Programmable Money: How Virtual Cards Are Improving T&E Management

It’s hard to imagine companies funding employee travel and expenses (T&E) without plastic credit cards. They offer the ultimate flexibility for employees to get whatever they need when they’re away on company business. However, these cards are not always the best – or most lucrative – option.

The biggest challenge with physical cards is that companies don’t want every employee to have a corporate credit card. When you have plastic walking around, it can be lost, stolen, or used fraudulently. The majority of employees don’t make enough corporate purchases to warrant that risk. 

In the back office, it’s an administrative nightmare to keep track of cards that aren’t actively being used. So, companies often need to limit the number of cardholders to people who utilize them regularly. 

For employees that don’t have a corporate card, the traditional option has been to let them use their personal credit card. Then they submit a reimbursement form, attach all of their receipts to their paperwork, and present a justification for the expenses – resulting in a time-consuming, tedious process.

With this process, companies expect their employees to float the company money – sometimes for 30 days or longer if the reimbursement process is slow. That can cause cash flow problems for them. Some employees are okay with this because they’re getting all the points or rebates on company spending, but the business both loses out on potential rebate revenue and puts undue stress on its employees.

The solution? Virtual cards. Programmable virtual credit cards offer companies a more customizable solution for when they want more control over T&E spending. They also address the challenges that plastic cards present for both companies and employees.

Virtual card Application Programming Interfaces (APIs) open the door to a better solution for everyone. You can connect to a virtual card issuing platform that lets you manage your virtual cards quickly and easily. You can then allow these cards to be used for limited spending by a specific person, even for a defined purpose and frequency, all within a specific time frame. 

For example, let’s say you’re sending someone out on the road for a week and their hotel has already been paid for by the company. You don’t need to give them a card with a $4,000 credit line for that. You can simply issue a virtual card and set the controls so that they can spend up to $150 each day. 

You can also set controls so that the card can only be used for purchases within certain Merchant Category Codes (MCCs). These MCCs can include restaurants, limo services, taxis, and even big box stores like Walmart or Target. You can even narrow the purchases down to specific items, like a toothbrush or aspirin. Essentially, any purchase that falls outside the MCCs you have set is restricted.

You set the controls, and when the card is presented, you can perform real-time authorizations using all of the data from the authorization message. These cards are secure by their very nature, which allows your business to know about any potential fraud within seconds.

All of this is done instantaneously through APIs and webhooks. It’s all application to application. No people are involved.
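The controls described above (a $150 daily cap, an MCC allow-list, and a fixed validity window) can be expressed as a real-time authorization decision. This is an added example, not code from the article or from any issuing platform; the message field names, dates and reason strings are assumptions, and the sample messages are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from decimal import Decimal

@dataclass
class CardControls:
    daily_limit: Decimal          # e.g. the $150/day cap from the article
    allowed_mccs: frozenset       # allow-list: anything not listed is declined
    valid_from: datetime
    valid_until: datetime
    spent_by_day: dict = field(default_factory=dict)  # date -> Decimal approved

def authorize(controls, msg):
    """Decide one authorization message; returns (approved, reason)."""
    ts, amount, mcc = msg["timestamp"], Decimal(msg["amount"]), msg["mcc"]
    if not controls.valid_from <= ts <= controls.valid_until:
        return False, "outside_validity_window"
    if mcc not in controls.allowed_mccs:      # default deny
        return False, "mcc_not_allowed"
    if amount <= 0:
        return False, "invalid_amount"
    spent = controls.spent_by_day.get(ts.date(), Decimal("0"))
    if spent + amount > controls.daily_limit:
        return False, "daily_limit_exceeded"
    controls.spent_by_day[ts.date()] = spent + amount  # count approvals only
    return True, "approved"

def run_sample():
    """Constructed messages for a one-week trip; field names are hypothetical."""
    controls = CardControls(
        daily_limit=Decimal("150.00"),
        # MCCs: 5812 restaurants, 4121 taxis/limousines, 5310 discount stores
        allowed_mccs=frozenset({"5812", "4121", "5310"}),
        valid_from=datetime(2024, 3, 4),
        valid_until=datetime(2024, 3, 8, 23, 59, 59),
    )
    msgs = [
        {"timestamp": datetime(2024, 3, 4, 12, 30), "amount": "42.50", "mcc": "5812"},
        {"timestamp": datetime(2024, 3, 4, 19, 0), "amount": "120.00", "mcc": "5812"},
        {"timestamp": datetime(2024, 3, 4, 21, 0), "amount": "30.00", "mcc": "4121"},
        {"timestamp": datetime(2024, 3, 5, 9, 0), "amount": "60.00", "mcc": "7995"},
        {"timestamp": datetime(2024, 3, 5, 13, 0), "amount": "150.00", "mcc": "5310"},
        {"timestamp": datetime(2024, 3, 11, 10, 0), "amount": "10.00", "mcc": "5812"},
    ]
    return [authorize(controls, m)[1] for m in msgs]

if __name__ == "__main__":
    for reason in run_sample():
        print(reason)
```

Declined attempts do not consume the daily allowance, so the 30.00 taxi fare is still approved after the 120.00 decline on the same day.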

You can also use User-Defined Fields to attach metadata that’s meaningful to your business. The metadata flows through your systems throughout the lifecycle of the card, and comes in handy when reconciling and categorizing payments.

You can even customize your card art, and supply the virtual card directly to the recipient’s digital wallet for frictionless point-of-sale acceptance.

This is what we call “Virtual Card as a Service.” It’s taking existing virtual card technology and automating it so that corporate travel administrators can create, manage, and supply these cards as needed. They could be for employees who don’t need to be carrying around a company card, and even for contract workers or temporary employees. 

Nobody has to float the company money. Nobody has to contend with a manual expense reimbursement process, and the company gets the rebates.

Plastic T&E cards aren’t going away anytime soon. Whether they’re issued by the company, or people use their own cards and get reimbursed, they’re still considered a convenient way to pay for non-invoiced spending. But there are a lot of different ways that people spend a business’s money, and some ways benefit the business more than others.

The ability to program virtual cards with embedded controls gives companies more control – and more benefits – than ever before. The cardholder can pay at the point of sale with the same ease as plastic, and they don’t have to hassle with reimbursements. The company’s spending controls are enforced automatically, and they don’t have to take on the risk of having plastic cards outstanding. The customization is unmatched and ultimately safer for the businesses, making virtual cards the better way to manage T&E purchases.




In the digital world, most of us are constantly immersed in protecting data while ensuring smooth operations that have become increasingly complex in recent years, particularly in the age of COVID-19 for manufacturers and e-commerce leaders. With concerns of maximizing cybersecurity compliance increasing almost as quickly as consumer demand, we decided to take a deeper look at how data protection ties into e-commerce and manufacturing and what companies can do to remain competitive, compliant and trustworthy in the eyes of their customers. 

To gain a better understanding, we looked to Bindu Sundaresan, director at AT&T Cybersecurity Consulting. With the firm for the past 12 years, Sundaresan and her organization offer planning and professional services to help customers in retail, healthcare, manufacturing, finance and more reduce cyber risks.


“You name the emerging technology irrespective of customer security maturity, we are there,” Sundaresan says. “We are starting to see some implications of rushed transformation efforts, putting companies at larger risk. They have to take stock of their altered risk profile as the threat surface grows and with the adoption of digital technologies in pursuit of new business models and enhanced customer experiences such as e-commerce in manufacturing.”

She adds that in the modern age, e-commerce is no longer the preserve of retailers or e-tailers. In fact, e-commerce has transformed the way major industries conduct business, from manufacturing and B2B to shippers.

“It’s a whole function, end-to-end in terms of when the ordering is placed to checking on what stocks are available, to shipping,” Sundaresan says. “This is all happening through front-end e-commerce websites. E-commerce in general is an attractive target for the malicious actor, because that’s where the money is.”

Data protection in the digital space requires a strategic and tedious process–two words some would never think to put in the same sentence when talking technology. For businesses to successfully secure consumer data, company data and overall cybersecurity, all moving parts must be considered, starting with the basics. Sundaresan emphasizes that just because digital applications have been simplified, it does not ensure a successful launch of data-secured applications.

“Follow the data, think about every connection, think about the data flow, think about every connection you are making for every asset within your organization. Web application security must be taken seriously. Application Security 101 is how you should secure your third-party and open-source code because approximately 96 percent of apps today use borrowed code. Sure, it is a great way of standing an application up, making it run fast, and saving development time and resources. But at the same time, it will introduce vulnerabilities into your infrastructure.” 

From their inception, web applications present competitive advantages, and significant vulnerabilities if not properly deployed. One must carefully consider the limitations and vulnerabilities of the selected tools that handle protected information in order to secure and operate them effectively.

“It’s not just about fraud protection or credit card data behind these applications,” Sundaresan notes. “It is about the denial-of-service attacks that can happen, making your website unavailable. It is not somebody stealing, it is somebody getting availability. It is about using your website and your brand to craft another webpage that looks exactly like your brand, and then do SQL injection on it. E-commerce websites now have sophisticated tools with shielding applications and technologies available. These are all affordable and easily consumable, eliminating the need to go in and actually change the code.”

Whether we realize it or not, almost all of us are using some type of e-commerce platform, IoT device or another form of digital technology enabling connectivity between us and the outside world of products and goods.

“Everyone cares about privacy, and this is a common thread across industry verticals,” Sundaresan explains. “We all use internally built applications, APIs and take payment information. Anyone that takes credit card information needs to comply with the PCI standard. It covers a lot of web applications and e-commerce security controls that are a must. Compliance is not the end goal, but it’s a great starting point for your framework.”

Looking at manufacturing, we see a different story unfold. Data protection measures are approached from a different angle that does not consider coverage for sensitive consumer payment information or personal identification. After all, many manufacturers are not dealing directly with the consumer but still have a need for securing digital transformation in the sector.

“As a manufacturer, you have to think about what the attack surface looks like and what the protection surface looks like,” Sundaresan warns. “It is critical for manufacturers to think of each new connection as a potential vulnerability to their attack surface. Gone are the days where manufacturers are going to look at just safety and well-being as the only priorities–security is now top of mind, and it should be.” 

Along with basically every other industry sector across the globe, COVID-19 impacted and changed manufacturing. Sundaresan highlights the changes sparked by the pandemic and how manufacturers are now prioritizing data security. 

“COVID propelled smart manufacturing, showing us that security is more about risk and resilience rather than just providing a technological element to operations. We have enough tools out there, and it’s time to initiate the joining of forces and look at how data can be exploited because of unpatched systems in manufacturing.” 

Over the past 12 years, Sundaresan and her team at AT&T Cybersecurity Consulting have learned that the adage “you’re only as strong as your weakest link” was more than relevant to the supply chain during the pandemic, challenging the notion that a company not focused on B2C operations is free of the risk of data breaches and threatened security.

“In the 20 years I have been working in the industry, there is not one thing that we don’t do at AT&T Cybersecurity. Some assume we might only do large projects or cater to those if they are connected to our network. That is not the case. In relation to the industry as a whole, an important takeaway is to remember that what manufacturing and healthcare are going through now, retail and finance went through this same thing about two, three years ago.” 

To learn more about AT&T Cybersecurity and its diverse solutions portfolio, visit:


Bindu’s experience, which spans more than 20 years, has been shaped by the opportunity to work with some of the world’s most innovative companies. She has worked with industry frameworks, including NIST/ISO/HITRUST, and regulatory requirements, including PCI, NERC, and HIPAA. Bindu has led dozens of cyber-risk engagements for Fortune 500 clients from strategy to technology implementation to breach response. She was tapped to lead a complex PCI and HIPAA compliance assessment for a leading global retailer, spearheaded a $1M security assessment, and worked on securing Criminal Justice Information Sharing Networks in NYC. Before AT&T, Bindu was a Senior Manager with Verisign. Before joining Verisign, she was a Senior Consultant with KPMG and a Senior Network Engineer. Her love for teaching and mentoring started with her role as an Adjunct Faculty with the State University of New York (SUNY).