Card issuing sits at the foundation of every card payment. Without an issuer, there is no card to swipe, tap, or enter at checkout. Understanding how card issuing works—and who controls each layer—is essential for any merchant, fintech founder, or payments engineer building a modern payment stack.
How Card Issuing Works
The card issuing process involves multiple regulated parties coordinating in real time. From program setup to a cardholder completing a purchase, each step must satisfy both card-network rules and local regulatory requirements before a single transaction can clear.
Establish a Bank Sponsorship or License
A company wishing to issue cards must either obtain its own banking license or partner with a licensed sponsor bank through a banking-as-a-service arrangement. The sponsor bank holds the regulatory relationship with the card network and assumes ultimate liability for the card program.
Secure a BIN Range
The card network assigns a Bank Identification Number (BIN)—the first six to eight digits of every card number—to the issuer. This BIN routes authorization requests back to the correct issuer processor for every transaction made with that card.
Configure Spending Controls and Program Rules
The program manager defines the card product: credit, debit, or prepaid; single-use or multi-use; merchant category restrictions; spending limits; and currency support. These rules are loaded into the issuer processor before any cards are activated.
Onboard Cardholders with KYC Verification
Before issuing a card, the issuer must verify cardholder identity to satisfy Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements. The depth of verification varies by card type: prepaid low-value products may require minimal checks while credit products demand full credit underwriting.
Produce and Deliver the Card
Physical cards are manufactured by card bureaus and personalized with the cardholder's name, card number, expiry, and CVV before delivery. Virtual cards are generated instantly via API and delivered digitally—as a card number, expiry, and CVV—without any physical production.
Authorize and Settle Transactions
When a cardholder makes a purchase, the merchant's acquirer sends an authorization request through the card network to the issuer. The issuer approves or declines in milliseconds based on available balance, spending rules, and fraud signals. Funds are settled—typically within one to two business days—net of interchange fees.
Why Card Issuing Matters
Card issuing is not a niche banking function—it underpins trillions of dollars in global commerce every year. The scale and economics of card programs make issuing one of the most commercially significant activities in the payment industry.
According to the Nilson Report, global card payment volume surpassed $45 trillion in 2023, with cards accounting for more than 40% of all consumer payment transactions worldwide. US card issuers collectively earn an estimated $90 billion annually in interchange revenue, making interchange the largest single revenue stream in retail banking. Meanwhile, the virtual card market is projected to grow at a compound annual rate above 20% through 2030, driven by corporate expense management platforms and B2B accounts payable automation—segments where instant card issuance offers decisive operational advantages over legacy payment methods.
These figures reflect a structural shift: card issuing is no longer the exclusive domain of large banks. Fintech platforms, retailers, and SaaS companies are now launching their own card programs to capture interchange revenue, increase customer engagement, and embed financial services directly into their core product.
Interchange Economics
For every card transaction, the merchant's acquirer pays an interchange fee to the card issuer. On a typical US consumer credit card, interchange is 1.5%–2.4% of the transaction value. This fee structure means that high-spending customer segments—travel, corporate—generate significantly more interchange income per cardholder than everyday debit users.
Card Issuing vs. Card Acquiring
These two roles are frequently confused because both involve card networks and transaction processing. However, they serve opposing parties in every payment and carry entirely different risk profiles, licensing requirements, and revenue models.
| Dimension | Card Issuing | Card Acquiring |
|---|---|---|
| Serves | Cardholder (payer) | Merchant (payee) |
| Primary function | Funds the transaction; manages cardholder account | Accepts the transaction; settles funds to merchant |
| Revenue source | Interchange fees, card fees, interest | Merchant discount rate (MDR), gateway fees |
| Risk held | Credit risk, fraud liability, chargeback liability | Merchant fraud, settlement risk |
| Regulatory license | E-money institution, bank charter, or BaaS sponsorship | Payment institution license or acquiring bank charter |
| Key partners | Card networks, issuer processors, KYC providers | Card networks, payment gateways, fraud tools |
| Typical margin | 0.2%–2.4% of transaction (interchange) | 0.1%–0.5% of transaction (net MDR after interchange) |
Types of Card Issuing
Card programs vary significantly by product structure, intended use case, and the regulatory framework they operate under. Understanding the major categories helps merchants and fintech teams choose the right program design for their customers.
Credit card issuing extends a revolving line of credit to the cardholder. The issuer earns interchange on every purchase plus interest on unpaid balances. Credit issuing requires the most rigorous underwriting and carries the highest regulatory burden.
Debit card issuing links directly to a deposit account. Funds are pulled from the cardholder's balance at authorization. Debit interchange is regulated in many markets—under the Durbin Amendment in the US, large bank debit interchange is capped at roughly $0.22 per transaction.
