
Virtual Card

Checkbook offers the capability to generate and manage prepaid virtual cards, providing a secure and flexible payment method for various online and potentially offline transactions. Virtual cards are digital, temporary card numbers linked to your funding source, offering enhanced control and reduced risk compared to using your primary card details. Common use cases for virtual cards include:

Secure Bill Payment: Protect your primary card details when paying vendors online.

Employee Spending: Issue virtual cards with pre-set limits for employee expenses, enhancing budget control.

One-Time Payments: Generate a virtual card for a single purchase to a less familiar vendor.

Limits

There is a daily spend limit of $100,000 per virtual card. While this is the card-level maximum, Checkbook limits still apply.

Types

Standard

Standard virtual cards are a secure and convenient payment method for online and in-person card-based transactions. These digital card numbers provide enhanced security by acting as a proxy for your primary funding source, offering greater control over spending. Standard virtual cards typically have pre-defined spending limits and expiration dates set at the time of creation.

Just-In-Time

JIT virtual cards are dynamically generated, single-use or limited-use virtual card numbers. Unlike traditional virtual cards with pre-defined limits and expiration dates, JIT cards require real-time authorization from your application before a charge is approved:

Card Presentment

A user attempts a transaction using a JIT virtual card number issued by Checkbook.

Webhook Trigger

Checkbook’s system intercepts the transaction attempt and immediately sends a webhook notification to a pre-configured endpoint in your application.

Real-Time Decisioning

Your application receives the webhook, which contains detailed information about the transaction attempt, including:

  • Transaction amount
  • Merchant information
  • User information
  • Timestamp
  • Other contextual data

Authorization Response

Your application processes this information in real time, applies your custom rules and fraud logic, and sends a response back to Checkbook.io via the webhook. This response indicates whether to:

  • Approve the transaction
  • Partially authorize the transaction
  • Decline the transaction

⚠️ Warning

Your application has 1.5 seconds to respond to the webhook notification. Timeouts and non-2XX response codes are automatically declined.
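
The sketch below is an added example, not Checkbook's code: it shows one way to structure the decision logic behind the webhook endpoint so that it always answers inside the 1.5-second window and fails closed when a rule is slow or throws. The payload and response field names (amount_cents, merchant_id, decision, approved_cents), the merchant allow-list, the per-transaction cap and the 1.0-second internal budget are assumptions for illustration; take the real names from Checkbook's API reference.

```python
import concurrent.futures as cf

DEADLINE_S = 1.5   # response window stated on this page
BUDGET_S = 1.0     # assumed internal budget, leaving headroom for network latency
assert BUDGET_S < DEADLINE_S
_POOL = cf.ThreadPoolExecutor(max_workers=4)

# Hypothetical policy values, constructed for this example.
ALLOWED_MERCHANTS = {"ACME-SUPPLIES", "CLOUD-HOSTING"}
PER_TXN_CAP_CENTS = 50_000


def decide(event, risk_check):
    """Apply custom rules to one transaction attempt (field names are assumed)."""
    amount = event.get("amount_cents")
    # Reject missing, non-integer, boolean or non-positive amounts outright.
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        return {"decision": "decline", "reason": "bad_amount"}
    if event.get("merchant_id") not in ALLOWED_MERCHANTS:
        return {"decision": "decline", "reason": "merchant_not_allowed"}
    if not risk_check(event):  # may be slow, e.g. a fraud-score lookup
        return {"decision": "decline", "reason": "risk"}
    if amount > PER_TXN_CAP_CENTS:
        # Partial authorization: approve only up to the cap.
        return {"decision": "partial", "approved_cents": PER_TXN_CAP_CENTS}
    return {"decision": "approve", "approved_cents": amount}


def handle_webhook(event, risk_check, budget_s=BUDGET_S):
    """Return (http_status, body) within budget_s, declining on any failure."""
    future = _POOL.submit(decide, event, risk_check)
    try:
        return 200, future.result(timeout=budget_s)
    except cf.TimeoutError:
        # Answer with an explicit decline instead of letting the window lapse.
        return 200, {"decision": "decline", "reason": "internal_timeout"}
    except Exception:
        # A bug in rule code must never turn into an approval.
        return 200, {"decision": "decline", "reason": "internal_error"}
```

Logging the decline reason alongside the transaction makes it possible to tell policy declines apart from declines caused by your own latency or errors.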

Displaying Card Numbers

Checkbook offers four distinct methods for displaying virtual card numbers to end users, each catering to different integration needs and compliance considerations. The best method for displaying virtual card numbers depends on your application’s requirements, desired user experience, development resources, and PCI compliance posture. Utilizing Checkbook’s widgets or the recipient experience are generally recommended for minimizing compliance burden and ensuring secure handling of sensitive card data.

Recipient Experience

When a virtual card is intended for a specific recipient (e.g., for a payout or expense), Checkbook can handle the secure display of the virtual card details through its own recipient experience. This involves a secure link sent to the end user via email or SMS. This approach requires minimal integration and ensures PCI data remains secure.

Widget

Checkbook provides pre-built UI components (widgets) that can be embedded directly into your application’s web or mobile interface. These widgets are specifically designed for the secure and compliant display of virtual card numbers, expiration dates, and CVV/CVC codes. They offer an integrated viewing experience within your application while ensuring secure data handling. This simplifies PCI compliance for card data display as the sensitive information is rendered within Checkbook’s secure iframe, minimizing your application’s direct interaction with it.

In-App Push Provisioning

In-app push provisioning involves directly provisioning the virtual card details into the end user’s mobile wallet (e.g., Apple Pay, Google Pay) from within your mobile application. This method is a seamless and integrated experience for end users, allowing them to use virtual cards for contactless payments and online transactions directly from their mobile wallet. Push provisioning requires strict adherence to the security requirements and certification processes of the respective mobile wallet providers (e.g., Apple, Google) in addition to Checkbook’s security protocols.

API

⚠️ Warning

Direct API retrieval should only be considered if you have the expertise and resources to achieve and maintain full PCI DSS compliance.

Your PCI compliant application can directly retrieve the virtual card number, expiration date, and CVV/CVC details via the Checkbook API. While this offers maximum flexibility in how you display the card information within your application’s UI, you are directly handling sensitive cardholder data, which necessitates implementing and maintaining stringent security controls and undergoing regular audits.
