Issue card
%20cover%20(1).avif)
Virtual card compliance is confusing in 2026 because:
Overall, the global shift is from patchwork national regimes toward harmonized licensing and security standards, but the timing differs by region and sector.
%20EN.png)
The PCI Security Standards Council states that PCI DSS v4.0.1 is a limited revision to v4.0 with no new or deleted requirements, only corrections, clarifications, and updated guidance.
The PCI DSS 4.0.1 requirements became the only active version after PCI DSS v4.0 was retired on 31 December 2024, and the new future-dated requirements from v4.0 became mandatory on 31 March 2025. The PCI SSC document library also lists PCI DSS v4.0.1 and the “Summary of Changes from PCI DSS v4.0 to v4.0.1,” confirming that v4.0.1 is the operative standard and not a separate ruleset with additional obligations. KPMG’s summary likewise notes that v4.0.1 introduces no new requirements. [1]
PCI DSS v4.0.1 did not add new requirements; it mainly corrected formatting and typographical errors, clarified the intent of some requirements and guidance, and updated supporting language. The PCI SSC specifically says this limited revision contains no additional or deleted requirements.
A few concrete changes in the official update include clarification for:
The update also changed appendices by removing sample customized-approach templates from the standard and moving them to the PCI SSC website resources. In practical terms, v4.0.1 is a clarification release, not a new compliance regime. [2]
PCI DSS v4.0.1 is now the operative baseline, so card platforms should align their security and compliance programs with the clarified requirements rather than wait for a new version.
For card platforms that fall within the PCI DSS scope — including virtual card, tokenization, and embedded issuing platforms — the primary change is not new requirements but demonstrating that applicable controls are implemented and operating effectively. Assessors will expect evidence that the future-dated requirements, which became mandatory on 31 March 2025, are implemented and functioning.
In practice, this puts emphasis on payment-page script controls, authentication, vulnerability management, targeted risk analysis, and service-provider governance. For card platforms, v4.0.1 reduces interpretive ambiguity, but it does not reduce scope or compliance burden.
The EU Anti-Money Laundering (AML) Package is a set of European Union laws adopted in 2024 and designed to strengthen and harmonize anti-money laundering (AML) and counter-terrorist financing (CTF) rules across all EU member states. Instead of each country applying significantly different rules, the package creates a more consistent framework.
The EU Anti-Money Laundering Regulation (AMLR) is the directly applicable anti-money-laundering regulation in the EU AML package, and it applies from 10 July 2027. It is part of the wider 2024 reform package that also created AMLA and replaced the old directive-based patchwork with a single rulebook. [3]
For a provider, AMLR matters if the provider is an obliged entity under the EU framework, especially in the financial sector and related higher-risk activities. The rulebook broadens coverage to more sectors and tightens customer due diligence, beneficial ownership checks, and monitoring obligations, so firms should treat 2026 as the preparation year rather than the start date.
AMLD6 is the EU’s sixth Anti-Money Laundering Directive, and unlike AMLR, it is a directive that Member States must transpose into national law. In the 2024 AML package, AMLD6 is the part that strengthens how national supervisors, FIUs, and cross-border supervisory cooperation work, rather than directly imposing a single EU-wide rulebook. It entered into force in 2024 and must be implemented by Member States by 10 July 2027 at the latest. [4]
The EU AMLA is the Anti-Money Laundering Authority: a new EU agency in Frankfurt that coordinates AML/CFT supervision, directly supervises some high-risk cross-border financial entities, supports national supervisors and FIUs, and helps set technical standards and guidelines. [5] AMLA began operations in summer 2025, but it will phase in its full direct-supervision powers later, with full operational supervision expected in 2028.
Under the EU AML framework, an obliged entity is a person or business that must carry out AML/CFT controls such as customer due diligence, ongoing monitoring, and suspicious-activity reporting. In practice, this includes banks, payment institutions, e-money institutions, crypto-asset service providers, and many other financial and non-financial businesses covered by the AML rules.
For card and payment platforms, this means that virtual-card issuers, embedded-finance providers, and crypto-funded card programs may fall into scope if they perform regulated financial activity. If a provider is an obliged entity, it must be able to identify customers, verify beneficial ownership where relevant, monitor transactions, and keep records in line with the applicable EU AML rules. This is why the provider’s legal classification matters as much as the product itself.
MiCA (Markets in Crypto-Assets Regulation) sets a single EU rulebook for crypto-assets that aren’t already covered by other EU financial-services legislation, and it creates a harmonized authorization and supervision regime for crypto-asset services.
Under MiCA, the key question for whether the card scheme falls under MiCA is whether the provider (or the card operation) performs one or more crypto-asset services that are regulated as CASP activities (e.g., custody/admin of crypto-assets, exchange for crypto-assets, executing orders, placing crypto-assets on behalf of others, etc.). MiCA then requires those regulated service providers to operate under the MiCA CASP authorization/supervision framework rather than only relying on national licensing. [6]
In MiCA, a CASP (Crypto-Asset Service Provider) authorization is tied to the idea that the provider must have compliant governance/risk controls and comply with prudential and conduct requirements, and it is granted by the competent national authority under MiCA’s Title on CASPs.
