What This Template Is For
Card issuing is one of the most complex product domains in fintech. You are building on top of payment networks (Visa, Mastercard), working with BIN sponsors and processor partners, managing real-time authorization decisions, handling chargebacks, and complying with PCI-DSS at every layer. A missed edge case in authorization logic can mean fraudulent transactions going through or legitimate purchases being declined.
This template helps product managers spec out card issuing features for physical cards, virtual cards, or both. It covers card lifecycle management, authorization controls, spend rules, 3D Secure authentication, dispute workflows, and card program configuration. Whether you are building an expense management platform, a neobank debit card, or an embedded finance product with cards-as-a-service, this template gives you a structured starting point. Pair it with the financial product PRD for the full product context and the payment flow spec for the money movement layer.
How to Use This Template
- Copy the template into your documentation tool.
- Start with Card Program Configuration. Your BIN sponsor and processor determine what is technically possible.
- Define card types (physical/virtual) and their lifecycle states.
- Spec authorization controls and spend rules. These are the core product decisions.
- Define 3DS, dispute, and fraud flows.
- Review with engineering, the BIN sponsor, your processor, and compliance.
- Use the RICE Calculator to prioritize which card features to build first.
The Template
Card Program Configuration
| Field | Details |
|---|---|
| Program Name | [Name] |
| Author | [PM name] |
| Date | [Date] |
| Card Network | Visa / Mastercard / Both |
| BIN Sponsor | [Bank partner name] |
| Processor | [Marqeta / Galileo / Lithic / i2c / Stripe Issuing] |
| Program Type | Prepaid / Debit / Credit / Charge |
| Funding Model | Prefunded / Just-in-time (JIT) |
| Target Market | [Country/region] |
| PCI-DSS Level | Level 1 / Level 2 / Managed by processor |
Program economics:
| Revenue Stream | Expected Rate |
|---|---|
| Interchange revenue | [e.g. 1.5% of transaction volume] |
| Card issuance fee | [e.g. $5 per physical card] |
| Monthly card fee | [e.g. $0 or $2.99/month] |
| FX markup | [e.g. 1% on international transactions] |
| ATM fee | [e.g. $2.50 per non-network ATM] |
Card Types
Physical Cards
| Attribute | Specification |
|---|---|
| Card Material | PVC / Metal / Recycled |
| Design | Branded / Custom / Co-branded |
| Personalization | Embossed / Flat-printed / Laser-engraved |
| Chip | EMV contact + contactless (NFC) |
| Magnetic Stripe | Yes (fallback) / No |
| PIN | 4-digit, encrypted PIN block |
| Shipping | Standard (5-7 days) / Express (2-3 days) |
| Activation | App-based / IVR / SMS |
Virtual Cards
| Attribute | Specification |
|---|---|
| Card Number Format | 16-digit PAN |
| Provisioning Time | Instant (< 2 seconds) |
| Display | In-app card view with copy-to-clipboard |
| Digital Wallet | Apple Pay / Google Pay / Samsung Pay |
| Single-use Option | Yes / No |
| Merchant-locked Option | Yes / No |
Card Lifecycle
States:
CREATED → INACTIVE → ACTIVE → SUSPENDED → CLOSED
ACTIVE → LOST/STOLEN → REPLACEMENT_ISSUED → ACTIVE (new card)
ACTIVE → EXPIRED → RENEWAL_ISSUED → ACTIVE (new card)State transition rules:
| Transition | Trigger | Who Can Trigger |
|---|---|---|
| INACTIVE → ACTIVE | Card activation (app/IVR) | Cardholder |
| ACTIVE → SUSPENDED | Temporary freeze | Cardholder or Admin |
| SUSPENDED → ACTIVE | Unfreeze | Cardholder or Admin |
| ACTIVE → LOST/STOLEN | Report lost/stolen | Cardholder or Admin |
| LOST/STOLEN → REPLACEMENT | Replacement request | System (auto) or Admin |
| ACTIVE → CLOSED | Account closure | Admin only |
| ACTIVE → EXPIRED | Expiry date reached | System (auto) |
| EXPIRED → RENEWAL | Auto-renewal (if eligible) | System (auto) |
Card replacement logic:
- Lost/stolen: Issue new card with new PAN. Transfer digital wallet tokens.
