/
15 minute read
June 30, 2022

Building Your Managed By Marqeta Card Program

With Managed By Marqeta (MxM) card program configuration, Marqeta manages your program for you, providing a full-service experience and configuring most of the critical resources required by your production environment.

This page summarizes the processes and requirements for engaging with Marqeta for your Managed By program.

Launching an MxM program

Marqeta manages the following primary tasks related to launching a production card program:

  • Providing bank partners to act as Bank Identification Number (BIN) sponsors

  • Approving and managing the program with the card network/scheme

  • Approving and managing the program with the issuing bank

  • Ensuring program compliance with regional regulations

  • Ensuring program compliance with bank and card network mandates

  • Configuring the customer processing environments

  • Configuring funding methodology

  • Providing API access (controls, user management, etc.)

  • Processing card network/scheme events (authorization, clearing, etc.)

  • Fulfilling cards

  • Managing Know Your Customer (KYC)

  • Managing card inventory and fulfillment providers

  • Managing tokenization with the card network

  • Engaging with the digital wallet providers

  • Providing Tier II technical support

  • Sending daily card network reporting files to the issuing bank

  • Reconciling with the card network

  • Monitoring transactions (fraud, anti-money laundering, etc.)

  • Managing disputes

During your integration with Marqeta, you or a third party need(s) to stand-up and build infrastructure to process notifications and interactions with the Marqeta API. The minimum requirements for an integration with Marqeta are outlined below.

  • A webhook endpoint that receives and parses all events and responds with a 200 response within five seconds of acknowledging an event receipt. Data sent to the endpoint supports direct reconciliation and ledger management.

  • A platform that manages your card program through Marqeta’s APIs, such as card products, velocity controls, and Commando Mode (if applicable).

  • If your program includes Just-in-Time (JIT) Funding, a gateway endpoint that receives Gateway JIT requests and provides responses that approve or decline authorizations within a three-second time window.

Launching an MxM Program Step 1 — Prototype in your public sandbox

It is highly recommended that you start development in your public sandbox to familiarize yourself with the Marqeta platform and its object models.

When you are sufficiently comfortable with the platform, contact your Marqeta Business Development Representative to initiate the sales process.

Launching an MxM Program Step 2 — Develop in your private sandbox

When you have an approved card program configuration and the IP addresses for your private sandbox are on the allow list, Marqeta can then issue keys to your private sandbox, enabling you to begin development on your program.

Launching an MxM Program Step 3 - Configure your production environment

After creating the basic components of your card program in your private sandbox environment, simulating transactions, and completing integration certification, Marqeta configures your production environment.

Launching an MxM Program Step 4 - Go live

As referenced in the signed contract, your card program configuration is now considered to be in "go live" state.

Launching an MxM Program Step 5 — Launch

You have successfully started the production development of your card program configuration and have been cleared for launch.

Sales process

Your contact with Sales begins with the Marqeta Sales Development Representative who inquires about your use case to determine if there is a fit with the Marqeta platform.

Sales Process Step 1 — Sales engagement

You will be introduced to a Business Development Representative who will start a pricing and feasibility assessment.

Sales Process Step 2 — Solutions engineering consultation

Engaging with a Solutions Engineer provides a solid starting point for integrating with the Marqeta platform.

The level of detail your Solutions Engineer goes into here depends on the nature and complexity of the card program you are developing. Typical outcomes include:

  • Understanding and scoping your card program to provide you with an overview of how Marqeta’s products and capabilities can best serve you.

  • Developing sequential diagrams for end-user onboarding to the Marqeta platform, as well as transactional and funding flow diagrams.

  • Assisting you with delivery resource preparation and technical development.

  • Being your development team’s initial point of contact for all technology and product questions.

This is a great opportunity to benefit from Marqeta’s in-depth expertise and established best practices while getting started.

A final agreed-upon card program configuration is documented in a Statement of Work in Sales Process Step 3 as you move through the onboarding process.

Sales Process Step 3 — Proposal / SOW

Marqeta generates a proposal or Statement of Work (SOW) that provides clarity and transparency to the engagement. The SOW describes the card program configuration, as well as the responsibilities of both parties, the associated pricing, and the project timeline.

