Card issuing is being rewritten. The shift is being driven by regulation and technology pulling in the same direction: regulators demand real-time transparency, stronger fraud controls, and interoperability, while consumers expect instant issuance, tokenised payments, and mobile-first journeys. Network tokenisation mandates are accelerating. Cloud-native providers are raising the speed and cost-efficiency benchmarks. Together, these forces define what a modern card issuer must look like.

The scale of the market

Active payment cards worldwide have exceeded 40 billion, with ongoing growth across debit, prepaid and virtual programmes. The modern card issuing platform market — estimated at $5.2 billion in 2023 — is projected to grow to nearly $15.8 billion by 2032, reflecting sustained demand for cloud-native, API-first issuing infrastructure. Virtual and digitally issued cards are becoming the default for many new products, particularly in fintech, payroll, expense management and B2B virtual card programmes. Instant issuance and in-app card controls are now expected features, not differentiators.

Network tokenisation: from optional to mandatory

EMV tokenisation — replacing the card PAN with a network-issued token scoped to a specific merchant or channel — has contributed to a 67% reduction in digital payment fraud since widespread implementation began in 2020, according to the Nilson Report. Mastercard committed to 100% European e-commerce tokenisation by 2030. Visa is enforcing tokenisation mandates across issuers and processors. This is moving from a security best practice to a baseline operational requirement.

For issuers, tokenisation compliance requires integration with Token Service Providers (TSPs) across Visa and Mastercard networks, management of the token lifecycle including updates when underlying card credentials change, and support for wallet provisioning flows across Apple Pay, Google Pay and Samsung Pay. Issuers that do not have automated token management infrastructure face a growing operational burden as token volumes scale.

The fraud protection case is clear: tokens are domain-specific, meaning a token issued for one merchant cannot be used at another, and the underlying PAN is never transmitted through the transaction flow. This eliminates the primary attack surface for card data theft at the merchant and processor level. Implementing tokenisation is no longer optional for institutions serious about fraud loss reduction.

Instant issuance and digital-first card programmes

Instant issuance — the ability to provide a functional payment credential to a customer in seconds, digitally, without waiting for a physical card — has transformed the consumer experience for new card products. For retail banks launching debit products, the expectation is that a new customer can complete KYC, receive a card credential to their mobile wallet, and make a contactless payment within minutes of account opening.

For commercial card programmes — expense management, virtual cards for supplier payments, single-use cards for online purchasing — instant issuance is the operating model. Platforms like Marqeta and Stripe Issuing enable fintechs and corporates to issue virtual cards programmatically via API, with real-time transaction controls including spend limits, merchant category restrictions, and velocity rules applied at the card level. This capability is the foundation of corporate expense management platforms, B2B payments automation, and embedded finance products.

The modern issuing stack

Legacy card management systems — often batch-processing mainframes that were built for a different era — are incompatible with the real-time authorisation decisioning, instant issuance, and dynamic tokenisation requirements of 2026. The migration to cloud-native issuing platforms is accelerating, driven by the inability of legacy systems to support wallet provisioning, real-time authorisation controls, and API connectivity to modern compliance and fraud tooling.

A modern issuing platform requires: real-time transaction authorisation capable of decisioning in under 100 milliseconds; card lifecycle management including instant issuance, digital wallet provisioning, and automated token management; fraud decisioning integration with behavioural analytics and machine learning models; scheme connectivity to Visa, Mastercard and local schemes; full API platform with webhook support for real-time event notification; and multi-currency capability for international programmes.

GCC issuing context

Card issuing in the GCC operates within scheme frameworks defined by Visa and Mastercard alongside local scheme requirements — mada in Saudi Arabia, BENEFIT in Bahrain, and national debit schemes across the UAE. GCC issuers have been early adopters of contactless and mobile wallet payment technologies: contactless penetration in the UAE and Saudi Arabia is among the highest globally. The challenge for GCC issuers is legacy core banking infrastructure — many institutions operate card systems that predate modern tokenisation and API standards, creating migration programmes that are technically complex and operationally disruptive.

For new entrants — neobanks, fintech issuers and institutions launching new card programmes in GCC markets — cloud-native issuing platforms offer a path to market that bypasses the legacy migration problem. The licensing requirements under QCB, SAMA and CBUAE frameworks for card issuing are well established; the technology question is which issuing platform best serves the specific business model, card type and target customer segment.