Inside Gnosis Pay | How Crypto Payment Cards Work

If you’re building a payments system, considering launching a crypto card, or researching modern blockchain-based payment solutions — this post is for you.
We’ll break down how Gnosis Pay leverages a Gnosis Safe multisig wallet to power a Visa debit card, enforce permissions and limits, and handle transactions from on-chain stablecoins to off-chain settlement — all while keeping users fully in control of their funds.
Oh, and before we start, make sure to follow us on X for more deep dives.
So, What Is Gnosis Pay?
Gnosis Pay is a decentralized payment system — basically, a bridge between crypto and traditional finance that lets you pay with crypto anywhere Visa is accepted.
At the center of it is the Gnosis Pay Card, a Visa-issued debit card connected directly to your on-chain balance.
Now, you’ve probably seen crypto cards before — from Crypto.com, Coinbase, and a few others. But Gnosis Pay plays a different game. While most of those cards run through centralized processors that convert crypto to fiat before every transaction, Gnosis Pay keeps the logic on-chain.
Here’s what happens at a high level:
- You have an on-chain account (we’ll break down what kind later) that’s linked to your Gnosis Pay card.
- It holds stablecoins — euro, dollar, or pound equivalents.
- When you tap your card at a terminal, the system deducts those stablecoins directly from your blockchain account.
- To the merchant, it looks like a normal Visa payment — they get fiat in the end.
From your side, though, you’re spending stablecoins straight from the blockchain.
It feels like Web2, but runs on Web3 rails.
Before We Dive In
On paper, it sounds great — a regular Visa card that lets you pay with crypto. Feels like one of those “finally bridging TradFi and DeFi” moments – a step toward lowering the entry barrier for new users, something the industry’s been chasing for years. The simpler and more familiar the process, the more people are likely to actually use it. After all, anything that makes crypto payments feel familiar and frictionless should, in theory, help adoption.
But let’s be honest — we’ve seen many “crypto cards” before. So the real question is: does Gnosis Pay actually lower the entry barrier, or is it just another wrapper around the same idea?
Still, the interesting part isn’t the card itself, but how it works. What’s happening behind the scenes when you tap it at a terminal? How does crypto on-chain turn into fiat on the merchant’s side?
Let’s take it step by step.
Self-Custody: How Gnosis Pay Payment System Works
Gnosis Pay is self-custodial. That means the cardholder — and only the cardholder — controls their funds. Gnosis Pay itself never holds or manages them.
If you think about the simplest way to implement a crypto card:
- You build a backend that creates a wallet for each card and stores the keys.
- When the card is used at a terminal, the backend moves stablecoins from that wallet to pay the merchant.
This works, but it’s custodial. Storing keys centrally is risky — if the backend loses access, the user loses their funds. Even if the system never touches the money, holding keys in one place is a single point of failure.
Gnosis Pay avoids this by separating fund control from transaction execution. The system can deduct stablecoins from the user’s on-chain account during a payment without ever holding the funds itself.
This design is what makes Gnosis Pay different from other crypto cards and is the reason it’s called a self-custodial decentralized payment system.
Next, we’ll look at the actual architecture and see how the Gnosis Pay payment system executes transactions on-chain.
How the Gnosis Pay Payment System Handles Funds On-Chain
If you were wondering about the “abstract blockchain account” mentioned earlier, this is where it comes together: that account is actually a Gnosis Safe multisig wallet. This is the core of why the system can be called self-custodial.
Here’s how it works in practice:
- You own the multisig — and only you do. Technically, an externally owned account (EOA) acts as the owner of the Safe. This gives you full access to the funds as long as you control that EOA.
- The Gnosis Pay system is authorized to deduct stablecoins from your Safe, but you remain in control of the wallet.
It might sound contradictory — how can Gnosis Pay move funds if only I control the Safe? The key is that access is strictly limited:
- The system can only send transactions to a predefined treasury address within the Gnosis Pay infrastructure.
- Only the stablecoin associated with your card can be moved.
- Each transaction is bound by parameters and limits, including a daily spending cap set by the user.
In other words, the system cannot perform arbitrary transactions, and you retain ultimate control. It can only execute the specific transfer function needed to process card payments within the limits you set.
This design is what allows Gnosis Pay to operate as a self-custodial decentralized payment system: stablecoins are spent for transactions, but fund management and ownership always remain in the hands of the user.
How you control your Gnosis Pay multisig
First, this proves the point: the solution really is self-custodial. Second, and just to repeat, you are the owner, and at any moment you can revoke the system’s permission to move funds from your multisig. In other words, you can prevent Gnosis Pay from taking anything from your account whenever you want.
Looking ahead, it’s worth noting that as the owner, you will have some practical limits on interacting with your account. But to conclude on the self-custody point, and to show that it really works this way: you can always reconfigure your account, remove all restrictions for yourself, revoke all permissions granted to the system — that possibility exists.
Keep in mind, though, that if you reconfigure your multisig this way, the card will stop working until the account is set up again.
So, to sum it up: yes, at this stage it’s clear that the solution is truly self-custodial. That’s an important technical advantage in the implementation.
Breaking Down the Gnosis Pay Payment Process
Let’s go into a bit more detail on how a payment works, before looking at the technical implementation.
- Tap the card
  You place your Gnosis Pay card on a terminal.
- Transaction approval
  The system checks several things:
  - Are you really the cardholder? (authorization)
  - Are the transaction details correct?
  - Do you have enough stablecoins in your Gnosis Safe?
  - Have any daily or other limits been reached?
  All of these checks must pass for the transaction to be approved. If any fail, the operation is rejected.
- Stablecoin transfer
  Once approved, the Gnosis Pay system — with your permission — initiates a transfer of stablecoins from your Gnosis Safe to the system’s treasury address. This treasury is also a Gnosis Safe, but system-managed.
- Off-chain fiat settlement
  Visa handles delivering regular money to the merchant. Gnosis Pay reimburses Visa for the funds spent. The exact mechanics aren’t publicly detailed — from what I could gather, settlement seems to happen at the end of each day, but the exact process remains unclear.
This flow shows how the Gnosis Pay payment system connects on-chain funds to off-chain fiat payments, while keeping your account self-custodial.
Technical Challenges Behind Gnosis Pay
Now that we’ve looked at the payment process in more detail, let’s dig into the technical implementation and how the team arrived at it.
If you take a standard Gnosis Safe multisig as the blockchain account for the card — unmodified, as-is — a few problems appear.
Problem 1: Enforcing permissions and limits
What do we need from this account?
- It should store stablecoins.
- It should only allow the system to transfer those stablecoins, and only to a specific address.
- It should enforce daily limits.
Out of the box, a standard Safe doesn’t have this functionality. But these controls are necessary to make the system secure and functional.
Problem 2: Double-spending risk
Imagine this scenario: you tap your card, the transaction is approved, and then before the on-chain transfer completes, you move funds out of your Safe.
- Off-chain, the payment is already approved.
- On-chain, the transfer to the treasury fails because the funds are gone.
This creates a double-spending problem — the system needs to prevent it to ensure both safety and proper operation.
How Gnosis Pay Handles These Challenges
To solve these two issues, Gnosis Pay uses modules, smart contracts that sit on top of your Gnosis Safe multisig and extend its functionality.
The Safe itself covers the basics: storing funds, interacting with other contracts, verifying signatures, and more. As the owner, you can configure it further by adding modules with custom logic. This approach isn’t unique to Gnosis Pay — any self-custodial Safe account can be extended this way.
Modules allow a decentralized payment system to enforce rules like limiting transfers to specific addresses or setting daily spending caps, all without altering the underlying Safe.
What Modules Does a Safe Account Need for a Gnosis Pay Card?
The first module is called the Roles Module. Its purpose is to enable detailed permissions management — defining exactly what a given address can do, which method it can call, and with which parameters.

You don’t have to limit this to Gnosis Pay — the use cases can vary. For example, a subscription service: you might allow it to withdraw a specific number of tokens from your account every month.
Here’s how the process works on a technical level: the contract tracks roles. As the Safe owner, you can create multiple roles (they are simply numbered, so you need to map which number corresponds to which role — not very intuitive, but it works).
For each role:
- You can add members — addresses assigned to that role.
- You can define targets — the addresses these members are allowed to interact with.
When defining a target, you can specify additional parameters: function selectors, allowed arguments, whether standard transactions or only native transfers are allowed, and even whether delegatecall is permitted.
In the case of Gnosis Pay:
- When the Safe account is created, a role is assigned.
- Gnosis Pay is a member of that role.
- The target is the stablecoin contract, with all the parameters we discussed earlier.
With this module, the system can enforce fine-grained control over the Safe account while keeping it self-custodial.
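To make the scoping concrete, here is a simplified off-chain model of the checks described above (member, target, function selector, allowed argument, delegatecall flag, daily cap). It is an added example, not the Roles Module's contract code or anything from Gnosis Pay; the addresses, the Role class and its field names are assumptions made for illustration.

```python
from dataclasses import dataclass

TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC-20 transfer(address,uint256)
DAY = 86_400

# Constructed placeholder addresses, not real deployments.
STABLECOIN = "0x" + "11" * 20
TREASURY = "0x" + "22" * 20
SPENDER = "0x" + "33" * 20


def encode_transfer(to: str, amount: int) -> bytes:
    """ABI-encode transfer(to, amount): selector plus two 32-byte words."""
    addr_word = bytes.fromhex(to[2:]).rjust(32, b"\0")
    return TRANSFER_SELECTOR + addr_word + amount.to_bytes(32, "big")


@dataclass
class Role:                # hypothetical model, not the module's storage layout
    members: set
    target: str            # the only contract this role may call
    recipient: str         # the only allowed first argument of transfer()
    daily_cap: int         # token units per 24-hour window
    spent: int = 0
    window_start: int = 0

    def check(self, sender, to, value, data, delegatecall, now):
        """Return (allowed, reason); spend is recorded only when allowed."""
        if sender not in self.members:
            return False, "not a role member"
        if delegatecall:
            return False, "delegatecall not permitted"
        if to.lower() != self.target.lower():
            return False, "target not in scope"
        if value != 0:
            return False, "native value transfer not permitted"
        if len(data) != 68 or data[:4] != TRANSFER_SELECTOR:
            return False, "function not in scope"
        if data[4:16] != b"\0" * 12:
            return False, "malformed address argument"
        recipient = "0x" + data[16:36].hex()
        amount = int.from_bytes(data[36:68], "big")
        if recipient != self.recipient.lower():
            return False, "recipient is not the treasury"
        if now - self.window_start >= DAY:   # start a new daily window
            self.window_start, self.spent = now, 0
        if self.spent + amount > self.daily_cap:
            return False, "daily cap exceeded"
        self.spent += amount
        return True, "ok"
```

Every rejection path returns before any state changes, so a denied call never consumes part of the daily cap.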
How Does Gnosis Pay Prevent Double-Spending?
The double-spending problem is handled by another module called the Delay Module.
Its job is to prevent instant transactions from going through your Safe account. Gnosis Pay enforces a rule: there must be at least a 3-minute delay between registering a transaction and executing it. These are the restrictions we mentioned earlier — the ones you have to accept if you want to use the card.
Here’s how it works:
If you, as the Safe owner, want to move funds from your wallet, you don’t send the transaction directly to the Safe contract. Instead, you send it to the Delay Module. This registers the transaction — including collateral, target address, and your signature — and starts the 3-minute timer. Once the timer expires, the transaction can be executed.
It doesn’t have to be you who executes it; anyone can trigger the transaction, since it’s already signed.
Another important point: the Delay Module queues transactions sequentially. Execution happens in order — anyone can execute a transaction once its timer ends, but only the first transaction in the queue can be executed at a time. This ensures that, when paying with the card, the system can always check whether there are pending transactions in the queue, preventing double-spending.
Why Is the Delay Module Necessary?
You might wonder: why even bother with the timer? Couldn’t someone just create a withdrawal transaction, wait for the timer, and then try the same trick we were trying to prevent?
Gnosis Pay handles this by blocking the card if there’s a non-empty queue of on-chain transactions for your Safe wallet. During transaction approval, the system checks two things:
- Is the balance sufficient?
- Is the transaction queue empty?
If either check fails — as it would in the scenario above — card transactions are paused. This ensures the system isn’t vulnerable to simple timing attacks.
Another point: some transactions depend on the exact moment in time. They might be valid at one point, and invalid later. To handle this, Gnosis Pay sets a 30-minute expiration for each queued transaction. If a transaction hasn’t been executed within 30 minutes of becoming available, it expires and can be skipped.
This keeps the queue clean, prevents bottlenecks, and ensures no operations get permanently stuck.
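The timing rules above can be modelled in a few lines. This is an added example, not the Delay Module's contract code or Gnosis Pay's backend: the DelayedSafe class and its method names are hypothetical, expired entries are skipped automatically for brevity, and only the 3-minute cooldown, the 30-minute expiration, the in-order execution and the two approval checks come from the text.

```python
from dataclasses import dataclass

COOLDOWN = 3 * 60      # page: at least 3 minutes between registering and executing
EXPIRATION = 30 * 60   # page: expires 30 minutes after becoming executable


@dataclass
class QueuedTx:
    to: str
    amount: int
    queued_at: int


class DelayedSafe:     # hypothetical model of a Safe behind a delay queue
    def __init__(self, balance):
        self.balance = balance
        self.queue = []

    def enqueue(self, to, amount, now):
        """Owner registers a transfer; it cannot run until the cooldown ends."""
        self.queue.append(QueuedTx(to, amount, now))

    def _skip_expired(self, now):
        # An expired head is skipped so it never blocks later entries.
        while self.queue and now > self.queue[0].queued_at + COOLDOWN + EXPIRATION:
            self.queue.pop(0)

    def execute_next(self, now):
        """Anyone may call this; only the head of the queue can run."""
        self._skip_expired(now)
        if not self.queue:
            return "queue empty"
        head = self.queue[0]
        if now < head.queued_at + COOLDOWN:
            return "cooldown not elapsed"
        self.queue.pop(0)
        if head.amount > self.balance:
            return "failed: insufficient balance"
        self.balance -= head.amount
        return "executed"

    def authorize_card_payment(self, amount, now):
        """The two approval checks from the text: balance and empty queue."""
        self._skip_expired(now)
        if self.queue:
            return False, "pending transaction in delay queue"
        if amount > self.balance:
            return False, "insufficient balance"
        return True, "approved"
```

Because a queued withdrawal blocks card approvals for its whole cooldown, an owner cannot get a payment approved and then move the funds out before the treasury transfer lands.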
Linking the Safe to the Traditional Banking System
This is what the on-chain implementation of a Gnosis Pay card account looks like. There’s another side of the system that makes the card actually usable — the off-chain integration with Visa and bank transfers.
In short: the Safe is linked to your unique bank identifier, the IBAN (International Bank Account Number). According to Gnosis, once the card is issued, it is automatically linked to your Safe wallet.
This means that when euros arrive at your IBAN via a bank transfer, equivalent euro stablecoins are minted in your Safe wallet.
The card isn’t just for payments: like any debit card, you can withdraw cash from ATMs. All operations are subject to fees and limits. There are also features like cashback and referral programs, just like in traditional banking.
So, Does Gnosis Pay Really Lower the Barrier to Crypto?
This is the core question: can Gnosis Pay really bridge the gap between DeFi and traditional finance, and make crypto more accessible? On paper, it looks like it — everyone uses cards, after all.
To answer properly, we looked at what a user actually has to go through to get a Gnosis Pay card.
Step 1: EOA Setup
You need an EOA (Externally Owned Account) to manage your Safe wallet. That means you must have MetaMask or another wallet installed and connected. Nothing changes here — it’s standard crypto setup.
Step 2: Country Selection
You pick your country from the available list. If your country isn’t listed, you can request it be added. In practice, this may not matter much, because there’s a “Restricted Countries for Card Usage” section — your country must be allowed to use the card.
Step 3: KYC
KYC is handled through Gnosis Pay’s partner Fractal. The process requires:
- Registering via phone or email.
- Providing proof of residence (utility bills, insurance documents, property deeds — any document showing your address).
- Uploading your passport and a selfie for verification.
Approval can take from a few minutes to several hours. Once approved, you’re redirected back to the Gnosis Pay flow to verify your data, particularly your physical address, and confirm delivery details for the card.
Step 4: Card Payment
There’s a card issuance fee: your EOA must hold €30.23 to cover the card and delivery. If you don’t have it, you’re redirected to a crypto-to-stablecoin exchange.
So, while the setup process still requires a basic understanding of crypto and wallet management, the end result is seamless: once the card is active, you can use it like a normal debit card — even withdraw crypto instantly at an ATM. That’s the tangible bridge between decentralized finance and the everyday financial system.
Key Takeaways
- Self-custody: Funds remain entirely under the user’s control via a Gnosis Safe multisig wallet. Gnosis Pay does not hold or manage user funds.
- Stablecoin transactions: Payments are deducted directly from the user’s Safe on-chain. The system interacts with off-chain fiat networks (Visa) for settlement.
- Roles Module:
  - Defines granular permissions for addresses interacting with the Safe.
  - Limits the system to specific contracts and functions.
  - Supports configuration of transaction types, allowed arguments, and delegatecall permissions.
- Delay Module:
  - Introduces a minimum time delay between transaction registration and execution.
  - Queues transactions sequentially to prevent double-spending.
  - Automatically expires transactions after 30 minutes if unexecuted.
- Modular architecture:
  - Core Safe handles fund storage and signature verification.
  - Modules extend functionality without modifying the base contract.
  - Additional modules can implement rules like daily limits or automated withdrawals.
- Transaction control:
  - Only predefined transfers (e.g., to a treasury address) are permitted.
  - Daily spending limits and role-based permissions are enforced on-chain.
  - Users can revoke permissions at any time.
- Technical workflow:
  - Card tap triggers an authorization check.
  - System verifies cardholder, balance, and transaction limits.
  - Stablecoins are transferred to the treasury address via the modules.
  - Off-chain settlement occurs through Visa.
- Limitations:
  - Users must manage an EOA and Safe wallet.
  - KYC is required for card issuance.
  - Delay Module introduces a mandatory time buffer, affecting instant withdrawals.
About Rock’n’Block
We’re a Web3-native development studio. We help founders launch products faster, serve millions of users, and compete in the rapidly evolving blockchain space.
We deliver production-grade systems that combine deep technical knowledge with hands-on execution, ensuring your product works reliably at scale and meets both user and market expectations.