Sales Process Step 4 — Signed contract

Marqeta prepares a Master Service Agreement (MSA) based on the SOW. After you and Marqeta have signed the MSA, the due diligence and integration verification processes begin.

Due diligence

Before you can operate in the payments space with Marqeta, Marqeta must collect information about your business to assess your company’s practices and overall health in a process known as due diligence. The due diligence process gives Marqeta context about your company and your program, including legal documents (e.g., articles of incorporation), financial statements, and policies/procedures (e.g., information security policy).

Marqeta facilitates the necessary research and approvals, then communicates directly with the issuing bank, card network, and any other regulatory bodies as appropriate.

Due Diligence Step 1 — Pre-screen questionnaire

The optional pre-screen questionnaire helps Marqeta know more about your company. The questionnaire focuses on the following aspects of your business:

  • Business contact information, standing, legal entity

  • Compliance and licensing information

If you are a privately owned company (i.e., not traded publicly), you must also provide:

  • Controlling officer information

  • Principal ownership information

  • Banking information, if Marqeta is the Program Manager

For businesses identified as higher risk, additional documentation may be requested as part of the pre-screening process.

Due Diligence Step 2 — Bank and card network approval

In this step, you submit documents to Marqeta so that the issuing bank and card network can review and approve your request to work with them. It is important to submit the requested documents quickly.

As the Program Manager, Marqeta will begin coordinating and receiving bank and card network approval as soon as you provide a complete due diligence package.

Below are the documents and information you must provide as part of this step.

Due Diligence Requirement Description

Articles of Incorporation*

For US locations, the articles of incorporation show when your company was founded, along with basic information about the business. You can retrieve these documents by contacting the office that handles business registration in your state (typically the Secretary of State).

For businesses based in Canada, you may provide a Certificate of Incorporation instead.

Two years financial statements (audited preferred)*

Your financial statements help Marqeta establish confidence that you can fund transactions and will be accountable for the payments Marqeta processes. Marqeta requests audited financial statements to confirm that they are accurate and certified.

Business continuity/disaster recovery policy

Since you provide the interfaces to your customers (e.g., the end-user application and customer support), your card program becomes unavailable when your systems are down. These policies help Marqeta better understand your operations, in the event that your systems become unavailable.

Examples of what Marqeta might need to know include:

  • If you have documented policies and procedures.

  • If you have redundant data center operations.

  • If you outsource data center operations (and to whom).

  • If you outsource customer-facing functions such as customer support.

If you are using Cardholder Support Services from Marqeta, the disaster recovery policy will be a Marqeta responsibility.

Data security policy

These policies help Marqeta confirm that your customers' data is maintained securely. Inappropriate data access (i.e., a breach) can impact Marqeta and the issuing bank.

Examples of what Marqeta might need to know include:

  • How you protect sensitive information.

  • How you limit access to sensitive information for employees, contractors, and third parties.

  • If you conduct background checks on persons who will have access to sensitive information.

  • The process you follow to revoke access to systems for terminated persons.

Proof of insurance

Marqeta requires documentation of your liability, cyber, and/or errors and omissions coverage, as specified in the Master Service Agreement (MSA).

Third-party service providers

Provide a list of any third-party service providers involved in any part of your card program, including customer support, website/mobile app development and management, and network/technical support.

If these service providers have access to sensitive card or customer personal identification information, Marqeta may need to review their business to ensure they have the proper security controls in place to protect that information.

Pending litigation

If you are engaged in any pending litigation or other regulatory action that could have a material impact on your business, you must provide a summary of the action, including the possible business impacts.

Policy documents

If Marqeta is the Program Manager, you need to provide the below policies for review:

  • Anti-Money Laundering (AML) policy and procedures.

  • Customer Identification Program (CIP) / Know Your Customer (KYC) policy and procedures, if applicable.

  • Payment Card Industry (PCI) Data Security Standard (DSS) Attestation of Compliance (AOC), if applicable.

  • Fraud prevention policy.

  • Business continuity/disaster recovery policy.

  • Anti-human trafficking policy.

