number) and avoid the local unencrypted (plain text) storage of this information on your devices in order to avoid compromise in case of a lost or stolen device.

Wireless Connections

We discourage the use of publicly accessible WiFi and Bluetooth connections and we recommend verifying that private WiFi connections are enforcing wireless encryption security standards such as WPA2 and WPA3.

Phishing and Smishing

Bad actors may try to obtain your password or login credentials through fraudulent emails, SMS or forged websites. This type of malicious activity typically includes links that redirect to a simulated website, which may prompt you to provide sensitive information. These sites often replicate the design of the original legitimate service and are purposely designed to steal your sensitive information:


  • Ensure that the website you’re browsing is in fact part of the xapo.com domain and secured by https://. For more information about this, see our Safe Communication section.
  • Remain cautious about your online activity and avoid clicking on suspicious links in emails or text messages. We will never ask you for sensitive information such as your password, your PIN or your card number by email or SMS. If you are unsure about the legitimacy of a communication sent to you, please contact our customer support team before proceeding.
  • Pay attention and look for small typos in the URL of a web address. A common practice by criminals is to run websites with URLs that at a quick glance may seem legit but inspected closely include minor variations of the original web address.
  • If you detect a Xapo Bank impersonator who may be asking for your sensitive information, please take a screenshot and report them to our customer support team so that we can take action and prevent other customers from being targets of the same malicious activity.
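
The domain, https:// and typo checks from the list above can be expressed as a link classifier. This is an added example, not Xapo Bank's code: the function names, the edit-distance threshold and the sample URLs are assumptions, and comparing adjacent label pairs is a simplification of registrable-domain matching.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "xapo.com"  # taken from the page: https://www.xapo.com/
TYPO_THRESHOLD = 2            # assumed heuristic; tune to balance false positives


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag near-miss (typo) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'official', 'insecure', 'lookalike' or 'foreign' for a link."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    # Match on a label boundary: "notxapo.com" must not pass as "xapo.com".
    in_domain = host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)
    if in_domain:
        return "official" if parts.scheme == "https" else "insecure"
    # "https://www.xapo.com@other.example/" puts the real name in the userinfo
    # part; the browser actually connects to other.example.
    if parts.username and OFFICIAL_DOMAIN in parts.username.lower():
        return "lookalike"
    # Compare every adjacent label pair with the official name. This catches
    # typo variants and the official name used as a subdomain prefix.
    labels = host.split(".")
    pairs = {".".join(labels[i:i + 2]) for i in range(len(labels) - 1)}
    if any(edit_distance(p, OFFICIAL_DOMAIN) <= TYPO_THRESHOLD for p in pairs):
        return "lookalike"
    return "foreign"


if __name__ == "__main__":
    # Constructed sample links, not taken from real traffic.
    for link in ("https://www.xapo.com/", "http://www.xapo.com/",
                 "https://www.xap0.com/login", "https://xapo.com.verify.example/",
                 "https://www.xapo.com@evil.example/", "https://notxapo.com/"):
        print(f"{classify_link(link):10} {link}")
```
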

Safe Communication

We only communicate with you via email or in-app chat support. Our customer support team does not provide account support via social media. If you are offered support by someone posing as a Xapo Bank employee on a social media site, please report them to our customer support team.

This is our official website: https://www.xapo.com/

In the event that you have additional questions about security or about our services, more valuable information is available to you on our support page.