Virtual Card

What Is a Virtual Card?

A virtual card is a payment card that exists only in digital form. Like a physical credit or debit card, it has a 16-digit card number, an expiration date, and a CVV security code. The difference is that no plastic is ever produced: the card details are generated electronically and delivered through a mobile app, browser extension, or secure web portal.

Virtual cards function identically to physical cards when used for online or card-not-present transactions. The card number is submitted at checkout, the acquirer routes the transaction through Visa or Mastercard, the issuing bank authorizes or declines it, and settlement follows the standard payment settlement cycle. Merchants cannot distinguish a virtual card from a physical one.

The market for virtual cards has grown rapidly, with the global virtual card services market estimated at approximately $19 billion in 2024 and projected to exceed $60 billion by 2030. Business-to-business payments account for nearly 64% of total virtual card usage, driven by corporate expense management and accounts payable automation.

How It Works

Virtual card issuance relies on the same infrastructure as physical card issuance, with a few key differences in how the card number is generated and delivered.

The Issuance Flow

1. A user or company requests a new virtual card through their provider (a bank, fintech app, or card-as-a-service platform)
2. The provider generates a unique card number under a BIN (Bank Identification Number) assigned to the issuing institution
3. The card number is delivered instantly to the user via app, browser extension, or API response
4. The user enters the virtual card number at an online checkout or loads it into a digital wallet
5. The transaction is processed through the card network, authorized by the issuer, and settled through the standard clearing process

BIN Sponsorship

Most fintech companies issuing virtual cards do not hold direct card network memberships. Instead, they operate under a BIN sponsor: an established financial institution with a principal membership from Visa or Mastercard. The BIN sponsor provides the card network license, regulatory compliance umbrella, settlement services, and processing infrastructure. The fintech customizes the user experience, controls, and branding.

Modern card-as-a-service platforms (Marqeta, Lithic, Stripe Issuing) abstract this complexity behind APIs. A developer can integrate virtual card issuance with a few API calls:

// Example: Creating a virtual card via a card-issuing API
const card = await cardAPI.create({
  type: "VIRTUAL",
  currency: "USD",
  spendLimit: 50000,        // $500.00 in cents
  spendLimitDuration: "TRANSACTION",
  merchantLock: "amazon.com",
  state: "OPEN"
});

// Response includes card number, expiry, CVV
console.log(card.pan);      // 4242...1234
console.log(card.expMonth); // 12
console.log(card.expYear);  // 2027
console.log(card.cvv);      // 831

Tokenization and Security

Virtual cards are themselves a form of payment tokenization: each virtual card number acts as a restricted-use token that maps to a real funding source but is constrained by merchant, amount, time, or transaction count. This creates isolation between the underlying account and the merchant, so a data breach at one retailer cannot compromise other vendor relationships or the primary account.

Virtual cards can be further tokenized when provisioned into digital wallets like Apple Pay or Google Pay. In this case, the card network replaces the virtual card's PAN with a device-specific network token per the EMVCo Payment Tokenisation Specification, creating two layers of abstraction from the original funding source.

Single-Use vs Multi-Use Cards

Virtual cards fall into two categories based on their lifespan:

Single-use cards eliminate post-transaction exposure entirely: the card number becomes useless after settlement. Multi-use cards rely on merchant locks, spending caps, and expiration dates to manage risk over their active period.

Use Cases

Online Checkout and Consumer Protection

Consumers use virtual cards to protect their real card numbers when shopping online. Services like Privacy.com and Capital One Eno generate a unique virtual card per merchant, so if a retailer suffers a data breach, only that one virtual card number is exposed. The underlying account remains safe, and the compromised card can be closed instantly without disrupting other subscriptions or payment relationships.

Subscription Management

Assigning a dedicated virtual card to each subscription (SaaS tools, streaming services, recurring vendors) gives users granular control. Canceling a subscription is as simple as closing the card: no more forgotten charges from services you thought you canceled. Finance teams can track per-vendor spend and instantly cut off access when an employee leaves or a tool is deprecated.

