Protecting payments: How Moss secures spend execution and fights fraud

This article is part of our “Built for Trust” series, where leaders from Moss share how we approach security, reliability, and compliance across the platform—from card payments to data protection.
So far in this series, we’ve shared how Moss earns customer trust through regulatory strength and platform-level security design. But there’s another side to securing spend management. And it’s arguably the most visible one: payments.
Every day, thousands of card transactions, invoice approvals, and money transfers run through Moss. It’s our job to ensure each one is safe, legitimate, and properly authorised. That means keeping customer funds secure, minimising fraud risk, and educating users on the role they play in staying protected.
Step one: Keeping customer funds safe
Moss is a licensed electronic money institution under BaFin, Germany’s federal regulator. This license requires us to separate customer funds from Moss’ own assets, so your money is never exposed to business risk.
We hold customer funds securely with Deutsche Bank, in dedicated escrow accounts. That setup is reviewed not only by our own teams, but by:
- Our external auditors
- Deutsche Bank itself
- BaFin and the German Bundesbank
- The European Banking Authority
We often say, if we could monitor funds 25 hours a day, we would. But with this structure, we’re as close to that as possible.
Step two: Securing every card and transfer
Moss customers don’t just store funds with us; they spend them. This means that security has to extend to every transaction. We protect spend execution in several ways:
- Two-factor authentication for sensitive actions and card usage
- Real-time controls like card limits, merchant category blocking, and spending thresholds
- Configurable approval flows that ensure no one spends outside policy
- Detailed transaction logs to support audits and detect anomalies
And importantly, all of this is backed by our partnership with Mastercard, which brings world-class security features to every Moss-issued card.
“We don’t just give customers tools to spend—we give them tools to stay in control.”
Step three: Fighting fraud in real time
Once money is in motion, our job is to make sure every transaction stays legitimate, from authorisation to settlement. That means building defences that move as fast as the fraudsters do, combining automation, analytics, and human insight.
Behind the scenes, our risk team works hand-in-hand with Mastercard and Marqeta to monitor transactions and adapt to new threats in real time. The result is a system that stops fraud before it reaches the customer, while keeping genuine payments as seamless as ever.
Here’s how we do it:
- End-to-end protection: All payment data is encrypted, tokenised, and protected by role-based access controls, meeting the highest standards of SOC 2, ISO 27001, and GDPR compliance.
- Intelligent monitoring: Our fraud detection engine continuously scans transaction patterns using data from our back office, Metabase, and Marqeta to identify anomalies before they escalate.
- Adaptive fraud rules: Real-time controls can automatically block risky merchants, restrict transactions by region, or apply short time delays that frustrate rapid, high-volume attacks.
- App-based verification: Wallet tokenisation is now possible only through the Moss app, ensuring strong authentication when adding cards to Apple Pay or Google Pay.
- Mastercard protection: Every Moss card benefits from Mastercard’s global fraud and liability safeguards, offering customers additional assurance at the point of payment.
- Industry-leading performance: Moss maintains a fraud rate of just 0.01 percent, well below the market average, which allows us to reduce friction for trusted users without lowering our guard.
Fraud prevention at Moss is not about adding barriers. It’s about designing smarter guardrails. Ones that stay out of your way until they’re needed most.
Step four: Addressing the human factor
Most fraud doesn’t start with a system failure. It starts with a human mistake: clicking a phishing link, reusing a password, approving a fake invoice.
That’s why technical security is only part of the equation. At Moss, we take education and awareness seriously:
- We help customers set strong access policies from day one
- We explain how to use MFA and secure password tools
- We advise teams on how to avoid common phishing and social engineering attacks
- We offer documentation and resources to upskill non-technical users
No matter how strong the platform is, it’s only as secure as the people using it. And our job is to make those people better protected and better prepared.
Scaling security with AI and automation
As Moss grows, we’re investing heavily in scalable fraud detection. That means using AI and machine learning not as buzzwords, but as real tools to surface anomalies, automate transaction review, and respond to threats faster than human teams could.
Just as important, we’re building out transparent guardrails and control layers around these systems—so that automation doesn’t come at the cost of clarity.
Because whether it’s AI, payments infrastructure, or user permissions, our goal is always the same: protect the customer, and protect the trust they’ve placed in us.
Choose security you can trust and verify
If you’re evaluating spend management tools, don’t just ask “Is it secure?” Ask how. Ask where your data is hosted. Ask how funds are safeguarded. Ask what controls are in place to prevent mistakes or fraud.
At Moss, we’re proud that we don’t just answer those questions—we back them up. With certifications. With transparency. And with a platform built from the ground up to keep your business protected.