  • Regional-specific policies like Personal Information Protection and Electronic Documents Act (PIPEDA).

Additional information

Marqeta may have follow-up questions, based on what you provide, and request additional information.

*Not required for publicly traded companies or federally regulated financial institutions.

Due Diligence Step 3 — Documentation verification

A certified environment is part of the path toward production readiness. To certify your environment, Marqeta will review the information provided in previous steps, including:

  • Information security checklist

  • Business continuity/disaster recovery addendum

Additionally, if Marqeta is the Program Manager, you must also provide the latest PCI DSS AOC.

At this point, you have completed due diligence, your integration is certified, and you are ready to complete business readiness by setting up your program funding account.

Security verification

For all Marqeta customers, security is viewed as an ongoing relationship rather than a one-time check.

Security Verification Step 1 — Security assessment

The security assessment starts with a checklist to verify that your integration architecture is compliant with Marqeta guidelines. As part of the integration verification, Marqeta’s Security Team scans your private sandbox IP addresses to confirm a secure connection and to highlight any risks that need to be resolved.

Security Verification Step 2 — Comprehensive security scan

You supply the Marqeta Security Team with production IP addresses. The Marqeta Security Team performs a comprehensive security scan of your IP addresses within five business days.

  • If the scan is successful, your production IP addresses are added to the Marqeta firewall.

  • If vulnerabilities are discovered, Marqeta will provide you with corrective measures and guidance on the specific changes you need to make to secure your environment. Contact Marqeta to repeat Security Verification Step 2 after applying these measures.

Integration verification

Marqeta drives your integration by gathering key data points about your program that describe how you will leverage the Marqeta platform to build your card program and serve your customers. It’s vital that you review these data points to confirm their accuracy.

Marqeta provides best practices and ways to resolve potential issues so you can configure the Marqeta platform to best solve your business needs.

Integration Verification Step 1 — Technical advisement

By this step, you should have started the due diligence process. As you set up your integration with the Marqeta platform, a Marqeta Integration Engineer will provide customized recommendations for your card program such as the examples below:

Feature Travel / Supplier Payments Expense Management

Card product

  • Virtual

  • Single use

  • 30-day expiration

  • Max spend: $5,000/txn

  • Load limit: $20,000/txn

  • US only

  • Physical

  • Reloadable

  • 4-year expiration

  • Max spend: $5,000/txn, $20,000/month

  • US and Canada only

Address Verification System (AVS)

Enabled, decline on postal code mismatch and on address mismatch

Enabled, decline on postal code mismatch, do not decline on address mismatch

User and card structure

Flat, user/card 1:1 = each user will have a card, user will include address for end user whose bill is to be paid

Parent:child, business object = downstream customer, child object = employees of the business who are authorized users

Card ordering and activation

Activate upon issue

Fulfilled via full-service mail with personalized carriers, to be activated via Interactive Voice Response (IVR) or in-app

Card presentment

No human presentment, only machine to machine

Human presentment

Funding

Managed JIT, creating velocity controls for max spend at card creation

Gateway JIT, injecting decision logic into the authorization process

Default authorization control behavior

Deny all, add specific Merchant Category Code (MCC) in the travel space to the allow list

Allow all, add the issuing bank’s MCC list to the deny list

Integration Verification Step 2 — Private sandbox access

After you complete the technical advisement process, Marqeta configures your private sandbox environment, provides you with access keys, and adds your system’s IP addresses to the allow list. If you need to use Payment Card Industry (PCI) compliant widgets or the Marqeta.js library, Marqeta provisions them for you at this time.

Integration Verification Step 3 — Onboarding checkpoints

Throughout the early stages of the development process, your Marqeta Integration Engineer holds weekly onboarding checkpoint meetings with you and other stakeholders.

During this time, you should be creating the basic components of your card program. The table below lists who is responsible for some common tasks.

Task Responsible Party

Creating and configuring card products

Marqeta

Creating and managing users

You

Creating and managing cards

You

Creating and managing spend controls at the card product level

Marqeta

Creating and managing user controls

You

Integration Verification Step 4 — Simulating transactions

At a minimum, Marqeta expects you to simulate the following transactions before proceeding to final review.

