Show all
Business insights

Virtual Card Compliance in 2026: AML, PCI DSS, and What EU/US Regulations Now Require

15.07.2026
07
 min to read
Virtual Card Compliance in 2026: AML, PCI DSS, and What EU/US Regulations Now Require

Why Virtual Card Compliance Is Confusing in 2026

Virtual card compliance is confusing in 2026 because: 

  • Multiple, overlapping authorities (payment brands, PCI SSC, issuers, processors, and regulators) give different scope rules and guidance.
  • Rapid product innovation (single‑use vs multi‑use, tokenization, embedded issuing) outpaces standardization.
  • Operational variations (APIs, integrations, geography/BINs, and reporting) create inconsistent auditor and merchant practices.
  • The world has completed the transition to PCI DSS 4.0.1, and virtual cards aren’t an exception.

Quick answer: what's in force in 2026

  • PCI DSS v4.0.1 became the active standard after 31 March 2025. 
  • The transitional period of the Markets in Crypto-Assets Regulation (MiCA) ended across the EU on July 1, 2026, meaning any CASP still operating on legacy national licenses must now hold full MiCA authorization or cease serving EU clients.
  • The EU Anti-Money Laundering Regulation (AMLR) has been in force since July 2024, but it doesn't become directly applicable until July 10, 2027. The compliance shift is already underway through preparatory rules, supervisory alignment, and implementation planning.
  • In the US, the situation remains fragmented, with overlapping federal, state, and sector-specific rules rather than one unified framework. 

Overall, the global shift is from patchwork national regimes toward harmonized licensing and security standards, but the timing differs by region and sector.

PCI DSS v4.0.1 Requirements

The PCI Security Standards Council states that PCI DSS v4.0.1 is a limited revision to v4.0 with no new or deleted requirements, only corrections, clarifications, and updated guidance. 

The PCI DSS 4.0.1 requirements became the only active version after PCI DSS v4.0 was retired on 31 December 2024, and the new future-dated requirements from v4.0 became mandatory on 31 March 2025. The PCI SSC document library also lists PCI DSS v4.0.1 and the “Summary of Changes from PCI DSS v4.0 to v4.0.1,” confirming that v4.0.1 is the operative standard and not a separate ruleset with additional obligations. KPMG’s summary likewise notes that v4.0.1 introduces no new requirements. [1]

What Changed in v4.0.1

PCI DSS v4.0.1 did not add new requirements; it mainly corrected formatting and typographical errors, clarified the intent of some requirements and guidance, and updated supporting language. The PCI SSC specifically says this limited revision contains no additional or deleted requirements. 

A few concrete changes in the official update include clarification for:

  • Requirement 3, including applicability notes for issuers and support for issuing services.
  • Requirement 6, including patching language tied to critical vulnerabilities and payment-page script controls.
  • Requirement 8, including how phishing-resistant authentication affects MFA applicability.
  • Requirement 12, including clearer language on customer and third-party service provider relationships.

The update also changed appendices by removing sample customized-approach templates from the standard and moving them to the PCI SSC website resources. In practical terms, v4.0.1 is a clarification release, not a new compliance regime. [2]

What It Means for Card Platforms

PCI DSS v4.0.1 is now the operative baseline, so card platforms should align their security and compliance programs with the clarified requirements rather than wait for a new version. 

For card platforms that fall within the PCI DSS scope — including virtual card, tokenization, and embedded issuing platforms — the primary change is not new requirements but demonstrating that applicable controls are implemented and operating effectively. Assessors will expect evidence that the future-dated requirements, which became mandatory on 31 March 2025, are implemented and functioning.

In practice, this puts emphasis on payment-page script controls, authentication, vulnerability management, targeted risk analysis, and service-provider governance. For card platforms, v4.0.1 reduces interpretive ambiguity, but it does not reduce scope or compliance burden.

The EU AML Package: AMLR, AMLD6, AMLA

The EU Anti-Money Laundering (AML) Package is a set of European Union laws adopted in 2024 and designed to strengthen and harmonize anti-money laundering (AML) and counter-terrorist financing (CTF) rules across all EU member states. Instead of each country applying significantly different rules, the package creates a more consistent framework.