Prepaid card issuing loads a fixed balance onto the card before use. Prepaid cards require no credit check and suit payroll, government disbursements, and loyalty programs. They are also the most accessible product for non-bank program managers to launch.
Virtual card issuing generates card credentials on demand via API without physical plastic. Virtual cards are ideal for B2B payments, online subscriptions, and travel booking, where instant issuance and per-transaction spending controls reduce fraud and simplify reconciliation.
Corporate and fleet card issuing creates cards for employee expense management or vehicle fleets. These programs typically layer merchant category code (MCC) restrictions, per-transaction limits, and real-time spend visibility on top of a standard card product.
White-label and co-brand card issuing lets non-bank brands—airlines, retailers, tech platforms—distribute cards carrying their own branding while a bank sponsor handles the regulatory and processing infrastructure.
Tokenization is increasingly integrated into all card types, replacing the primary account number with a network token for digital wallet and in-app payments, reducing card-not-present fraud exposure for issuers.
Best Practices
Executing a card issuing program well requires discipline at both the product and technical layers. Mistakes at either level can result in compliance failures, poor cardholder experience, or significant financial losses.
For Merchants
- Define your interchange strategy early. The card product type, cardholder segment, and network determine your interchange tier. Model revenue projections before committing to a program manager or sponsor bank.
- Design KYC flows for conversion, not just compliance. Overly aggressive identity checks at onboarding destroy activation rates. Work with your legal team to calibrate verification depth to actual regulatory risk, not worst-case assumptions.
- Build chargeback management from day one. Issuer liability for chargebacks can erode interchange income quickly if dispute workflows are not automated. Set dispute time limits as alerts and assign ownership before launch.
- Plan for card replacement cycles. Physical cards expire every two to four years. Build re-issuance campaigns into your cardholder lifecycle to prevent forced churn at expiry.
For Developers
- Use network tokenization for digital channels. Storing raw PANs creates PCI scope. Network tokens improve authorization rates and reduce fraud losses on card-on-file and wallet transactions.
- Implement idempotency on card creation endpoints. Duplicate card issuance can occur during network retries. Every card creation API call should include a unique idempotency key to prevent double issuance.
- Instrument authorization decline codes. Declines contain diagnostic data—insufficient funds, card blocked, invalid CVV—that should feed real-time cardholder communications and fraud analytics pipelines.
- Test velocity controls in staging before go-live. Spending limits and MCC blocks are easy to misconfigure. Simulate edge cases—split tickets, refunds, partial authorizations—in a sandbox before issuing production cards.
Common Mistakes
Even well-funded card programs make avoidable errors that delay launch or create long-term operational problems.
1. Underestimating BIN sponsorship complexity. First-time program managers often assume a sponsor bank relationship is a simple vendor contract. In practice, the sponsor bank conducts its own due diligence, imposes ongoing compliance monitoring, and can terminate the program at will. Negotiate governance terms—exit clauses, BIN portability, data ownership—before signing.
2. Ignoring network rules in favor of sponsor guidance. Visa and Mastercard operating regulations run to hundreds of pages and are updated quarterly. A sponsor bank may interpret rules differently than the network enforces them. Program managers should obtain and read the relevant operating rules directly rather than relying solely on sponsor summaries.
3. Launching physical and virtual cards simultaneously. Card bureau production, packaging, fulfillment, and PIN management add complexity that has derailed many launches. Launching virtual-only first lets teams validate the core product—authorization, controls, dispute handling—before absorbing physical card operational overhead.
4. Setting interchange expectations from US benchmarks in non-US markets. US interchange rates are among the highest globally. In Europe, consumer credit interchange is capped at 0.3% and debit at 0.2% under the Interchange Fee Regulation. Revenue models built on US assumptions will fail in European markets.
5. Skipping real-time transaction webhooks. Many card issuing APIs offer webhooks for authorization events. Programs that skip webhook integration and poll for transactions instead create latency in fraud decisioning and cardholder notifications—two areas where delays directly increase losses and reduce trust.
Card Issuing and Tagada
Card issuing programs generate high transaction volumes across multiple payment rails, acquirers, and geographies. As programs scale, routing decisions—which processor handles which authorization, which fallback fires when a primary route fails—become operationally critical.
Tagada's payment orchestration layer sits between your card issuing infrastructure and your downstream payment processors. For platforms running both card issuing and merchant acquiring, Tagada can normalize transaction data across providers, apply intelligent routing rules, and surface unified analytics across the full payment stack—without requiring changes to your issuer processor integration.
Teams building embedded card programs often find that their issuing processor handles authorization well but lacks flexibility in reporting, retry logic, and multi-provider settlement. Tagada fills that orchestration gap, letting card program operators route, monitor, and optimize payment flows independently of any single processor dependency.