Manage Cards
Once a card is issued, the cardholder and the business owner maintain full control over its lifecycle and security settings. This includes handling replacements, managing PINs, controlling activation, and applying fraud risk limits, all designed to align strictly with Saudi Central Bank (SAMA) regulatory requirements.
1. Replace or Cancel a Card
If a card is reported lost, stolen, damaged, or compromised, follow this standardized flow to issue a replacement securely.
SAMA Notification Rules
Saudi regulations require issuers to suspend compromised cards immediately upon receiving a report and to notify the customer via SMS with a reference number.
If a card is lost, stolen, damaged, or compromised in any other way, it can be replaced or permanently canceled. To replace a compromised card, first receive the request through an approved channel and securely authenticate the user via OTP, biometrics, or device binding. Immediately suspend the existing card by blocking all POS, e-commerce, ATM, and digital wallet transactions. Next, issue a replacement card with a new PAN, CVV, and expiry date, ensuring it remains linked to the existing account balance and retains the previous card controls. Following SAMA regulations, you must notify the customer of the reissuance via a real-time SMS alert. Finally, ensure the new card remains completely locked until the customer explicitly activates it through an authenticated channel.
2. Change PIN
Secure PIN management is a critical feature, especially for mada debit, prepaid, and payroll cards.
HSM Encryption Standards
PIN-related operations must never expose sensitive authentication data at the endpoint. PINs must be encrypted and stored exclusively inside secure HSM infrastructure.
To securely change a card PIN, the customer first authenticates into your mobile app or web portal and selects the PIN update option from the card management interface. They must then pass a step-up authentication challenge, such as an OTP or biometric scan, before entering a new 4-digit PIN that adheres to local Saudi banking standards (excluding sequential, reused, or obvious personal numbers). Once submitted, the new PIN is securely updated across the mada host, issuer, and card processors using a secure HSM encryption flow, followed immediately by a notification to the customer detailing the timestamp, device, channel, and a brief security reminder.
3. View Card Details
Because Primary Account Numbers (PANs) and CVVs are highly sensitive, Vrtx provides secure methods to display this information to your users.
PCI DSS Standards
Card data must be handled strictly in accordance with PCI DSS requirements to prevent unauthorized exposure.
- Vrtx UI Elements: Use our drop-in SDKs to securely render the PAN and CVV directly within your application. Sensitive data never touches your backend servers.
4. Card Statuses
A card's operational status dictates whether it can successfully authorize transactions.
| Status | Description |
|---|---|
| ACTIVE | The card is open, active, and ready to transact. |
| FROZEN | Temporarily disabled by the user or platform. All transactions will decline. |
| BLOCKED | Disabled by Vrtx due to suspected fraud, compliance issues, or risk triggers. |
| CANCELED | Permanently deactivated and closed. This action cannot be undone. |
5. Limits and Controls
Vrtx enables platforms to programmatically configure advanced spending controls. These features help mitigate fraud, enforce internal corporate policies, and maintain comprehensive oversight. Controls can be applied globally at the Card Program level or granularly on an individual Card level.
Velocity Limits
Set strict transaction amount and frequency caps within defined timeframes (e.g., maximum SAR 5,000 per day, or 5 transactions per hour) to prevent excessive spending.
MCC Blocking
Automatically approve or decline transactions based on Merchant Category Codes (MCC), ensuring cards are only used at authorized business types.
Transaction Controls
Restrict card usage to Saudi Arabia or specific international regions. You can also toggle specific channels on or off (e.g., e-commerce, contactless, or card-present).
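The following sketch is an added example, not Vrtx's API or code. It shows how the card status, channel and region controls, MCC blocking, and velocity limits described above can combine into a single authorization decision. All names (`Controls`, `Txn`, `authorize`, `replay`) and decline reasons are hypothetical; it assumes rolling 1-hour and 24-hour windows and that only approved transactions count toward velocity.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

@dataclass(frozen=True)
class Controls:  # hypothetical shape for illustration, not the Vrtx API
    daily_amount_cap: Decimal = Decimal("5000")    # SAR, rolling 24 h (assumed window)
    hourly_count_cap: int = 5                      # approvals per rolling hour
    blocked_mccs: frozenset = frozenset({"7995"})  # constructed sample: betting
    allowed_countries: frozenset = frozenset({"SA"})
    enabled_channels: frozenset = frozenset({"card_present", "contactless"})

@dataclass(frozen=True)
class Txn:
    at: datetime
    amount: Decimal
    mcc: str
    country: str
    channel: str

def authorize(status, controls, history, txn):
    """Return (approved, reason); history holds previously approved Txns."""
    if status != "ACTIVE":                     # FROZEN, BLOCKED, CANCELED all decline
        return False, "card_" + status.lower()
    if txn.channel not in controls.enabled_channels:
        return False, "channel_disabled"
    if txn.country not in controls.allowed_countries:
        return False, "country_not_allowed"
    if txn.mcc in controls.blocked_mccs:
        return False, "mcc_blocked"
    # Velocity: count only earlier approvals that fall inside each rolling window.
    day = [t for t in history if timedelta(0) <= txn.at - t.at < timedelta(hours=24)]
    hour = [t for t in day if txn.at - t.at < timedelta(hours=1)]
    if len(hour) + 1 > controls.hourly_count_cap:
        return False, "velocity_count"
    if sum((t.amount for t in day), Decimal(0)) + txn.amount > controls.daily_amount_cap:
        return False, "velocity_amount"
    return True, "approved"

def replay(status, controls, txns):
    """Run txns in order; declined ones do not consume velocity budget."""
    history, reasons = [], []
    for txn in txns:
        ok, reason = authorize(status, controls, history, txn)
        if ok:
            history.append(txn)
        reasons.append(reason)
    return reasons
```

In a real authorization path the history read and the append must be atomic per card, otherwise two concurrent requests can each pass a cap that their sum exceeds.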