AMLR: Applies from July 2027

The EU Anti-Money Laundering Regulation (AMLR) is the directly applicable anti-money-laundering regulation in the EU AML package, and it applies from 10 July 2027. It is part of the wider 2024 reform package that also created AMLA and replaced the old directive-based patchwork with a single rulebook. [3]

For a provider, AMLR matters if the provider is an obliged entity under the EU framework, especially in the financial sector and related higher-risk activities. The rulebook broadens coverage to more sectors and tightens customer due diligence, beneficial ownership checks, and monitoring obligations, so firms should treat 2026 as the preparation year rather than the start date.

AMLD6 and virtual card compliance

AMLD6 is the EU’s sixth Anti-Money Laundering Directive, and unlike AMLR, it is a directive that Member States must transpose into national law. In the 2024 AML package, AMLD6 is the part that strengthens how national supervisors, FIUs, and cross-border supervisory cooperation work, rather than directly imposing a single EU-wide rulebook. It entered into force in 2024 and must be implemented by Member States by 10 July 2027 at the latest. [4]

AMLA: Operational Since 2025

The EU AMLA is the Anti-Money Laundering Authority: a new EU agency in Frankfurt that coordinates AML/CFT supervision, directly supervises some high-risk cross-border financial entities, supports national supervisors and FIUs, and helps set technical standards and guidelines. [5] AMLA began operations in summer 2025, but it will phase in its full direct-supervision powers later, with full operational supervision expected in 2028.

Who Counts as an Obliged Entity

Under the EU AML framework, an obliged entity is a person or business that must carry out AML/CFT controls such as customer due diligence, ongoing monitoring, and suspicious-activity reporting. In practice, this includes banks, payment institutions, e-money institutions, crypto-asset service providers, and many other financial and non-financial businesses covered by the AML rules.

For card and payment platforms, this means that virtual-card issuers, embedded-finance providers, and crypto-funded card programs may fall into scope if they perform regulated financial activity. If a provider is an obliged entity, it must be able to identify customers, verify beneficial ownership where relevant, monitor transactions, and keep records in line with the applicable EU AML rules. This is why the provider’s legal classification matters as much as the product itself.

MiCA and Crypto-Funded Cards (Including Virtual Cards)

MiCA (Markets in Crypto-Assets Regulation) sets a single EU rulebook for crypto-assets that aren’t already covered by other EU financial-services legislation, and it creates a harmonized authorization and supervision regime for crypto-asset services.

Under MiCA, the key question for whether the card scheme falls under MiCA is whether the provider (or the card operation) performs one or more crypto-asset services that are regulated as CASP activities (e.g., custody/admin of crypto-assets, exchange for crypto-assets, executing orders, placing crypto-assets on behalf of others, etc.). MiCA then requires those regulated service providers to operate under the MiCA CASP authorization/supervision framework rather than only relying on national licensing. [6]

What CASP Authorization Requires

In MiCA, a CASP (Crypto-Asset Service Provider) authorization is tied to the idea that the provider must have compliant governance/risk controls and comply with prudential and conduct requirements, and it is granted by the competent national authority under MiCA’s Title on CASPs. 

In practice, authorization typically requires you to be able to demonstrate adequate internal controls, procedures, and arrangements, including compliance arrangements connected to (virtual card) AML requirements/CFT obligations, before you can operate as a CASP.

The Travel Rule (Reg. 2023/1113)

The “travel rule” comes from the EU Transfer of Funds Regulation (EU) 2023/1113, which revises/extends the obligations around transfers so that relevant originator/beneficiary information is collected and made accessible for traceability. In AML/CFT compliance terms, the travel rule applies to crypto-asset transfers handled by a CASP, and it is designed to ensure that authorities can reconstruct transaction trails for enforcement and investigations.

