Abstract

The rapid adoption of virtual cards in business-to-business (B2B) payments has created a complex digital ecosystem involving buyers, suppliers, issuers, acquirers, and increasingly, automated processing platforms. While virtual cards offer inherent security benefits, the ecosystem's interconnectedness and reliance on digital channels introduce a new and expanded attack surface. This paper presents a comprehensive threat model for this next generation of digital payments. Using the STRIDE framework, we systematically analyze the security threats inherent in the end-to-end virtual card lifecycle, with a particular focus on novel attack vectors targeting the automated data ingestion and processing stages of platforms like Visa AR Manager. Based on this analysis, we propose a multi-layered, defense-in-depth mitigation strategy. This strategy integrates foundational controls such as PCI DSS compliance, technical solutions including payment tokenization and secure API gateways, and advanced AI-powered fraud detection to create a resilient and secure virtual payment environment capable of withstanding modern threats.