The unique risk profile of card issuance
Most fintech security assessments focus on protecting the balance. Virtual card security assessments focus on protecting the credential. A card number, CVV, and expiry date in an attacker's hands is a payment instrument. Unlike a bank account where a transfer requires a beneficiary name and account number, a card credential can be used on any e-commerce platform worldwide without knowing who you are attacking. The attacker does not need to know the victim's identity to spend their money — they only need the three fields printed on the card.
This changes the remediation urgency. A leaked wallet balance requires a social engineering attack to move funds. A leaked card credential requires a shopping session. The window for damage is measured in minutes, not days.
1. Card detail revelation endpoint authorization
PCI DSS requires that card numbers be masked in transit and at rest, with the full PAN only accessible through a dedicated, separately authenticated reveal flow. We test the entire card management API surface for any endpoint that returns unmasked card data in its standard response. Common findings include card listing endpoints that return full PANs in array responses, account summary endpoints that include the card object with all fields populated, and notification webhooks sent to third-party systems that include full card details in the payload.
2. Cross-user card access via BOLA
Virtual card APIs are typically organized around a card ID. We test whether an authenticated user can request the card details of a card belonging to a different user by substituting the card ID in the API request. This is the card-specific variant of Broken Object Level Authorization. If the card detail endpoint does not validate that the requesting user owns the card being queried, any user can retrieve any other user's card credentials by iterating through card IDs.
# Test: authenticated as user A, request card belonging to user B
curl -H "Authorization: Bearer userA_token" \
https://api.cardplatform.ng/v1/cards/card_b7392/reveal
# If this returns user B's card number: BOLA confirmed, critical finding 3. Card provisioning authorization on the issuance API
Card issuance platforms expose an API that creates new cards. We test whether a user can create more cards than their account tier permits, whether card creation can be triggered without completing the required KYC step, and whether the card programme (Visa or Mastercard, debit or prepaid, dollar or naira) can be manipulated in the creation request to issue a card type the user's account is not entitled to.
4. Spending limit bypass and card control manipulation
Virtual cards typically have configurable spending limits and merchant category restrictions. We test the card control API for: ability to set a spending limit higher than the account balance, ability to remove merchant category restrictions that the platform requires for compliance, and ability to modify card controls on a card belonging to a different user. For corporate card platforms, we test whether an employee cardholder can modify limits set by their card administrator.
5. Card freeze and unfreeze authorization
Card freeze endpoints are often implemented with less authorization scrutiny than card detail revelation endpoints, on the assumption that freezing a card is a defensive action. We test whether a user can freeze another user's card (a denial of service attack), and whether the freeze state can be bypassed at the payment authorization layer by submitting a transaction while a freeze is being processed. The freeze-during-transaction race condition is a real exploitable window on platforms that process card transactions and freeze operations in separate threads without mutual exclusion.
Full card PAN returned in card listing endpoint response
During a security audit of a Nigerian virtual card platform, we called the card listing endpoint and inspected the JSON response. The response array included the full 16-digit card number for every card associated with the authenticated account. The endpoint was intended for displaying the last four digits in the UI, but the backend returned the complete PAN and the frontend simply displayed only the last four. Any script intercepting the API response received the full card number. Fix priority: critical. The card listing endpoint was also missing authorization on the card ID scope, meaning any authenticated user could call it with any user ID. Remediated by masking all PANs at the API layer and adding strict object-level authorization on all card endpoints.
Issuing virtual cards in Nigeria? Book a security assessment that covers PCI DSS requirements and card API authorization.
Book a Card Issuance Security AuditFrequently asked questions
What makes virtual card platforms more dangerous to breach than wallets?
A compromised wallet exposes the wallet balance. A compromised virtual card exposes the card number, CVV, and expiry date — credentials that can be used immediately on any online merchant globally that accepts Mastercard or Visa. The damage is instantaneous, irreversible (card transactions are cleared in seconds), and frequently undetected until the user's statement arrives.
What is card detail enumeration in an API?
Card detail enumeration occurs when a card management API returns full card details (16-digit PAN, CVV, expiry) in API responses where only the last four digits should be visible. We test every card detail endpoint to confirm that full card data is only returned in dedicated, separately authenticated reveal flows — not in standard card listing or account summary responses.
Do PCI DSS requirements apply to Nigerian virtual card issuers?
Yes. Any platform that stores, processes, or transmits cardholder data must comply with PCI DSS, regardless of geography. Nigerian virtual card issuers working with Visa or Mastercard are contractually required to maintain PCI DSS compliance as a condition of their card programme agreement. A breach that exposes card data can result in immediate programme termination by the card scheme.
Related reading
Blog: PCI DSS compliance in Nigeria · BOLA in financial APIs · Embedded finance security testing
Services: Penetration testing · API security