US Regulations: FinCEN, MSB, and Stablecoins

In the U.S., crypto and payments businesses often run into FinCEN’s Bank Secrecy Act rules first. FinCEN treats many payment and transfer businesses as money services businesses (MSBs), which means they may need to register, maintain an AML program, and file reports on certain activity. [7]

FinCEN's Prepaid Access Rule

The FinCEN prepaid access rules bring certain prepaid products under anti-money-laundering requirements. Providers and sellers of "prepaid access" products face extra compliance obligations — but closed-loop prepaid products (usable only at one merchant or network) can stay exempt, as long as they meet FinCEN's limits.

One key point: if a closed-loop product gets resold or exchanged on a secondary market, that alone doesn't turn it into a regulated open-loop product. Resale activity by itself doesn't change its status.

MSB Registration and State Licensing

FinCEN says that, with limited exceptions, each Money Services Business (MSB) must register with the Treasury by filing FinCEN Form 107 within 180 days after the business is established and then renew that registration every two years. FinCEN also requires that you keep supporting registration records in the United States for five years. [8] Depending on the type of activity, this can include money transmission, currency exchange, check cashing, and some prepaid-access services.

That said, federal registration is only one layer. Many MSBs also need state money-transmitter licenses, so businesses often have to comply with both federal and state rules.

Stablecoins: The GENIUS Act

The GENIUS Act is Congress’s federal stablecoin framework for payment stablecoins. Congress’s summary says the bill creates a regulated system for “permitted issuers,” requires one-to-one reserves backed by cash or similarly liquid assets, requires monthly reserve disclosures, and subjects issuers to the Bank Secrecy Act. [9]

The White House also described the law as creating the first-ever federal regulatory system for stablecoins, with reserve and disclosure requirements and marketing restrictions intended to prevent misleading claims. That makes stablecoins much more clearly regulated at the federal level than they were before. [10]

What to Ask a Virtual Card Provider

Given how fragmented the rules are in 2026, the right questions depend on where the provider sits — PCI DSS, EU AML/MiCA, or US FinCEN rules. Here's what to ask in each area.

PCI DSS and card data security

  • Do you have a current PCI DSS v4.0.1 Attestation of Compliance, and can you share it?
  • Which of the future-dated requirements (mandatory since March 31, 2025) apply to your platform, and can you show they're implemented and operating — not just documented?
  • Where does your PCI scope end and mine begin? Ask for a written responsibility split, especially around payment-page script controls, authentication, and tokenization.

EU AML status (if you operate in the EU)

  • Are you classified as an "obliged entity" under the EU virtual card AML requirements, and if so, how do you handle customer due diligence, beneficial ownership checks, and monitoring?
  • Are you preparing for AMLR (applies July 2027) and AMLD6?
  • Is your program supervised or likely to fall under AMLA's direct supervision, and what does that mean for onboarding timelines?

Crypto-funded cards (if relevant)

  • Does your card program touch any CASP-regulated activity under MiCA?
  • If so, do you hold CASP authorization from a national competent authority, and can you show your AML/CFT-linked internal controls?
  • For crypto transfers, how do you comply with the EU Travel Rule (Reg. 2023/1113)? How is originator/beneficiary information collected and made traceable?

US regulatory status

  • Are you registered with FinCEN as a Money Services Business (Form 107), and is that registration current?
  • Do you also hold the state money-transmitter licenses required for your activity, or only federal registration?
  • If your product involves prepaid access, is it closed-loop or open-loop, and if closed-loop, how do you ensure secondary-market resale doesn't push it into open-loop territory?
  • If stablecoins are involved, are you working with a GENIUS Act–permitted issuer, and can you confirm reserve backing and monthly disclosure practices?

Network-level fraud monitoring

  • Who's accountable if my program crosses into an "Above Standard" or "Excessive" tier?

FAQ

Is there a PCI DSS deadline in 2026?

No. PCI DSS v4.0.1 became the active standard after March 2025, so 2026 is not a new deadline year. It is simply the first full year in which auditors enforce the controls that became mandatory on 31 March 2025.

When does the EU AMLR actually apply?

The EU Anti-Money Laundering Regulation (AMLR) becomes directly applicable across all EU Member States on July 10, 2027. Because this unified rulebook introduces significantly stricter compliance mandates, affected firms and obliged entities are expected to utilize 2026 as their primary transition and implementation period to ensure full readiness.

What is AMLA, and does it supervise my provider?

The EU AMLA is the Anti-Money Laundering Authority. Whether it supervises your provider depends on what your provider is and where it operates. AMLA will directly supervise only selected, high-risk obligated entities in the financial sector; it also has an indirect/coordination role over other financial and non-financial entities, but most firms will still be supervised by their national competent authority rather than AMLA.

  • If your provider is a cross-border, high-risk financial entity, AMLA may directly supervise it.
  • If it is a local or lower-risk provider, supervision will usually remain with the national AML/CFT supervisor, with AMLA setting the EU-level framework and coordination.

Did the MiCA transition period end?

Yes, the transitional grandfathering window for Crypto-Asset Service Providers (CASPs) under the Markets in Crypto-Assets (MiCA) Regulation officially ended on July 1, 2026. 

Do crypto-funded virtual cards fall under the Travel Rule?

When a virtual card is loaded with cryptocurrency, the initial funding process falls under crypto card compliance regulations (specifically the Travel Rule) if it qualifies as a regulated digital asset transfer. However, once that crypto is loaded, the actual purchases made with the card are regulated under standard payment card industry rules. [11]

What AML rules apply to virtual cards in the US?

In the US, virtual card providers typically fall under FinCEN's Bank Secrecy Act framework. FinCEN treats many payment and transfer businesses as money services businesses (MSBs), which means they may need to register with the Treasury, maintain an AML program, and file reports on certain activity.

If the provider offers prepaid access products, FinCEN's prepaid access rule may add extra obligations — though closed-loop products (usable only at one merchant or network) can stay exempt as long as they meet FinCEN's limits. Note that reselling a closed-loop product on a secondary market doesn't by itself turn it into a regulated open-loop product.

If the card program is stablecoin-funded, issuers now also fall under the GENIUS Act, which subjects "permitted issuers" to Bank Secrecy Act requirements alongside reserve and disclosure rules.

What should I ask a virtual card provider about compliance?

Focus on five areas — PCI DSS virtual card status, tokenization, card network monitoring, audit support, and API scope:

  • What's your PCI DSS status? Ask for their current Attestation of Compliance (AOC) and confirm it's validated against v4.0.1, not an older version.
  • Where does your compliance scope end and mine begin? Request a written responsibility matrix — don't rely on verbal reassurance.
  • How is card data tokenized, and where is it stored? Ask about token standards used and data residency, especially if you're issuing across multiple countries.
  • Ask who's accountable if your program triggers an enforcement tier and whether you get real-time fraud/dispute reporting to monitor this yourself.
  • What audit and reporting support do you provide? Ask for sample logs, breach notification SLAs, and whether your API docs clearly flag which fields are in PCI scope.

Compliance shouldn't be a guessing game. A provider that keeps pace with all virtual card regulations in 2026, including PCI DSS, VAMP, MiCA, and FinCEN changes, is one you can trust with your spend. Talk to sales to see how Finup stays ahead of it.

Sources

  1. PCI Security Standards Council. Document Library
  2. PCI Security Standards Council. Just Published: PCI DSS v4.0.1
  3. Deloitte. The New EU AML Package
  4. eucrim. New Anti-Money Laundering Directive (AMLD 6)
  5. EUR-Lex. Authority for Anti-Money Laundering and Countering the Financing of Terrorism
  6. European Securities and Markets Authority. Markets in Crypto-Assets Regulation (MiCA)
  7. IRS. Money services business (MSB) information center
  8. Financial Crimes Enforcement Network. Money Services Business (MSB) Registration
  9. Congress.gov. S.1582 - GENIUS Act
  10. The White House. Fact Sheet: President Donald J. Trump Signs GENIUS Act into Law
  11. Wilson Sonsini Goodrich & Rosati. “Anti-Money Laundering Obligations for Virtual Currency Companies”
Link Copied !