B2B and accounts payable
Single-use virtual cards are eating into ACH and check volume for supplier payments. B2B is projected to make up only 1% of virtual credit card transaction count by 2026 but 71% of the total transaction value, according to Versapay's research. The dollars are where the action is.
Interchange revenue drives adoption from the AP automation side. A 2025 Omega Venture Partners guide puts virtual card interchange at 1.5% to 3% of transaction value, with AP automation vendors keeping 0.5% to 1% as their share. On a billion dollars of processed volume, that's $7.5 million in pure software-margin revenue for the platform, on top of subscription fees. AvidXchange and Bill.com run programs on this economic logic.
Embedded finance and BaaS
Non-financial platforms now embed virtual card issuing to give their users branded cards without becoming a bank. Vertical SaaS for clinics and gig platforms for delivery drivers use the same building blocks. Shopify Balance and Lyft Direct are public examples. The platform owns the user relationship and the card-level data. Regulatory exposure sits with the BIN sponsor, while the processor runs the rails.
For these companies, virtual card issuing operates as a product surface. It deepens the customer relationship and turns interchange into a margin line that subsidizes the rest of the software.
Security and compliance considerations
A virtual card issuing program sits inside a stack of obligations that don't disappear just because the card is digital. PCI DSS scope is the foundation. If the program manager never touches the PAN, scope shrinks dramatically. If it does, the audit covers every system that handles cardholder data, from applications to the vault.
Know Your Customer (KYC) and Know Your Business (KYB) requirements come from the sponsor bank and apply to every cardholder. Network rules from Visa and Mastercard add another layer for branding and chargeback handling. The fintech program manager owns the customer-facing parts. The processor owns transaction processing and PCI controls on the vault. The sponsor bank owns the regulatory license and ultimate liability.
Fraud controls run on top of all of this:
-
3D Secure (3DS) authentication for card-not-present transactions, which shifts chargeback liability to the issuer. Visa data shows authenticated transactions have roughly 45% lower fraud than non-authenticated eCommerce transactions.
-
Velocity rules that decline based on transaction count, amount, or geography over a rolling window
-
Dynamic CVVs that rotate on a schedule, so a leaked card record expires before it gets used
-
MCC blocklists and merchant allowlists enforced at authorization
Visa CNP fraud data, reported by the Kansas City Fed, shows card-not-present fraud rates climbing from 14.3 basis points in 2013 to 16.9 basis points in 2015 on dual-message networks. That trend is what made tight authorization-time controls table stakes for virtual card programs.
Choosing an issuing partner
Picking a provider is where most fintech teams underestimate the long-term cost. The API demo is the easy part. The hard part is what happens 18 months in, when you've built around a processor's quirks and you want to renegotiate or switch.
The criteria that actually matter:
-
API quality and documentation depth, including sandbox parity with production and webhook reliability
-
Supported geographies and currencies, because expanding from the US to the EU means a new BIN and a new sponsor bank, with processor coverage determining the route
-
BIN ownership, which determines who controls the program if the partnership ends
-
Settlement terms and how funding flows between your operating account, the sponsor, and the network
-
Interchange share and rebate structure, especially for B2B programs where this is the revenue model
-
Compliance support, including how the processor handles disputes, chargebacks, and regulator inquiries
Lock-in is the quiet risk. Migration of an active card portfolio between processors requires new card issuance and wallet credential retokenization, and it can take a year once sponsor-bank renegotiation is included. Ask vendors directly what a migration off their platform looks like. The answer reveals more than any pitch deck.
Good evaluation questions to bring to a vendor call: What's your authorization latency at the 99th percentile? Who holds the BIN? What's the rebate split on commercial spend? How do you handle PCI scope for our application? Which sponsor banks are you certified with, and can we switch sponsors without leaving your platform?
Where virtual card issuing is headed
The next phase pushes virtual card issuing further into programmable territory. Cross-border issuing is becoming routine as processors stitch together multiple BIN sponsors under one API. Stablecoin-funded cards are scaling fast. Crypto-funded cards processed roughly $18 billion annualized by late 2025, more than double the year-earlier level, and Visa carried over 90% of that volume.
Agentic AI is the more disruptive shift. Autonomous agents that purchase on behalf of users need scoped, single-use credentials with tight controls, and that's exactly what virtual card issuing produces. Mastercard's Agent Pay and Visa's Trusted Agent Protocol both treat the virtual card as the trust boundary between the user and the agent. Network tokenization tightens further so each agent session can be authenticated and revoked independently.
The through-line is that cards are becoming payment primitives. Programmable, scoped, disposable, and addressable through an API. If your team is evaluating where virtual card issuing fits, ask whether your funding stack and compliance posture are ready to treat payments as software, with engineering bandwidth in place to support that shift.
Conclusion
Virtual card issuing has moved from a payments curiosity to a core piece of fintech infrastructure because it lets product teams build payment behavior the same way they build the rest of their software. The decisions that matter are about scope, partners, and what you're willing to own versus outsource. Get those right, and the cards themselves become the easy part.
EGS provides resilient fintech infrastructure that supports virtual card issuing programs, from processor integration and PCI scope reduction to sponsor bank coordination and ongoing compliance. If your team is scoping a new card program or rethinking an existing one, reach out to our team for a working session on architecture and vendor selection, with go-live planning covered in the same discussion.