EST. 2012 CODEGO GROUP LTD · MALTA BANKING AS A SERVICE EU IBAN · 6 COUNTRIES SEPA · SEPA INSTANT · SWIFT PCI DSS CERTIFIED 2025 API FIRST · WEBHOOKS 79 COUNTRIES DEPOSITS MULTI-CURRENCY · EUR · GBP · USD $1.1BN PROCESSED 2025 EST. 2012 CODEGO GROUP LTD · MALTA BANKING AS A SERVICE EU IBAN · 6 COUNTRIES SEPA · SEPA INSTANT · SWIFT PCI DSS CERTIFIED 2025 API FIRST · WEBHOOKS 79 COUNTRIES DEPOSITS MULTI-CURRENCY · EUR · GBP · USD $1.1BN PROCESSED 2025
Codego · Glossary · est. 2012 Reference · Vol. XII · Issue 04/2026 ● 12 countries · Malta HQ
G·3

What is
card issuing?
White-label programmes explained.

Card issuing is the process by which a financial institution or its sponsored programme manager produces, distributes and operates payment cards on a scheme's rails — Visa, Mastercard, American Express, Discover, JCB or UnionPay. Issuing covers the full cardholder lifecycle: identity verification, card production, activation, authorisation, transaction processing, dispute handling and re-issue. This guide covers card issuing end-to-end and shows how modern white-label programmes compress what used to take twelve months into fifteen days.

01
The card lifecycle

The card lifecycle

Every card has a standard lifecycle that the issuing programme manages from end to end:

  1. Application and KYC. Cardholder submits identity documents, proof of address, sometimes income or beneficial-ownership data. The issuer verifies the documents (manual or liveness-based), runs sanctions and PEP screening, and assigns a risk score.
  2. Card creation. A primary account number is generated under one of the issuer's BIN ranges, expiry and CVV are set, the cardholder profile is registered with the scheme.
  3. Production and fulfilment. Virtual cards are activated immediately. Physical cards are produced — embossed or printed — and shipped to the cardholder.
  4. Activation. Cardholder confirms receipt, sets a PIN, enables the card for use.
  5. Authorisation. Each transaction triggers a real-time decision based on balance, merchant category, geographic location, scheme controls and the issuer's fraud rules.
  6. Settlement and clearing. Approved transactions settle daily through the scheme; the issuer is debited, the merchant's acquirer is credited, the cardholder's balance is updated.
  7. Disputes and chargebacks. Cardholder disputes — fraud, non-delivery, duplicate charges — flow through scheme-defined chargeback processes that the issuer manages.
  8. Re-issue and retirement. At expiry the card is replaced; if compromised, it is blocked and re-issued; at programme end, the card is retired.
02
Card types

Card types

Prepaid

Card balance held in a separate prepaid account, funds loaded before spending. Common for gift, payroll, expense and corporate disbursement programmes.

Debit

Card linked to a customer account or IBAN; spending immediately debits the balance. Standard for consumer neobank programmes and modern current accounts.

Credit

Spending against a credit line; balance repaid later. Requires the issuer to lend on balance sheet (banking licence). Less common in BaaS programmes.

Virtual

Card number issued in software with no physical artefact. Used for online-only spending, expense management, single-use payments. Issued in seconds.

Corporate

Programmes for businesses with controls — merchant category restrictions, spend limits, multi-user accounts. Codego expense cards covers this segment.

Crypto-funded

Card backed by stablecoin or on-chain balance, converted to fiat at authorisation. See white-label crypto card.

03
Processing rails and scheme certification

Processing rails and scheme certification

Every card programme runs on the rails of one or more card schemes — Visa, Mastercard, American Express, Discover, JCB, UnionPay. Each scheme requires programme certification: a structured technical and operational review covering authorisation, settlement, dispute processes, fraud controls and operational resilience. Certification is typically the longest-running task in a new card-programme launch and the one that BaaS providers compress most aggressively for partners.

EMV — Europay, Mastercard, Visa — is the chip-card standard that defines how physical cards interact with terminals. EMVCo, the consortium that owns the standard, certifies hardware and software stacks. Modern programmes also support contactless (NFC) and tokenised payments via Apple Pay and Google Pay, which require additional certification with the scheme tokenisation networks (VTS for Visa, MDES for Mastercard).

