Security at GeraCash
Last updated 23 April 2026
GeraCash is a digital wallet for cross-border money movement, so security is the product. This page describes the controls in place today and the standards we hold ourselves to. It is intentionally specific — we would rather be useful than vague.
Encryption
All traffic between your device and GeraCash uses TLS 1.2 or higher with modern ciphers; older protocols are disabled at the load balancer. Sensitive data at rest (wallet balances, transaction history, KYC documents, payment-method tokens) is stored in encrypted databases and object storage with provider-managed keys (AES-256 under the hood). Backups are encrypted with the same posture and replicated across at least two regions.
PCI DSS posture
Card numbers, CVVs and expiry dates never reach GeraCash servers in raw form. Card entry happens inside a PCI-certified payment processor's hosted fields; we hold only an opaque token tied to the wallet. This keeps GeraCash's scope narrow and lets us inherit the processor's annual Level 1 attestation. As we onboard new processing partners we re-validate scope and update the security overview.
Two-factor authentication
2FA is mandatory. We support TOTP (any standard authenticator app), FIDO2/WebAuthn hardware keys, and SMS as a fallback for markets where neither is widely available. You will be prompted on every new-device login, every withdrawal, every transfer that exceeds your daily threshold, and any change to a security setting (password, email, phone, recovery key). High-risk events trigger step-up authentication regardless of recent 2FA.
Device fingerprinting
Every session is bound to a device profile (browser, OS, screen, network characteristics). New devices appear in your account's device list and trigger an email and push alert. You can revoke a device at any time from your security settings; revocation invalidates the refresh token immediately and forces re-auth.
Transaction limits
Limits are tiered to your KYC level and country. Unverified accounts can hold and receive funds but cannot withdraw or send beyond a low daily ceiling. Verified individuals get higher daily and monthly limits; verified businesses have configurable limits set during onboarding. Exceeding a limit triggers a hard stop, not a silent reject — you see exactly what is blocked and how to lift it.
Fraud monitoring
Every transaction is scored in real time against device, IP, geolocation, velocity, behavioural patterns, sanctions lists and known-fraud signals. Low-risk transactions clear instantly. Medium-risk transactions trigger step-up authentication. High-risk transactions are held for manual review with an SLA of one business hour. We never auto-approve transactions that fail our risk model.
PSD2 strong customer authentication
For payments initiated from EU and UK users, we apply Strong Customer Authentication (SCA) under PSD2 and the FCA equivalent: two factors from knowledge (password), possession (device with TOTP or WebAuthn), and inherence (biometric on supported devices). Low-value and recurring exemptions are applied only where the regulation explicitly permits.
Reporting a vulnerability
Security researchers can report findings to [email protected]. We acknowledge within one business day, triage within five, and publish a fix timeline. We will not pursue good-faith security research that respects user privacy and avoids service disruption.
Frequently asked questions
Is GeraCash PCI DSS certified?
GeraCash is built to PCI DSS Level 1 architectural standards. Card data never touches our servers in raw form — payment instruments are tokenised through a PCI-certified payment processor. Annual external assessment is in progress as we onboard each new processing partner.
What two-factor authentication options do you support?
TOTP authenticator apps (Google Authenticator, 1Password, Authy), hardware security keys (FIDO2/WebAuthn), and SMS as a fallback. 2FA is mandatory on every login from a new device and on every withdrawal, transfer above the daily threshold, and any change to security settings.
How does GeraCash detect fraud?
Every transaction is scored in real time against device fingerprint, IP reputation, geolocation, behavioural patterns, and known fraud signals. High-risk transactions are held for step-up authentication or manual review. We do not auto-approve transactions that fail our risk model.
What happens if my account is compromised?
Notify [email protected] immediately or use the in-app "Lock account" toggle. We freeze the wallet, reverse pending transactions where possible, audit the device list, and reset credentials. Funds held in segregated accounts at our partner banks are protected by the partner institution's safeguarding rules.