- Expired: Issue new card with new PAN and new expiry. Migrate recurring merchant tokens.
- Damaged: Issue new card with same PAN (if possible) or new PAN.
Authorization Controls
Authorization is the core product decision engine. Every card transaction flows through your authorization logic in real-time (typically < 100ms response required).
Just-in-time (JIT) funding flow:
1. Cardholder taps/swipes card at merchant
2. Card network routes authorization request to processor
3. Processor sends webhook to your platform
4. Your platform evaluates spend rules (< 50ms)
5. Your platform responds: APPROVE or DECLINE
6. Processor relays decision to card network
7. Merchant receives approval/declineAuthorization decision inputs:
| Input | Source | Example |
|---|---|---|
| Transaction amount | Network message | $42.50 |
| Merchant category code (MCC) | Network message | 5812 (Restaurants) |
| Merchant name | Network message | "UBER EATS" |
| Merchant country | Network message | US |
| Available balance | Your ledger | $500.00 |
| Card status | Your system | ACTIVE |
| Spend rules | Your system | Max $200/day |
| Fraud signals | Fraud provider | Risk score 0.15 |
Spend Rules
Rule types:
| Rule | Parameters | Example |
|---|---|---|
| Daily limit | Amount per 24h period | $500/day |
| Transaction limit | Max single transaction | $1,000 per transaction |
| Monthly limit | Amount per calendar month | $5,000/month |
| MCC allowlist | Permitted merchant categories | Only 5411 (Grocery), 5812 (Restaurant) |
| MCC blocklist | Blocked merchant categories | Block 7995 (Gambling), 5993 (Tobacco) |
| Country allowlist | Permitted countries | US, CA, GB only |
| Country blocklist | Blocked countries | Block high-risk jurisdictions |
| Merchant lock | Single merchant only | Only "Amazon.com" |
| Time window | Active hours | Mon-Fri 9am-6pm only |
| Channel | Transaction type | Online only / POS only / ATM disabled |
Rule evaluation order:
1. Card status check (active?)
2. Balance check (sufficient funds?)
3. Velocity checks (daily/monthly limits)
4. MCC rules (allowed category?)
5. Geography rules (allowed country?)
6. Time rules (within active window?)
7. Fraud score check (below threshold?)
8. Custom business rules
9. APPROVE or DECLINE with reason codeDecline reason codes:
| Code | Reason | User-facing Message |
|---|---|---|
INSUFFICIENT_FUNDS | Balance too low | "Insufficient funds" |
CARD_FROZEN | Card is suspended | "Card is temporarily frozen" |
SPEND_LIMIT_EXCEEDED | Hit velocity limit | "Daily spending limit reached" |
MCC_BLOCKED | Merchant category blocked | "This merchant type is not allowed" |
COUNTRY_BLOCKED | Transaction in blocked country | "International transactions are disabled" |
FRAUD_SUSPECTED | High fraud risk score | "Transaction declined for security" |
3D Secure (3DS) Authentication
| Setting | Value |
|---|---|
| 3DS Version | 3DS2 (preferred) with 3DS1 fallback |
| Challenge Preference | No preference / No challenge / Challenge |
| Authentication Methods | Push notification / SMS OTP / Biometric |
| Exemptions | Low value (< $30) / Trusted beneficiary / Recurring |
3DS flow:
1. Cardholder initiates online purchase
2. Merchant sends 3DS authentication request
3. Your system evaluates risk (frictionless vs. challenge)
4. If frictionless: authenticate silently, return success
5. If challenge: send push notification to cardholder app
6. Cardholder approves in app (biometric or PIN)
7. Return authentication result to merchant
8. Merchant proceeds with authorizationDispute and Chargeback Handling
Dispute workflow:
TRANSACTION → DISPUTED (cardholder reports) → UNDER_REVIEW
UNDER_REVIEW → PROVISIONAL_CREDIT_ISSUED → INVESTIGATION
INVESTIGATION → RESOLVED_IN_FAVOR (credit permanent)