Simulation Endpoint and Method

Create 50 users and cards

POST /users
POST /cards

Simulate 15 authorizations

POST /simulate/authorization

Simulate 15 clearings

POST /simulate/clearing

Simulate 15 reversals

POST /simulate/reversal

For more information, see Users, Cards, and Simulating Transactions.

Integration Verification Step 5 — Integration certification
Just-in-Time (JIT) Funding certification
Note
A JIT Funding review is only required for card programs that include JIT funding.

Certification is a critical step when integrating with the Marqeta platform. This is when your Marqeta Integration Engineer verifies that transactions are being authorized correctly through the gateway.

Marqeta will work with you to create data in your private sandbox that is required to complete the JIT Funding certification tests. Technical team members from both Marqeta and your team should be available to troubleshoot any issues that arise.

The table below lists who is responsible for JIT Funding Certification Test tasks.

Task Responsible Party

Providing details about your gateway endpoint for the private sandbox and production environments

You

Configuring gateways and card products

Marqeta

Examining test case responses

Marqeta

Conducting test authorizations against your private sandbox gateway endpoint

Marqeta

Creating test users and cards by card program configuration

You

Conducting clearing transactions to be sent to your webhook endpoint

Marqeta

Integration Verification Step 6 — Production configuration

Marqeta configures your production environment with the approved configurations from your private sandbox environment.

Integration Verification Step 7 — Environment review

Marqeta certifies your readiness to proceed by answering questions such as the following:

  • Have all configurations been implemented correctly?

  • Have you successfully simulated the necessary transactions?

  • Is the default authorization behavior correct?

  • Are the active card limits correct?

  • Does your card product have the correct funding source (if you are using JIT Funding)?

  • Are you adhering to the expected KYC behaviors?

  • Are all necessary PCI compliance widgets and Marqeta.js deployed as expected?

  • Does your cardholder account reflect the correct parent and child hierarchy?

Marqeta completes a comprehensive security scan of your production IP addresses, reserve funding, and card fulfillment. After you successfully pass the certification, as well as complete all Due Diligence and MSA requirements, Marqeta provides you with production credentials to transition your card program configuration to a live environment.

Integration Verification Step 9 — Production validation testing

Your Marqeta Integration Engineer will assist you with performing testing in your live environment, focusing on authorizing and clearing transactions.

A few tasks remain before your program is ready to launch:

  • If your card program includes either physical or virtual cards that need to be displayed, you must produce and approve the card art in accordance with the card network and issuing bank guidelines.

  • If your card program includes physical cards, you may want to schedule fulfillment orders to be able to reliably distribute cards to your cardholders.

Business readiness

You work on business readiness in parallel with development and throughout your engagement with Marqeta. As soon as your card program has been approved, you can begin Business Readiness Step 1 to prepare your card art.

With approved card art, you are ready to put the finishing touches on your card program before you go live.

Business Readiness Step 1 — Card art preparation

All card art that appears on physical or virtual cards must be approved, based on guidelines specified by the card networks and issuing banks. Approval of proposed card art involves validating details such as the placement of the card network logo, the Primary Account Number (PAN), and the cardholder name, as well as the card orientation, color selection, terms, and contact numbers.

If Marqeta is your Program Manager (or you are using Marqeta for the card fulfillment service), your Marqeta Integration Engineer will coordinate on your behalf with the issuing bank, card network, and fulfillment partners to ensure that the card art is approved and ready for printing.

Business Readiness Step 2 — Card fulfillment and management

If your card program offers physical cards, a representative from Marqeta’s Card Fulfillment team will work with you and our card providers to ensure you are satisfied with the printed card proofs and have sufficient card inventory on hand to keep pace with your card issuing needs.

Business Readiness Step 3 — Reserve funding

Before a card program can accept live transactions, you must configure a reserve funding source and a program funding account at your issuing bank. The due diligence process guides you through the paperwork and instructions to set this up correctly.

If Marqeta is your Program Manager, your Onboarding Manager will coordinate on your behalf with the issuing banks to ensure that the program funding account is created, funded, and continues to maintain sufficient funding so your card transactions are processed.

Join our developer newsletter