Corporate Expense Control

Virtual cards embed spending policy directly into the payment instrument. Corporate card programs can enforce merchant category restrictions, per-transaction limits, daily and monthly caps, and automatic expiration. This eliminates the need for after-the-fact expense report reviews: out-of-policy purchases are blocked at the point of authorization.

For accounts payable automation, single-use virtual cards are generated per approved invoice, sent to vendors for one-time payment, and auto-closed after settlement. This approach streamlines reconciliation because each card number maps to exactly one invoice.

Crypto-Funded Virtual Cards

Crypto-funded virtual cards bridge the gap between cryptocurrency holdings and the traditional card payment network. Providers like Coinbase Card, Crypto.com, and BitPay issue Visa or Mastercard virtual cards funded by a user's crypto balance. For a deeper look at how fiat and crypto payment systems connect, see the research on crypto on/off-ramp infrastructure.

The transaction flow works as follows:

1. The user holds cryptocurrency (BTC, ETH, stablecoins) in the provider's wallet
2. At checkout, the user pays with the virtual card number
3. The card issuer checks the user's crypto balance and authorizes the transaction
4. The provider converts the required amount of crypto to fiat at the current exchange rate
5. Fiat is settled to the merchant through the card network
6. The equivalent crypto amount is debited from the user's balance

Stablecoin-funded cards can offer lower conversion fees since stablecoins like USDC maintain a 1:1 peg to USD, eliminating exchange rate volatility. Visa began settling with card issuers in USDC on Ethereum and Solana in 2023, and Mastercard has enabled stablecoin spending at over 150 million merchant locations through partnerships with major crypto platforms.

Why It Matters

Virtual cards represent a shift in how payment credentials are managed: from static, long-lived card numbers shared across dozens of merchants to dynamic, scoped tokens generated per transaction or vendor. This shift directly addresses the card-not-present fraud problem that costs merchants billions annually.

For crypto and Bitcoin users, virtual cards solve the "last mile" spending problem. Holding Bitcoin or stablecoins is straightforward, but spending them at merchants who only accept card payments requires an off-ramp. Crypto-funded virtual cards automate this conversion at the point of sale, making cryptocurrency practically spendable at any of the millions of merchants in the Visa and Mastercard networks. Platforms building on Bitcoin Layer 2 solutions like Spark can integrate virtual card issuance to give users instant fiat spending from their Bitcoin or stablecoin balances.

Risks and Considerations

Fraud Limitations

Virtual cards significantly reduce fraud from data breaches and card skimming, but they do not protect against all attack vectors. If a user enters a virtual card number on a phishing site, the card's security controls cannot prevent the initial fraudulent charge. Account credential compromise at the card provider level can also expose the ability to generate new cards. Virtual cards are a defense-in-depth measure, not a complete fraud solution.

Refund Complications

Single-use virtual cards that auto-close after a transaction can create difficulties when refunds are needed. If the card number no longer exists when the merchant processes a return, the refund may fail or require manual intervention. Most providers handle this by keeping closed cards eligible for inbound credits, but the experience is not always seamless.

Crypto Card Tax Implications

In most jurisdictions, spending cryptocurrency through a virtual card is a taxable event. Each transaction that converts crypto to fiat triggers a capital gains or losses calculation based on the difference between the acquisition cost and the value at the time of spending. Users must track every card transaction for tax reporting purposes, which adds complexity compared to spending fiat directly.

Interchange and Fee Structures

Virtual card transactions incur the same interchange fees as physical card transactions. For crypto-funded cards, additional fees may apply: conversion spreads (typically 0.5% to 3%), foreign currency charges, and network fees for the underlying crypto transfer. These costs can erode the value proposition compared to direct real-time payment rails that bypass card networks entirely.

PCI DSS Compliance

While virtual cards reduce PCI DSS compliance scope for merchants (tokenized numbers reduce the amount of sensitive card data in their systems), the card-issuing platform itself must maintain full PCI DSS compliance. For fintech companies building virtual card products, this means either obtaining certification directly or operating under a compliant BIN sponsor.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.