In practice, authorization typically requires you to be able to demonstrate adequate internal controls, procedures, and arrangements, including compliance arrangements connected to (virtual card) AML requirements/CFT obligations, before you can operate as a CASP.
The “travel rule” comes from the EU Transfer of Funds Regulation (EU) 2023/1113, which revises/extends the obligations around transfers so that relevant originator/beneficiary information is collected and made accessible for traceability. In AML/CFT compliance terms, the travel rule applies to crypto-asset transfers handled by a CASP, and it is designed to ensure that authorities can reconstruct transaction trails for enforcement and investigations.
In the U.S., crypto and payments businesses often run into FinCEN’s Bank Secrecy Act rules first. FinCEN treats many payment and transfer businesses as money services businesses (MSBs), which means they may need to register, maintain an AML program, and file reports on certain activity. [7]
The FinCEN prepaid access rules bring certain prepaid products under anti-money-laundering requirements. Providers and sellers of "prepaid access" products face extra compliance obligations — but closed-loop prepaid products (usable only at one merchant or network) can stay exempt, as long as they meet FinCEN's limits.
One key point: if a closed-loop product gets resold or exchanged on a secondary market, that alone doesn't turn it into a regulated open-loop product. Resale activity by itself doesn't change its status.
FinCEN says that, with limited exceptions, each Money Services Business (MSB) must register with the Treasury by filing FinCEN Form 107 within 180 days after the business is established and then renew that registration every two years. FinCEN also requires that you keep supporting registration records in the United States for five years. [8] Depending on the type of activity, this can include money transmission, currency exchange, check cashing, and some prepaid-access services.
That said, federal registration is only one layer. Many MSBs also need state money-transmitter licenses, so businesses often have to comply with both federal and state rules.
The GENIUS Act is Congress’s federal stablecoin framework for payment stablecoins. Congress’s summary says the bill creates a regulated system for “permitted issuers,” requires one-to-one reserves backed by cash or similarly liquid assets, requires monthly reserve disclosures, and subjects issuers to the Bank Secrecy Act. [9]
The White House also described the law as creating the first-ever federal regulatory system for stablecoins, with reserve and disclosure requirements and marketing restrictions intended to prevent misleading claims. That makes stablecoins much more clearly regulated at the federal level than they were before. [10]
%20EN.png)
Given how fragmented the rules are in 2026, the right questions depend on where the provider sits — PCI DSS, EU AML/MiCA, or US FinCEN rules. Here's what to ask in each area.
No. PCI DSS v4.0.1 became the active standard after March 2025, so 2026 is not a new deadline year. It is simply the first full year in which auditors enforce the controls that became mandatory on 31 March 2025.
The EU Anti-Money Laundering Regulation (AMLR) becomes directly applicable across all EU Member States on July 10, 2027. Because this unified rulebook introduces significantly stricter compliance mandates, affected firms and obliged entities are expected to utilize 2026 as their primary transition and implementation period to ensure full readiness.
The EU AMLA is the Anti-Money Laundering Authority. Whether it supervises your provider depends on what your provider is and where it operates. AMLA will directly supervise only selected, high-risk obligated entities in the financial sector; it also has an indirect/coordination role over other financial and non-financial entities, but most firms will still be supervised by their national competent authority rather than AMLA.
Yes, the transitional grandfathering window for Crypto-Asset Service Providers (CASPs) under the Markets in Crypto-Assets (MiCA) Regulation officially ended on July 1, 2026.
When a virtual card is loaded with cryptocurrency, the initial funding process falls under crypto card compliance regulations (specifically the Travel Rule) if it qualifies as a regulated digital asset transfer. However, once that crypto is loaded, the actual purchases made with the card are regulated under standard payment card industry rules. [11]
In the US, virtual card providers typically fall under FinCEN's Bank Secrecy Act framework. FinCEN treats many payment and transfer businesses as money services businesses (MSBs), which means they may need to register with the Treasury, maintain an AML program, and file reports on certain activity.
If the provider offers prepaid access products, FinCEN's prepaid access rule may add extra obligations — though closed-loop products (usable only at one merchant or network) can stay exempt as long as they meet FinCEN's limits. Note that reselling a closed-loop product on a secondary market doesn't by itself turn it into a regulated open-loop product.
If the card program is stablecoin-funded, issuers now also fall under the GENIUS Act, which subjects "permitted issuers" to Bank Secrecy Act requirements alongside reserve and disclosure rules.
Focus on five areas — PCI DSS virtual card status, tokenization, card network monitoring, audit support, and API scope:
Compliance shouldn't be a guessing game. A provider that keeps pace with all virtual card regulations in 2026, including PCI DSS, VAMP, MiCA, and FinCEN changes, is one you can trust with your spend. Talk to sales to see how Finup stays ahead of it.

We offer a variety of virtual cards to suit your needs. Simplify payments for any purpose.