INVESTIGATION → RESOLVED_AGAINST (provisional credit reversed)
INVESTIGATION → ESCALATED (representment to network)Dispute categories:
| Category | Network Reason Code Range | SLA |
|---|---|---|
| Fraud (unauthorized) | 10.1-10.5 | Provisional credit within 1 business day |
| Not received | 13.1-13.3 | Investigation within 10 business days |
| Not as described | 13.4-13.7 | Investigation within 10 business days |
| Duplicate charge | 12.6 | Provisional credit within 3 business days |
| Cancelled recurring | 13.8 | Provisional credit within 3 business days |
Dispute intake fields:
- ☐ Transaction ID (pre-populated from transaction history)
- ☐ Dispute reason (dropdown by category)
- ☐ Description (free text, max 500 chars)
- ☐ Supporting documents (photo upload, max 3 files)
- ☐ Expected resolution (refund / replacement / investigation)
Fraud Prevention
| Layer | Mechanism |
|---|---|
| Pre-authorization | Velocity checks, MCC/country rules, device fingerprinting |
| Real-time | ML fraud scoring, behavioral biometrics, location matching |
| Post-authorization | Transaction monitoring, pattern detection, alert review |
| User controls | Instant freeze, transaction alerts, channel toggles |
Fraud alert triggers:
- ☐ Transaction in a new country (first-time)
- ☐ Transaction > 3x average transaction amount
- ☐ Multiple declined attempts in 5 minutes
- ☐ Card-not-present transaction after recent card-present in a different city
- ☐ Transactions at 3+ merchants within 10 minutes
Cardholder Notifications
| Event | Channel | Timing |
|---|---|---|
| Transaction approved | Push | Real-time |
| Transaction declined | Push | Real-time |
| Card shipped | Push + Email | On shipment |
| Card activated | Push | On activation |
| Spend limit approaching | Push | At 80% of limit |
| Suspicious activity | Push + SMS | Real-time |
| Statement ready | Push + Email | Monthly |
| Card expiring | Push + Email | 30 days before |
Reporting and Admin
Cardholder dashboard:
- ☐ Transaction history with search and filters
- ☐ Spending breakdown by category
- ☐ Monthly statement generation (PDF)
- ☐ Card details view (masked PAN, expiry, CVV reveal)
- ☐ Spend rule management interface
- ☐ Dispute submission and tracking
Admin dashboard:
- ☐ Card inventory management
- ☐ Bulk card issuance
- ☐ Spend rule templates
- ☐ Transaction search and investigation tools
- ☐ Dispute queue and resolution workflow
- ☐ Program-level analytics (volume, interchange, fraud rate)
- ☐ Cardholder account management
Compliance Requirements
| Requirement | Standard | Status |
|---|---|---|
| PCI-DSS | Level 1 or managed by processor | [Status] |
| KYC | Identity verification before card issuance | [Status] |
| AML | Transaction monitoring and SAR filing | [Status] |
| Reg E (US) | Error resolution and provisional credits | [Status] |
| SCA (EU) | Strong Customer Authentication for online | [Status] |
Review the fintech compliance checklist for a full regulatory audit. Refer to the glossary entry on compliance for definitions of key regulatory terms.
Launch Checklist
- ☐ BIN sponsor agreement signed and program ID assigned
- ☐ Processor integration tested end-to-end (auth, clearing, settlement)
- ☐ JIT funding webhook response time < 100ms at P99
- ☐ Spend rules engine validated against 100+ test scenarios
- ☐ 3DS authentication flow tested with major merchants
- ☐ Physical card fulfillment and shipping tested
- ☐ Digital wallet provisioning tested (Apple Pay, Google Pay)
- ☐ Dispute workflow tested with all reason code categories
- ☐ Fraud rules calibrated (false positive rate < 5%)
- ☐ Cardholder notifications tested across all channels
- ☐ PCI-DSS audit completed (or processor attestation obtained)
- ☐ KYC/AML integration verified
- ☐ Admin dashboard reviewed by operations team