04
Compliance and security

Compliance and security

Card issuing operates under several overlapping compliance regimes:

  1. PCI DSS. The Payment Card Industry Data Security Standard governs how card data is stored, processed and transmitted. Issuers and processors are typically Level 1 — the most stringent — and audited annually.
  2. 3D Secure 2. Strong customer authentication for card-not-present transactions, mandated under PSD2 in the EU and in adoption globally.
  3. AML and sanctions. The cardholder onboarding flow runs full KYC, sanctions screening and PEP checks; ongoing transaction monitoring continues throughout the cardholder's life.
  4. Fraud monitoring. Issuer-side fraud rules — velocity checks, geolocation, device fingerprinting, behavioural analytics — block suspicious authorisations in real time.
  5. Scheme rules. Visa Core Rules, Mastercard Rules: hundreds of pages of operational and commercial requirements that change quarterly.
05
Integration patterns

Integration patterns

A modern card-issuing API exposes the lifecycle through a consistent set of endpoints: create cardholder, create card, fund balance, authorise (synchronous and webhook-driven), block, replace, close. Webhook-driven event streams keep the partner's systems in sync with the issuer's ledger in real time. Idempotency keys, sandbox environments and structured error responses are standard.

A typical integration covers: cardholder onboarding (KYC handoff), card creation and fulfilment, authorisation and settlement webhooks, chargeback notifications, balance reconciliation, scheduled reporting. Partners that already operate a banking ledger integrate against the events; partners that do not, run on the issuer's ledger directly.

06
Common pitfalls in launching a card programme

Common pitfalls in launching a card programme

  1. Underestimating certification. Scheme certification is the long pole. Self-service BaaS providers like Codego pre-certify BIN ranges so the partner inherits certification rather than running it from scratch.
  2. Ignoring chargeback economics. Chargebacks consume support headcount and erode interchange revenue. Programmes should design chargeback handling early.
  3. Inconsistent KYC across products. If a programme issues both cards and IBANs, KYC must be aligned: one onboarding flow, one risk view, one set of decisions.
  4. Neglecting Apple Pay / Google Pay. Cardholder activation is materially higher when wallets are supported on day one. Codego programmes ship Apple Pay and Google Pay activation within 24 hours.
  5. Underbuilt fraud controls. Default fraud rules are conservative; programmes that operate in higher-risk segments need tuning early to avoid loss spikes.
07
Frequently asked questions

Frequently asked questions

Q1.How long does it take to launch a card programme?
A self-service white-label programme on a modern BaaS provider — like Codego white-label card — is live in around fifteen days. Enterprise-led programmes with custom requirements typically take sixty to one hundred and twenty days. Building a programme from scratch under a new BIN takes twelve to twenty-four months.
Q2.Do I need a banking licence to issue cards?
No, not under BIN sponsorship. The sponsor's licence covers the regulated activity. Direct issuance — without sponsorship — requires the partner to itself be a scheme principal member or hold an electronic-money licence with direct scheme connections.
Q3.What is the difference between issuing and acquiring?
Issuing is the cardholder side: producing cards, managing cardholder balances, authorising and settling. Acquiring is the merchant side: signing up merchants, processing their card receipts, settling funds to their accounts. They are mirror functions of the same payment flow.
Q4.Can I issue cards in multiple countries from one programme?
Yes, depending on the issuer's licence and BIN coverage. Codego's pan-European passporting covers twelve countries directly. Programmes spanning more jurisdictions either use multiple sponsors or work with a sponsor that holds licences in the relevant regions.
Q5.What is interchange and how is it shared?
Interchange is the fee paid by the merchant's acquirer to the cardholder's issuer on each transaction, set by Visa and Mastercard rules and capped in the EU under the Interchange Fee Regulation. The sponsor and the programme manager split interchange under the sponsorship contract; share varies by volume and product type.
Q6.Can virtual and physical cards be issued from the same programme?
Yes. Modern card-issuing platforms manage both from a single API. Cardholders typically receive a virtual card immediately on onboarding and a physical card by post a few days later. Both share the same underlying account.
08
Related

Related

What is BaaS?

The broader infrastructure stack that card issuing sits inside.