We prompt you to validate online and offline transactions and we push instant notifications to your mobile device alerting you of all account activity.
All Xapo Bank personnel are subject to background checks by an accredited service provider that specializes in this activity.
We monitor the industry threat landscape around the clock with a follow-the-sun model using dedicated security tools and people.
We are committed to continuous improvement and we encourage the security community to inform us about security issues or vulnerabilities in accordance with the principles outlined in our Responsible Disclosure Policy.
Your account is only associated with a single mobile device at any given time and is protected by your PIN, password and biometric authentication. We also use multi-factor authentication to add an extra layer of protection to your account and transactions.
We employ a global team of experts in financial crime and use the latest in blockchain analysis technologies to ensure that your life savings are kept secure against fraud schemes. To top it off, your account is fully protected up to the USD equivalent of €100,000 by Gibraltar’s Deposit Guarantee Scheme.
Your Xapo Bank card is protected by the following controls so you can transact securely and stay on top of your card’s activity:
Xapo Bank Limited ("Xapo Bank") is committed to protecting consumer credit card data in compliance with the Payment Card Industry Data Security Standard (PCI DSS). Our alignment with this standard is reflected in the people, technologies and processes we employ. We conduct regular vulnerability scans and penetration tests in accordance with the PCI DSS requirements, and our PCI compliance is attested to annually by a PCI Qualified Security Assessor (QSA). Our most recent Attestation of Compliance (AOC) was issued by Coalfire Systems, Inc. in July 2021.
Xapo Bank is a licensed bank and Xapo VASP Limited ("Xapo VASP") is a licensed Virtual Asset Service Provider (VASP). Both these entities are regulated by the Gibraltar Financial Services Commission (GFSC) and subject to integrated financial audits performed annually by an independent accounting firm. As a Distributed Ledger Technology Provider, Xapo VASP is compliant with and regulated under Gibraltar’s DLT Provider Regulatory framework including but not limited to the Distributed Ledger Technology Provider - Guidance Notes designed for Risk Management, Protection of Client Assets, Corporate Governance, Cyber Security, Financial Crime, and Resilience.
We encourage the use of robust passcode, screen lock, and data protection security configurations on your mobile device in order to limit the risk of account compromise.
Make sure that you’re accessing our website via the secure https:// address in your browser window:
It should look like this: https://www.xapo.com/
If you spot a Xapo webpage that uses an insecure http:// address, please avoid using it and report it to our customer support team, because it may be an illegitimate and malicious website.
Do not write down your sensitive information (e.g. your password, PIN and card number), and do not store it unencrypted (in plain text) on your devices, so that it is not compromised if a device is lost or stolen.
We discourage the use of publicly accessible WiFi and Bluetooth connections and we recommend verifying that private WiFi connections are enforcing wireless encryption security standards such as WPA2 and WPA3.
Bad actors may try to obtain your password or login credentials through fraudulent emails, SMS or forged websites. This type of malicious activity typically includes links that redirect to a simulated website, which may prompt you to provide sensitive information. These sites often replicate the design of the original legitimate service and are purposely designed to steal your sensitive information: