RD Virtual Card

Security is the baseline of RDVCC Virtual Card, not a marketing line

We take no shortcuts with users' identity data, card numbers or funds ledgers. Below is what we actually do today, not vague promises.

Encryption

  • Sensitive fields like card number / CVV: AES-256-GCM field-level encryption
  • Passwords: bcrypt 12-round one-way hashing, irreversible
  • Transport: TLS 1.2+ enforced, HSTS preload
  • Keys stored separately + versioned (key_version), rotation supported
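A sketch of how field-level AES-256-GCM with a key_version tag and rotation can fit together. This is an added example, not RDVCC's code: the envelope layout, the in-memory keyring and the names encryptField, decryptField and rotateField are assumptions, and the card number used with it is a constructed test value.

```javascript
const crypto = require('node:crypto');

// Constructed demo keyring (key_version -> 32-byte key). Real keys belong in
// a KMS or secret store, separate from the database that holds the ciphertext.
const KEYRING = new Map([
  [1, crypto.randomBytes(32)],
  [2, crypto.randomBytes(32)],
]);
const CURRENT_VERSION = 2;
const GCM = { authTagLength: 16 }; // reject truncated tags

// Envelope: key_version (1 byte) | nonce (12) | tag (16) | ciphertext, base64.
// `aad` names the row and column, so a ciphertext copied into another record
// fails authentication instead of decrypting.
function encryptField(plaintext, aad, version = CURRENT_VERSION) {
  const key = KEYRING.get(version);
  if (!key) throw new Error(`unknown key_version ${version}`);
  const nonce = crypto.randomBytes(12); // fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce, GCM);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const header = Buffer.from([version]);
  return Buffer.concat([header, nonce, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(envelope, aad) {
  const buf = Buffer.from(envelope, 'base64');
  if (buf.length < 29) throw new Error('envelope too short');
  const key = KEYRING.get(buf[0]);
  if (!key) throw new Error(`unknown key_version ${buf[0]}`);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, buf.subarray(1, 13), GCM);
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(buf.subarray(13, 29));
  // final() throws if the tag, AAD or ciphertext does not match.
  return Buffer.concat([decipher.update(buf.subarray(29)), decipher.final()]).toString('utf8');
}

// Rotation: rows written under an old key_version are re-encrypted lazily.
function rotateField(envelope, aad) {
  if (Buffer.from(envelope, 'base64')[0] === CURRENT_VERSION) return envelope;
  return encryptField(decryptField(envelope, aad), aad);
}
```

Because the version travels with each value, old and new keys can coexist during a rotation and a row never has to be decrypted by trial.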

Authentication & Sessions

  • Two-layer JWT sessions: database sid + JWT payload
  • Password change / account close → all sessions revoked immediately
  • Separate admin cookie: sameSite=strict, 8-hour TTL
  • TOTP 2FA coming (user side + admin side)
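How a database sid inside the JWT payload makes immediate revocation possible, as an added example (not RDVCC's code). The in-memory Map stands in for the sessions table, and the names login, authenticate and revokeAllSessions, the HS256 choice and the claim names are assumptions.

```javascript
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // constructed demo signing key
const sessions = new Map();            // stand-in for the sessions table: sid -> { userId }
const b64u = (x) => Buffer.from(x).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Layer 1: create the session row. Layer 2: issue a JWT that carries its sid.
function login(userId, ttlSeconds = 3600, now = Date.now()) {
  const sid = crypto.randomUUID();
  sessions.set(sid, { userId });
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const exp = Math.floor(now / 1000) + ttlSeconds;
  const body = b64u(JSON.stringify({ sub: userId, sid, exp }));
  return `${head}.${body}.${b64u(sign(`${head}.${body}`))}`;
}

// Returns the user id, or null if the signature, expiry or sid check fails.
function authenticate(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = sign(`${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    // The algorithm is pinned; the header is checked, never used to choose one.
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
    claims = JSON.parse(Buffer.from(body, 'base64url'));
  } catch {
    return null;
  }
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) return null;
  const row = sessions.get(claims.sid); // a valid signature alone is not enough
  return row && row.userId === claims.sub ? claims.sub : null;
}

// Password change or account close: drop every session row for the user.
function revokeAllSessions(userId) {
  let revoked = 0;
  for (const [sid, row] of sessions) {
    if (row.userId === userId) { sessions.delete(sid); revoked++; }
  }
  return revoked;
}
```

A token that is still correctly signed and unexpired stops working the moment its row is deleted, which a stateless JWT on its own cannot offer.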

Funds Safety

  • Standard double-entry bookkeeping: assets + expenses = liabilities + equity + revenue
  • PostgreSQL BEFORE INSERT trigger enforces debit-credit balance
  • user_balance trigger forbids negative values (prevents over-deduction)
  • Real-time reconciliation on the admin dashboard, automatic alerts on fund drift
  • Daily automatic reconciliation of sub-accounts + card limits + ledger integrity
  • Account balance refundable to USDT on request anytime; on-chain fees covered by the platform

Compliance Boundaries

  • Upstream licensed issuers
  • Cardholder information completed before card issuance (compliance requirement)
  • Cash-out, prohibited industries, grey business and money laundering are strictly forbidden (accounts in violation are frozen immediately)
  • On-chain top-up addresses that hit blacklists are blocked immediately
  • We cooperate with lawful law-enforcement investigation requests

Audit

  • Tamper-proof audit logs for all admin actions (reason required)
  • Sensitive user actions (password change, KYC submission, card close) written to user_activity_log
  • Full logs of upstream API calls (api_logs table)
  • Audit logs kept 18 months, KYC 5+ years, transactions 7 years

Infrastructure

  • Hong Kong CN2 servers (accelerated access from mainland China)
  • Cloudflare DNS + Bot Management
  • ufw firewall: only ports 47131 (SSH), 80 and 443 open
  • SSH key-auth only + fail2ban
  • Automatic system security updates; critical services auto-restarted by PM2

5 things you can do

The platform covers 80%; do these last 5 things and your account will rarely run into trouble.

  1. Use a password of 8+ characters mixing letters, digits and symbols; don't reuse it across sites;
  2. Use your primary email (no throwaway email) — 3DS codes are delivered there;
  3. Enable 2FA (once it launches);
  4. Split cards by use: separate cards for ad accounts / subscriptions / overseas shopping to reduce single-point risk;
  5. Support will never ask for your password / OTP / card number — anyone who does is a scammer.

Report a security issue

If you find any security vulnerability, privacy issue or compliance risk in RDVCC Virtual Card, please report it via [email protected]. We promise:

  • First response within 24 hours, a handling timeline within 48 hours;
  • A public acknowledgement list after the fix (optional);
  • No legal action over responsible disclosure (malicious attacks excluded);
  • Extra thanks for critical vulnerabilities (amount negotiated by severity).

Related documents: Privacy Policy · AML Policy · KYC Policy

Data storage & backup strategy

RDVCC's data storage uses a three-tier "primary / replica / backup" architecture, balancing availability, disaster recovery and compliance:

  • Primary: PostgreSQL 16 on a Hong Kong CN2 node. Sustains 100+ tps writes, AES-256-GCM field-level encryption.
  • Read replicas: one on the same node + one off-site. Used for reporting and reconciliation, reducing primary load.
  • Encrypted backups: automatic daily backups to cloud storage, kept off-site for 90 days + monthly archives for 5 years. Backup files are encrypted separately (keys independent from the primary), so a breach of the cloud storage alone does not let an attacker decrypt them.
  • RTO / RPO: target RTO ≤ 4 hours (disaster recovery), RPO ≤ 15 minutes (maximum data loss). A full disaster-recovery drill every quarter.

User best practices for account security

Platform security is only part of the picture — user-side practice matters just as much. We strongly recommend:

  • ① Enable 2FA (two-step verification). Account Settings → Security → enable TOTP verification (Google Authenticator / Authy). Once on, a leaked password alone is not enough for an attacker to log in.
  • ② Use a strong password + never reuse it. Your RDVCC password should differ from your passwords elsewhere. Use a password manager (1Password / Bitwarden) to generate 16+ character random passwords.
  • ③ Set an independent limit per card. Set daily / monthly limits at 1.2× your actual budget. Even if a card number leaks, losses stay capped.
  • ④ Review transactions regularly. Check your in-account transaction details weekly; on anything unusual, freeze the card immediately and contact support.
  • ⑤ Beware of phishing. RDVCC will never ask for your password / SMS code via email / SMS. The only login entry is rdvcc.com — verify the URL and the HTTPS certificate.

Start your global spending on compliant, secure rails

1 USDT per card · field-level encryption · 7-year audit retention