The card payments industry is growing rapidly, fueled by the shift to online and mobile payments. Your card processing and issuance provider significantly impacts sales, customer acquisition, retention and growth. With so many in the market, including Marqeta, GPS and I2C, to name a few, how do you know which one to choose?
From our work helping clients form sector partnerships and build digital banking products, we’ve seen that APIs and technical evaluation are critical, and too often overlooked, parts of finding the provider that fits both now and in the future.
Here are five essentials to build into your card issuance strategy from Day 1.
1. Go beyond surface-level features when reviewing platform capabilities
Thoroughly examine the functionality of each prospective card issuance system, especially when weighing cheaper options against major players like I2C, GPS and Marqeta. Take spending controls, which most companies want. Checking that the capability appears in the list of APIs is not enough; look for the specific controls that match your product goals. Do you need a velocity limit, such as spending of up to $500 per day? Do you need to restrict spending to certain merchant types (merchant category codes), for example a business payment solution that blocks transactions at entertainment merchants? Or do you need both, enforced at authorization time rather than reported afterwards?
Answer these questions before selecting a card issuance service provider. Otherwise you may face unexpected expenses building and maintaining that feature yourself instead of getting it from your issuing provider.
2. Achieve PCI DSS compliance without touching sensitive data
The Payment Card Industry Data Security Standard (PCI DSS) is mandated by the card brands for any business that stores, processes or transmits cardholder data such as the card number (the PAN). The CVV is sensitive authentication data, which PCI DSS does not allow to be stored at all after authorization.
Many of our clients are SMEs focused on growing their businesses rather than undergoing a lengthy and expensive certification process. What should you do with limited time and resources?
Achieving PCI compliance is much easier if your product can work with sensitive payment data without your own systems ever storing, processing or transmitting it; the less of your environment that handles the PAN, the smaller the scope you have to certify.
Here are two ways to do that:
1. Check whether your card issuer provides API flows that keep sensitive card data off your servers. Often this is done by having your back end obtain a short-lived client token, which the mobile application then uses to fetch the full card number directly from the issuing platform API. Check that the token is scoped to a single card and user and expires quickly, and that the issuer enforces this rather than only documenting it.
2. Many providers don’t offer such an API, but there is another way to simplify PCI compliance: a tokenization solution from a vendor like VGS. Essentially they provide two proxies you route traffic through. The inbound proxy replaces sensitive fields with tokens before a request reaches your back-end system, and the outbound proxy swaps the tokens back for the real values on the way out to the issuer or processor. Your database only ever holds the tokens.
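As an added illustration of the proxy pattern in item 2 (example code written for this article, not VGS’s product or any provider’s API): an inbound proxy that swaps card numbers for random tokens before a request reaches the back end, and an outbound proxy that restores them on the way to the issuer. The vault, the token format and the field-scanning rules are assumptions; the Luhn check is there so that an unrelated 16-digit identifier in the same request is not mistaken for a PAN.

```python
import re
import secrets
from typing import Any, Dict, Optional

# Added example for this article: an in-memory tokenization proxy pair.
# The vault, the "tok_" token format and the field-scanning rules are
# assumptions for illustration, not VGS's implementation.

_PAN_SHAPE = re.compile(r"^\d{13,19}$")   # raw card numbers are 13 to 19 digits


def luhn_valid(number: str) -> bool:
    """Luhn checksum, so an unrelated 16-digit identifier is not treated as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: Any) -> bool:
    return isinstance(value, str) and bool(_PAN_SHAPE.match(value)) and luhn_valid(value)


class TokenVault:
    """Stand-in for the vendor's vault. Tokens are random, so a token reveals
    nothing about the PAN and cannot be reversed without the vault."""

    def __init__(self) -> None:
        self._tok_to_value: Dict[str, str] = {}
        self._value_to_tok: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        tok = self._value_to_tok.get(value)   # same PAN -> same token, so it stays joinable
        if tok is None:
            tok = "tok_" + secrets.token_hex(12)
            self._tok_to_value[tok] = value
            self._value_to_tok[value] = tok
        return tok

    def detokenize(self, tok: str) -> Optional[str]:
        return self._tok_to_value.get(tok)


def inbound_proxy(body: Dict[str, Any], vault: TokenVault) -> Dict[str, Any]:
    """Client -> proxy -> your back end. Every field that is a Luhn-valid card
    number is replaced by a token before your servers see the request."""
    out: Dict[str, Any] = {}
    for key, value in body.items():
        out[key] = vault.tokenize(value) if looks_like_pan(value) else value
    return out


def outbound_proxy(body: Dict[str, Any], vault: TokenVault) -> Dict[str, Any]:
    """Your back end -> proxy -> issuer/processor. Only here are tokens exchanged
    for the real values, so the PAN never passes through your own code."""
    out: Dict[str, Any] = {}
    for key, value in body.items():
        real = vault.detokenize(value) if isinstance(value, str) else None
        out[key] = real if real is not None else value
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed request; 4111111111111111 is the standard Luhn-valid test number,
    # while the order id is 16 digits but Luhn-invalid and must be left alone.
    request = {"pan": "4111111111111111", "name": "A. Smith", "order_id": "1234567890123456"}
    stored = inbound_proxy(request, vault)        # this is all your database ever holds
    print(stored)
    print(outbound_proxy(stored, vault))          # what the issuer receives
```

The CVV, which must never be stored after authorization, needs the same inbound treatment but with a token that the vault discards after a short time; that lifetime policy is the vendor’s, and the example above deliberately leaves it out.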
3. Ensure an event subscription API is in place
There are many ways to integrate with a processing partner. One approach we often recommend to clients building sophisticated banking solutions is to synchronize account, card and transaction data into your own database.
This not only improves app performance (compared to proxying GET requests from the mobile app through to the card issuing provider), but the data can also feed real-time analytics and business insights.
It helps when the card issuing company offers an event subscription API, usually implemented as webhooks. Then you only need to subscribe to events (balance changed, new transaction, card shipping status changed, and so on) and store the data. Without such an API, in the worst case you have to iterate over all financial accounts, poll for updates and work out what has changed yourself. When webhooks are offered, check how deliveries are authenticated (typically a signature over the payload) and whether retries can deliver the same event more than once, in which case your handler has to be idempotent.
If you are building a BNPL product, or simply want to manage accounts and balances yourself, look for just-in-time (JIT) funding webhooks. These let you process card authorization events as best suits your payment solution: when a JIT authorization request arrives, you can run a quick credit check, verify the merchant and transaction, and approve or decline the purchase. Check the response-time budget the issuer allows for these callbacks, because if you do not answer in time the issuer times out and applies its own default.
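As an added example of the JIT flow above combined with the spending controls from essential 1 (example code written for this article, not any issuer’s code; the signature header format, the payload fields and the MCC range are assumptions): a webhook handler that verifies the delivery signature against the current and the previous secret, answers a redelivered event with the same decision instead of counting it twice, and then applies a $500 per day velocity limit and a merchant-category block.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Tuple

# Added example for this article, not any issuer's code. The signature header
# "t=<unix>,v1=<hex hmac-sha256 over '<t>.<body>'>", the payload fields and the
# MCC range are assumptions; a real issuer documents its own formats.

DAILY_LIMIT_MINOR = 50_000          # $500.00 per card per day, in cents (no floats for money)
BLOCKED_MCC_RANGE = (7800, 7999)    # assumed here to be the amusement and entertainment group
MAX_SKEW_SECONDS = 300              # a signed timestamp older than this is treated as a replay


def make_delivery(secret: bytes, ts: int, event: dict) -> Tuple[bytes, str]:
    """Construct a signed delivery the way the (assumed) issuer would. Used here
    only to build sample input; in production the issuer does the signing."""
    raw = json.dumps(event, sort_keys=True).encode()
    mac = hmac.new(secret, str(ts).encode() + b"." + raw, hashlib.sha256).hexdigest()
    return raw, f"t={ts},v1={mac}"


class JitAuthorizer:
    def __init__(self, signing_secrets: List[bytes], now: Callable[[], float] = time.time):
        # Several secrets are accepted at once so a new webhook secret can be
        # rolled out while the old one is still in use; drop the old one afterwards.
        self.secrets = list(signing_secrets)
        self.now = now
        self.decisions: Dict[str, dict] = {}            # event_id -> decision (idempotency)
        self.spent: Dict[Tuple[str, str], int] = {}     # (card_id, day) -> approved minor units

    def verify_signature(self, raw_body: bytes, sig_header: str) -> bool:
        try:
            parts = dict(p.split("=", 1) for p in sig_header.split(","))
            ts = int(parts["t"])
            given = parts["v1"]
            if abs(self.now() - ts) > MAX_SKEW_SECONDS:
                return False
            msg = str(ts).encode() + b"." + raw_body
            return any(
                hmac.compare_digest(hmac.new(s, msg, hashlib.sha256).hexdigest(), given)
                for s in self.secrets
            )
        except (KeyError, ValueError, TypeError):
            return False

    def handle(self, raw_body: bytes, sig_header: str) -> dict:
        """Entry point for one webhook delivery; returns what the HTTP layer should answer."""
        if not self.verify_signature(raw_body, sig_header):
            return {"status": 401, "decision": None, "reason": "bad_signature"}
        event = json.loads(raw_body)
        event_id = event["event_id"]
        if event_id in self.decisions:
            # Retried delivery of an event already answered: repeat the answer,
            # never count the amount against the limit a second time.
            return self.decisions[event_id]
        decision = self._decide(event)
        self.decisions[event_id] = decision
        return decision

    def _decide(self, event: dict) -> dict:
        amount = int(event["amount_minor"])
        mcc = int(event["mcc"])
        day = time.strftime("%Y-%m-%d", time.gmtime(self.now()))
        key = (event["card_id"], day)
        if BLOCKED_MCC_RANGE[0] <= mcc <= BLOCKED_MCC_RANGE[1]:
            return {"status": 200, "decision": "decline", "reason": "mcc_blocked"}
        if self.spent.get(key, 0) + amount > DAILY_LIMIT_MINOR:
            return {"status": 200, "decision": "decline", "reason": "daily_limit"}
        self.spent[key] = self.spent.get(key, 0) + amount
        return {"status": 200, "decision": "approve", "reason": "ok"}


if __name__ == "__main__":
    old, new = b"whsec_old", b"whsec_new"
    auth = JitAuthorizer([new, old])
    now = int(time.time())
    # Constructed events; amounts are in cents, MCC 5411 is a grocery store.
    for i, (amount, mcc) in enumerate([(30_000, 5411), (25_000, 5411), (100, 7832)]):
        raw, hdr = make_delivery(new, now, {"event_id": f"evt_{i}", "card_id": "card_A",
                                            "amount_minor": amount, "mcc": mcc})
        print(auth.handle(raw, hdr))
```

The in-memory counters stand in for whatever store your real service uses; the point is that the dedupe check happens before the limit is updated, and that the signature is checked before the body is parsed at all.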
4. Pay attention to API Authentication
Most card issuing providers offer at least key-based API authentication, which is what you need for server-to-server integration. One thing worth checking is whether they allow more than one active key at a time. That makes zero-downtime key rotation possible: create the new key, switch your services over to it, then revoke the old one.
Another authentication method we see being offered is OAuth2. It is not the best fit for server-to-server communication, because you have to keep access tokens fresh everywhere they are used. However, if you are looking to build a digital wallet fast with a serverless approach, and the card issuer can act as the authentication and identity provider for your users, then it is the right method to choose.
5. Check the sandbox environment has all the capabilities you need
Card issuing and processing providers will always give you access to a sandbox environment, but will it include simulations for every scenario you want to implement?
In our experience the answer is often no. For example, when implementing physical card issuance, it may not be possible to simulate the different card statuses (sent to the printer, printed, shipped, and so on). That means some features can only be tested in production, which raises the cost of detecting defects.
Find the right card issuance provider for the long haul
Your card issuance strategy impacts your product roadmap, user experience, compliance and go-to-market. Use these essentials to evaluate all potential and current vendors to find the right long-term partner who will give you the flexibility, support and tools to grow your business and run a successful card program.