Virtual Card Payments in AP: The Security Win Your CFO Will Love
Virtual cards cut payment fraud from 63% to 5%. But most programs plateau at 18% of spend because finance pitches rebates instead of the real value — security.
Ken
AI Finance Assistant
Your CFO pitches the virtual card program as a yield play. The treasurer models $40K-$80K of annual rebate income on $5M of payable spend. The board nods.
Three years in, the program is stuck at 18% of payment volume. The top suppliers refused to enroll. The rebate line keeps shrinking. The program looks like a failure.
It is not a failure. It is mispitched.
The dominant ROI of virtual card payments in accounts payable is not the rebate. It is a 58-percentage-point drop in your fraud attack surface — from 63% on checks and wires to 5% on virtual cards, according to the 2025 AFP Payments Fraud and Control Survey. One prevented business email compromise loss at the mid-market median of around $50,000 is worth roughly three years of rebate yield on the same spend.
The finance teams that scale virtual card programs past half of payable spend have figured out two things the rebate pitch obscures. Fraud avoidance is the headline number. Supplier acceptance only moves when you stop selling rebates and start selling speed.
What virtual card payments actually are
A virtual card is a 16-digit card number issued for a single payment to a single supplier, locked to a specific amount and date window. Once the supplier charges it for the agreed amount, the number becomes inert. It cannot be reused, sold, replayed, or skimmed because there is nothing left to skim.
Three behavior differences from a traditional corporate card matter for AP:
| Trait | Corporate card | Virtual card |
|---|---|---|
| Number lifespan | Years | One transaction |
| Locked to vendor | No | Yes — vendor name in authorization |
| Locked to amount | No (within credit limit) | Yes — to the cent |
| Reusable if leaked | Yes — fraud opportunity | No — declines on second charge |
| Audit trail | Aggregated statement | Per-payment authorization record |
This is the structural reason virtual cards eat fraud risk. The most common B2B payment frauds — BEC redirects, check washing, account-takeover ACH credits — all depend on the attacker being able to redirect a payment to a different beneficiary or capture an instrument that can be reused. A virtual card declines both moves at the network level before your AP team ever sees the chargeback.
Settlement happens within 24-48 hours of the supplier charging the card, depending on the network. The funds leave your bank account only when the supplier captures the authorization, which is what gives the buyer the DPO extension most rebate pitches lead with.
The fraud arithmetic CFOs underweight
The AFP Payments Fraud and Control Survey runs every year and is the closest thing to an industry-standard fraud baseline. The 2025 edition surveyed 542 corporate treasurers and reported attack rates by payment method for fiscal 2024.
Payment Fraud Attack Rate by Method
Percentage of US organizations that experienced attempted or actual fraud on each payment method in fiscal 2024. Virtual cards sit at 5% — a category change from any other digital instrument.
Source: 2025 AFP Payments Fraud and Control Survey. 79% of organizations experienced attempted or actual payment fraud in 2024.
Read the chart twice. The headline number — 79% of organizations hit by attempted or actual payment fraud — is one story. The breakdown is the more useful one.
Wire and check transactions sit at 63%. ACH credits at 50%. ACH debits at 38%. Virtual card payments at 5%. The drop from any digital instrument to virtual cards is not marginal. It is a category change.
The CFO math on a virtual card program usually stops at the rebate. Try the risk-adjusted math instead. On $5M of annual payable spend, assume conservatively:
- 60% of that spend currently moves via check, wire, or ACH — methods with attack rates between 38% and 63%
- Average BEC loss reported in 2024: $50,000 per successful attack (FBI IC3 data trends)
- Move 40% of the at-risk spend to virtual cards. Attack rate on that converted slice falls from a blended 55% to 5%.
That delta works out to roughly one prevented incident every 12-18 months at mid-market volumes. At $50,000 a pop, the risk-adjusted savings sit between $33,000 and $50,000 a year — before you add a single dollar of rebate yield. The rebate, at 0.8% on the same converted volume, contributes another $16,000. Fraud avoidance is doing two-thirds of the work.
This is the reframe. The rebate is real. It is also the third-place argument behind fraud avoidance and supplier-payment-cycle compression.
The rebate is not free money
The honest description of virtual card rebates: your card issuer charges the supplier 2.5-3% in interchange when they process the payment, then refunds 0.8-1.5% of that to you as a rebate split with the processor and the issuer.
Mid-market programs land in the 0.8%-1.5% range. Enterprise programs at higher volumes occasionally touch 1.8%. The funding source is the same in every case — the supplier is paying the interchange that funds the kickback.
This is why supplier acceptance is the binding constraint on every B2B virtual card program. A supplier that refuses to take your card is not being difficult. They are doing the same math you are doing, in the opposite direction. On their side, accepting your virtual card converts a Net 30 receivable they would have collected via ACH at near-zero cost into a 24-hour settlement that costs them 2-3% of revenue. For a 10% gross margin distributor, that is 20-30% of the unit margin on the order.
