How to choose the right card issuing provider: 5 technical essentials

Aleksandr Gornostal


The card payments industry is growing rapidly, fueled by the shift to online and mobile payments. Your processing and card issuance provider significantly impacts sales, customer acquisition, retention and growth. With so many in the market, including Marqeta, GPS and I2C, to name a few, how do you know which one to choose?

Figure: Card issuance ecosystem

From our work helping clients form sector partnerships and build digital banking products, we’ve seen that API review and technical evaluation are critical, and too often overlooked, parts of finding the right fit for now and for the future.

Here are five essentials to factor into your card issuance strategy and put to use from Day 1.

1. Go beyond surface-level features when reviewing platform capabilities

It’s imperative to thoroughly examine the functionality of a prospective card issuance system, especially when considering more cost-friendly options than major players like I2C, GPS, and Marqeta. For example, most companies want the ability to set spending controls. Just checking that this capability exists in the list of APIs is not enough. Instead, look for the specific functionality that aligns with your product goals. Is it the ability to allow spending of up to $500 per day? Or do you want to limit spending to certain merchant types, such as a business payment solution that would not allow transactions on entertainment? Or do you want both?

You need to answer these questions before selecting a card issuance service provider. Otherwise, you may have unexpected expenses related to building that feature yourself instead of getting it from your issuing provider.

2. Achieve PCI DSS compliance without touching sensitive data 

The Payment Card Industry Data Security Standard (PCI DSS) is mandated by card brands if a business operates with sensitive payment data such as a card number (often called PAN) and CVV. 

Many of our clients are SMEs focused on growing their businesses rather than undergoing a lengthy and expensive certification process. What should you do with limited time and resources?

Achieving PCI compliance is much easier if you can operate on sensitive payment data without ever touching it. 

Here are two ways to do that:

1. Check if your card issuer provides API flows allowing sensitive card data to bypass your servers. Often this can be done by issuing temporary client tokens on the back-end side, which can be used from a mobile application to obtain a full card number directly via the issuing platform API. 

Figure: Client token request flow

2. Many providers don’t have that API, but there’s another way to simplify PCI compliance: using tokenization solutions from vendors like VGS. Essentially, they provide two proxies that you install; any sensitive data is then tokenized on the way into your back-end system and detokenized on the way out.

Figure: PAN and CVV pass through a tokenization proxy on the way into the back end and through a detokenization proxy on the way out to the end-user app
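The client token flow from the first option, with both sides of the exchange, as an added example that is not code from the article or from any provider. `IssuerSandbox`, its two methods, the key and the card values are constructed stand-ins; a real issuing API will differ in names and token format.

```python
import secrets
import time

BACKEND_API_KEY = "sk_test_backend"   # constructed secret, lives only on your server

class IssuerSandbox:
    """Constructed in-memory stand-in for an issuing platform (hypothetical API)."""

    def __init__(self):
        # Well-known test PAN and a dummy CVV, not real card data.
        self._cards = {"card_123": {"pan": "4111111111111111", "cvv": "123"}}
        self._tokens = {}              # client token -> (card_id, expiry)

    def create_client_token(self, api_key, card_id, ttl_seconds=60):
        """Server-to-server call, authenticated with the secret API key."""
        if api_key != BACKEND_API_KEY:
            raise PermissionError("bad API key")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (card_id, time.monotonic() + ttl_seconds)
        return token

    def reveal_card(self, client_token, card_id):
        """Called by the mobile app directly; token is single-use and card-scoped."""
        scoped_card, expires_at = self._tokens.pop(client_token, (None, 0.0))
        if scoped_card != card_id or time.monotonic() > expires_at:
            raise PermissionError("invalid, expired or already used token")
        return dict(self._cards[card_id])

class Backend:
    """Your server: holds the API key and never receives PAN or CVV."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.seen = []                 # every value that crossed the back end

    def client_token_for(self, card_id):
        token = self.issuer.create_client_token(BACKEND_API_KEY, card_id)
        self.seen.append(token)
        return token

def mobile_app_show_card(backend, issuer, card_id):
    token = backend.client_token_for(card_id)   # app -> your back end
    return issuer.reveal_card(token, card_id)   # app -> issuer, bypassing your servers

def backend_saw_card_data(backend, card):
    return any(card["pan"] in value or card["cvv"] == value for value in backend.seen)
```

When evaluating a provider, the properties to confirm are the ones the stand-in enforces: the token is short-lived, usable once, and bound to a single card.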

3. Ensure an event subscription API is in place

There are many ways in which you can integrate with a processing partner. One approach we often recommend to our clients building sophisticated banking solutions is to synchronize account, card and transaction data to a database. 

This not only improves app performance (compared to proxying GET requests between mobile apps and the card issuing provider), but also makes all that data available for real-time analytics and business insights.

It's good when card issuing companies have an event subscription API, which is usually implemented as webhooks. In that case, you'd only need to subscribe to events (such as balance changed, new transaction, card shipping status changed, etc.) and store the data. Without such an API, in the worst-case scenario, you'll have to iterate through all financial accounts, poll for updates and check what has changed yourself.
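One way to store webhook events in a local database so that re-delivered and out-of-order events do not corrupt the synchronized state, as an added example that is not code from the article or from any provider. The event fields (`id`, `type`, `object_id`, `version`, `data`) and the sample deliveries are assumptions; check which identifiers and ordering guarantees your provider's events actually carry.

```python
import json
import sqlite3

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE events  (event_id TEXT PRIMARY KEY);
        CREATE TABLE objects (kind TEXT, object_id TEXT, version INTEGER, body TEXT,
                              PRIMARY KEY (kind, object_id));
    """)
    return db

def apply_event(db, event):
    """Store one webhook event; returns 'applied', 'duplicate' or 'stale'."""
    with db:   # dedupe marker and state change commit in one transaction
        cur = db.execute("INSERT OR IGNORE INTO events VALUES (?)", (event["id"],))
        if cur.rowcount == 0:
            return "duplicate"              # re-delivery of an event already stored
        kind = event["type"].split(".")[0]  # "card.shipping_status_changed" -> "card"
        row = db.execute(
            "SELECT version FROM objects WHERE kind = ? AND object_id = ?",
            (kind, event["object_id"])).fetchone()
        if row and row[0] >= event["version"]:
            return "stale"                  # arrived after a newer update
        db.execute("INSERT OR REPLACE INTO objects VALUES (?, ?, ?, ?)",
                   (kind, event["object_id"], event["version"],
                    json.dumps(event["data"])))
        return "applied"

def current(db, kind, object_id):
    row = db.execute("SELECT body FROM objects WHERE kind = ? AND object_id = ?",
                     (kind, object_id)).fetchone()
    return json.loads(row[0]) if row else None

SAMPLE_EVENTS = [   # constructed deliveries: out of order, then a duplicate
    {"id": "evt_2", "type": "card.shipping_status_changed", "object_id": "card_1",
     "version": 2, "data": {"status": "shipped"}},
    {"id": "evt_1", "type": "card.shipping_status_changed", "object_id": "card_1",
     "version": 1, "data": {"status": "printed"}},
    {"id": "evt_2", "type": "card.shipping_status_changed", "object_id": "card_1",
     "version": 2, "data": {"status": "shipped"}},
    {"id": "evt_3", "type": "account.balance_changed", "object_id": "acct_1",
     "version": 7, "data": {"balance_cents": 125_00}},
]
```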

If you are building a BNPL product or just want to manage accounts and balances yourself, look for Just-in-time (JIT) payments Webhooks. You'll be able to process card authorization events as best suits your payment solutions. For example, as a JIT payment is requested, you can run a quick credit check, verify the merchant and transaction and approve the purchase. 
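A JIT authorization decision that applies the two spending controls from the first essential (a $500 daily limit and a block on entertainment merchants), as an added example that is not code from the article or from any provider. The event fields, the chosen merchant category codes and the sample events are assumptions; a production handler would also run the credit and merchant checks mentioned above.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAILY_LIMIT_CENTS = 500_00                # "up to $500 per day"
BLOCKED_MCCS = {"7832", "7995", "7996"}   # cinemas, betting, amusement parks

class JitAuthorizer:
    """Decides JIT authorization requests; event fields are assumptions."""
    def __init__(self):
        self.spent = defaultdict(int)     # (card_id, UTC date) -> approved cents
        self.decided = {}                 # authorization id -> decision already sent

    def decide(self, event):
        # Assumption: the issuer may re-deliver a request after a timeout.
        # Answer the retry identically and never count its amount twice.
        if event["id"] in self.decided:
            return self.decided[event["id"]]
        day = datetime.fromtimestamp(event["ts"], tz=timezone.utc).date()
        key = (event["card_id"], day)
        amount = event["amount_cents"]
        if not isinstance(amount, int) or amount <= 0:
            decision = (False, "invalid_amount")
        elif event["mcc"] in BLOCKED_MCCS:
            decision = (False, "merchant_category_blocked")
        elif self.spent[key] + amount > DAILY_LIMIT_CENTS:
            decision = (False, "daily_limit_exceeded")
        else:
            self.spent[key] += amount     # count spend only on approval
            decision = (True, "approved")
        self.decided[event["id"]] = decision
        return decision

def replay(events):
    auth = JitAuthorizer()
    return [auth.decide(e) for e in events]

T0 = 1_700_000_000                        # 2023-11-14 22:13:20 UTC
SAMPLE_EVENTS = [                         # constructed, not real traffic
    {"id": "a1", "card_id": "c1", "mcc": "5411", "amount_cents": 300_00, "ts": T0},
    {"id": "a2", "card_id": "c1", "mcc": "5411", "amount_cents": 250_00, "ts": T0 + 60},
    {"id": "a1", "card_id": "c1", "mcc": "5411", "amount_cents": 300_00, "ts": T0 + 90},
    {"id": "a3", "card_id": "c1", "mcc": "5812", "amount_cents": 200_00, "ts": T0 + 120},
    {"id": "a4", "card_id": "c1", "mcc": "7995", "amount_cents": 10_00, "ts": T0 + 180},
    {"id": "a5", "card_id": "c1", "mcc": "5411", "amount_cents": 1, "ts": T0 + 240},
    {"id": "a6", "card_id": "c1", "mcc": "5411", "amount_cents": 400_00, "ts": T0 + 86_400},
]
```

Amounts are integer cents so the limit comparison is exact, and the day boundary is UTC; a provider-side control may use a different time zone or a rolling 24-hour window, which is worth asking about.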

4. Pay attention to API Authentication

Most card issuing and processing providers have at least key-based API authentication, which is what you need for server-to-server integration. One thing worth checking is whether they allow creating multiple keys. This will make it possible to implement zero-downtime key rotation.
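Why multiple keys matter for rotation, shown as a rolling deploy against a provider that allows two active keys and one that allows only one. This is an added example, not code from the article or from any provider; `IssuerKeys` and its methods are a constructed stand-in for a provider's key management.

```python
import secrets

class IssuerKeys:
    """Constructed stand-in for a provider's API-key management (hypothetical API)."""

    def __init__(self, max_keys):
        self.max_keys = max_keys           # 1 = provider allows a single key only
        self.active = set()

    def create_key(self):
        if len(self.active) >= self.max_keys:
            raise RuntimeError("key limit reached")
        key = "sk_test_" + secrets.token_hex(8)
        self.active.add(key)
        return key

    def revoke_key(self, key):
        self.active.discard(key)

    def authenticated(self, key):
        return key in self.active

def new_fleet(issuer, size):
    key = issuer.create_key()
    return [{"key": key} for _ in range(size)]

def rotate(issuer, fleet):
    """Rotate the key on every server; return how many requests failed meanwhile."""
    def failed_requests():                 # one request per server per step
        return sum(not issuer.authenticated(s["key"]) for s in fleet)

    old = fleet[0]["key"]
    try:
        new = issuer.create_key()          # overlap window: old and new both valid
    except RuntimeError:
        issuer.revoke_key(old)             # single-key provider: outage starts now
        new = issuer.create_key()
    failures = 0
    for server in fleet:                   # rolling deploy of the new key
        failures += failed_requests()
        server["key"] = new
    failures += failed_requests()          # confirm the whole fleet works on `new`
    issuer.revoke_key(old)                 # safe: nothing uses the old key any more
    return failures
```

With two keys the old one is revoked only after every server has switched, so no request fails; with one key every server still holding the old key fails until its turn in the deploy.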

Another authentication method we see being offered is OAuth2. However, it’s not the best way for server-to-server communication, as you will need to keep access tokens “fresh” in all places where you use them. Nonetheless, if you are looking for ways to build a digital wallet fast with a serverless approach and the card issuer has the functionality to become an authentication and identity provider for your users, then it’s a perfect authentication method to choose.

5. Check the sandbox environment has all the capabilities you need

Card issuing and processing providers will always give access to a sandbox environment, but will it include simulations for all scenarios you will want to implement?

From our experience, the answer is often No. For example, when implementing physical card issuance, simulating different card statuses (sent to a printer, printed, shipped, etc.) may not be possible. What that means for you is that you will be able to test some features only in a production environment, increasing the cost of defect detection.

Find the right card issuance provider for the long haul 

Your card issuance strategy impacts your product roadmap, user experience, compliance and go-to-market. Use these essentials to evaluate all potential and current vendors to find the right long-term partner who will give you the flexibility, support and tools to grow your business and run a successful card program. 

Aleksandr Gornostal
FinTech Solutions Architect at Star

Aleksandr is a FinTech Solutions Architect at Star with 15+ years of IT experience building web and mobile applications. For the last six years, he's worked with numerous FinTech products as a full-stack developer, team lead and software architect. At Star, his focus is helping clients craft powerful FinTech software tailor-made for their needs and long-term success.


© Copyright Star 2024. All rights reserved Privacy Policy
