Stripe Issuing
Overview
Stripe Issuing lets you create virtual cards that can be used with the Mercoa Virtual Card Agent to process invoice payments securely.
Integration Setup
Enable Stripe Issuing in Stripe Account
To start using Stripe Issuing, ensure your Stripe account has it enabled:
- Log in to your Stripe Dashboard.
- Click Issuing from the left-hand menu.
- Complete the Issuing application process.
- Locate and save your publishable_key and secret_key.
Create Virtual Card
Create virtual cards for specific invoices:
This is just an example; refer to the Stripe Issuing documentation for more information.
API Integration
The Stripe Issuing integration with the Virtual Card Agent provides a secure, automated workflow for processing virtual card payments. This integration uses ephemeral keys and iFrame technology to ensure sensitive card data is handled securely.
How It Works
The integration follows a secure workflow where your Stripe virtual card is used to process payments through the Virtual Card Agent:
Process Flow:
- Create a Stripe virtual card with spending controls matching the invoice amount
- Call the Mercoa API with your card ID and ephemeral key endpoint configuration
- The agent uses your backend to generate a temporary ephemeral key
- Secure card data is retrieved through Stripe’s iFrame technology
- The agent completes the payment through the vendor’s payment gateway
- Receipt and confirmation details are captured for reconciliation
API Request Structure
When using Stripe Issuing with the Virtual Card Agent, your API request should include:
Field Descriptions
Card Details Object
Ephemeral Key Endpoint
Supported Variables
The postBody and headers templates support these variables, which are replaced with actual values:
- {{cardId}} - The Stripe card ID
- {{nonce}} - A unique nonce for this request
- {{accountId}} - Your Stripe account ID (if applicable)
Backend Implementation
Your backend needs to implement an endpoint that generates ephemeral keys. Here’s an example:
Ephemeral Key Response Structure
Your ephemeral key endpoint must return the ephemeral key secret in one of these formats:
Option 1: Object with ephemeralKeySecret property
Option 2: Object with secret property
Option 3: Plain string (the ephemeral key secret directly)
The ephemeral key secret must be a valid Stripe ephemeral key that was created for the specific card and nonce provided in the request.
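One way to implement the ephemeral key endpoint and return the Option 1 response format, as an added example (not code from the original page, Mercoa or Stripe). The request body and Authorization header shape, the card allow-list, the nonce pattern and the function names are assumptions; the Stripe call is the stripe Python library's EphemeralKey.create, with the API version left as a placeholder.

```python
import hashlib
import hmac
import re

# Assumed request shape (set in your postBody/headers templates, not defined by the page):
#   headers: {"Authorization": "Bearer <shared token>"}
#   body:    {"cardId": "{{cardId}}", "nonce": "{{nonce}}"}
CARD_ID_RE = re.compile(r"ic_[A-Za-z0-9]+")      # Stripe Issuing card IDs start with "ic_"
NONCE_RE = re.compile(r"[A-Za-z0-9_\-]{8,128}")  # assumed nonce alphabet and length


def stripe_create_key(card_id, nonce):
    """Real key creation; needs the `stripe` package and stripe.api_key set."""
    import stripe  # imported lazily so the handler logic runs without it
    key = stripe.EphemeralKey.create(
        issuing_card=card_id,
        nonce=nonce,
        stripe_version="YOUR_STRIPE_API_VERSION",  # placeholder, not a real version
    )
    return key.secret


def handle_ephemeral_key_request(headers, body, *, shared_token, allowed_card_ids,
                                 create_key=stripe_create_key, audit=print):
    """Return (http_status, json_body) for one request to the endpoint."""
    presented = headers.get("Authorization", "")
    expected = "Bearer " + shared_token
    # Constant-time comparison of the caller's credential.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return 401, {"error": "unauthorized"}

    card_id, nonce = body.get("cardId"), body.get("nonce")
    if not (isinstance(card_id, str) and CARD_ID_RE.fullmatch(card_id)
            and isinstance(nonce, str) and NONCE_RE.fullmatch(nonce)):
        return 400, {"error": "invalid cardId or nonce"}
    # Only mint keys for cards this backend issued for an open invoice.
    if card_id not in allowed_card_ids:
        audit(f"ephemeral_key denied card={card_id}")
        return 403, {"error": "card not eligible"}

    secret = create_key(card_id, nonce)
    # Audit the operation, never the secret itself.
    audit(f"ephemeral_key issued card={card_id} "
          f"nonce_sha256={hashlib.sha256(nonce.encode()).hexdigest()[:12]}")
    return 200, {"ephemeralKeySecret": secret}  # response format "Option 1"
```

Wire handle_ephemeral_key_request into your web framework's route handler, passing the parsed headers and JSON body; the audit callable should write to the same log used for other virtual card operations.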
Security Considerations
- Use ephemeral keys that expire quickly (typically within 1 hour) and are scoped to a single operation.
- Avoid storing card numbers. Your backend must not store or process full card data.
- Ensure PCI compliance by using Stripe’s iframe-based tokenization and minimal card data handling.
- Enable logging for all virtual card operations to maintain an audit trail for compliance and traceability.
Best Practices
🔐 Security
- Use one-time virtual cards with exact amounts.
- Set strict spending limits per card.
- Avoid storing card numbers directly.
- Monitor card usage in the Stripe Dashboard.
📊 Reconciliation
- Store transaction IDs from Stripe with invoice metadata.
- Use metadata to associate cards with invoices.
- Set up webhooks to track card lifecycle and usage.