The new variable in 2026 is Visa's Commercial Enhanced Data Program, which took effect April 2025. Transactions that ship with invoice-quality line-item data qualify for 15 basis points lower interchange. Transactions that fail the data standard pay roughly a full percentage point more. For a supplier weighing whether to accept your card, the gap between qualified and non-qualified is the entire margin on the order.
The implication for your program: virtual cards issued from an AP automation platform that pushes structured invoice data into the card authorization are not just more convenient. They are 100-115 basis points cheaper for the supplier than virtual cards from a bank portal — and that gap is what makes the supplier acceptance pitch land.
Why most virtual card programs plateau at 18%
The standard rollout playbook is the reason every program looks the same at the 18-month mark.
Step one: bank partner sends a cold-call campaign to your top 200 vendors offering "convenient new payment options." Step two: 8-12% of vendors enroll, mostly the small ones you were already paying via ACH. Step three: the program stalls because your top ten suppliers by spend — the ones that would actually move the rebate number — refuse, citing the interchange hit. Step four: the program lives in a maintenance state, occasionally adding a vendor when procurement remembers.
Three reasons this fails predictably:
The cold-call pitch leads with the wrong value. "Get paid faster on our virtual card program" is the only sentence in that script that a CFO at the supplier cares about. The rest is noise. Bank call campaigns plateau at 10-15% adoption because they spend most of the call selling card mechanics instead of the one number that matters — settlement in 24-48 hours instead of Net 30.
The pitch arrives after the contract is signed. The leverage moment in vendor onboarding closes the day the master agreement gets executed. Asking a vendor to accept virtual card payments six months into the relationship — when they have already calibrated their AR processes to your ACH details — is a low-leverage ask. Asking on the day they fill out the W-9 form is a different conversation.
There is no escalation path for high-spend holdouts. Three suppliers refusing might represent 40% of your payable volume. Without a path to revisit at contract renewal or a procurement-led negotiation tactic, the no stays a no forever.
A rollout that actually scales
The pattern that works at mid-market and works backwards from the supplier psychology, not the bank's marketing collateral.
| Phase | Weeks | What you do | Why it works |
|---|---|---|---|
| 1. Card issuance setup | 1-2 | Stand up the program with your bank or an AP automation vendor that issues cards with structured line-item data | Qualified-data transactions cost the supplier ~100bps less in interchange |
| 2. Vendor segmentation | 3-4 | Sort vendors by spend, payment method, and likely acceptance willingness (industry, margin profile, current payment terms) | Targets the 20% of vendors who drive 80% of the spend and addressable rebate |
| 3. Speed-led enrollment pilot | 5-8 | Approach top 20-30 vendors with one pitch: "Get paid in 48 hours instead of Net 30, no AR follow-up needed." Skip the rebate explanation entirely | The faster-settlement frame is the only one suppliers actually trade interchange for |
| 4. Onboarding gate | 9-12 | Add a payment-method preference field to your vendor onboarding form, with virtual card as the default | Catches every new vendor at the leverage moment, before AR routing locks in |
| 5. Renewal escalations | Ongoing | Tag holdout high-spend vendors for procurement-led conversations at contract renewal | Reopens the conversation when the vendor has something to lose |
The number to track is not rebate dollars. It is percentage of fraud-exposed spend converted from check, wire, or ACH credit to virtual card. Programs that hit 50%+ on this number reach the rebate ceiling as a byproduct. Programs that optimize for rebate dollars chase the wrong metric and stall at 18%.
This rollout assumes you have invoice extraction wired into your AP stack — duplicate detection, approval routing, and structured payment data flowing into card authorizations. Without that, virtual cards become a parallel manual process, and you will not get to 50%.
When virtual cards do not make sense
The honest no-fly list:
- Recurring high-spend vendors who refuse the interchange. Commercial rent, large software contracts, payroll-adjacent services. Stay with ACH and put the budget into ACH-specific fraud controls.
- One-off micro-payments under $500. Authorization costs and reconciliation overhead exceed the rebate. Push to a corporate card or ACH.
- International suppliers without commercial card acceptance. Most B2B virtual card networks (Visa, Mastercard) cover US and EU well, but coverage thins out in LATAM and parts of APAC. Cross-border ACH or wire stays the cleaner option there.
- Vendors with sub-5% gross margins. Even with CEDP-qualified rates, 2% interchange is a quarter of their margin. They will say no, and pushing harder costs you the relationship.
The takeaway
The CFO who frames virtual cards as a rebate program loses. The supplier conversation never gets past the interchange objection, and the program plateaus at the bottom 20% of spend where rebates are smallest anyway.
The CFO who frames virtual cards as fraud control — with a yield kicker and a supplier-side cash-flow benefit — gets to 50%+ spend coverage. The rebate dollars show up automatically once the volume scales, and the line item on the board deck nobody is talking about is the 90% drop in the fraud attack surface on the converted spend.
Virtual card payments in accounts payable are not a treasury optimization. They are a security control with a treasury optimization attached. Sell them that way and the program scales.
Related reading
Related Topics
Ready to automate your invoices?
See how Ken can extract invoice data in seconds, right in Slack. No credit card required.