What card controls should every program have - limits, MCC restrictions, locks, and expiry?

Hard-block what is never legitimate (cash advances, gambling, clearly personal categories) and what is structurally risky (spend over the pre-approval threshold without an approval attached). Soft-flag what is usually legitimate but worth a look - out-of-pattern merchants, weekend spend, near-limit velocity. The test: if a false positive would strand an employee mid-trip, it should flag; if a false negative would embarrass you in an audit, it should block.

Every merchant has a four-digit category code assigned by its acquirer; MCC restrictions allow or block authorizations by category at the network level, before the transaction completes.

Cash advances and quasi-cash, gambling, dating, crypto, jewelry, and money transfer - categories with no plausible business purpose for most companies. Everything else is a per-program judgment.

Merchants are sometimes miscategorized by their acquirer. Handle it with a fast exception path (temporary category unblock or a one-time approval) rather than loosening the rule globally - and merchant-lock recurring offenders so the rule doesn't touch them.

Per-transaction caps catch single large purchases; daily caps catch velocity (including split transactions); monthly caps bound total exposure. Layer all three on expense cards; AP cards sized to a specific approved purchase need only the transaction-level control.

Real-time controls evaluate the authorization itself - limit, merchant, category, rule - and decline violations before money moves. After-the-fact review finds problems weeks later, when the only remedies are awkward: repayment requests and policy emails.

Set expiry dates at issuance (project end, contract end, a default 12 months), and pause on inactivity - 60 - 90 days dormant is a reasonable trigger. Reactivation should be a request, not automatic.

A control restricting a card to a single supplier, by merchant identifier rather than category - the strongest structural control available for recurring vendor and subscription cards.

Day one: limits, default MCC blocks, expiry, real-time declines. As the program matures: pre-approval thresholds, budget-linked controls, receipt-required rules, and velocity/anomaly alerting.

The control checks remaining budget at authorization and declines when it's exhausted, which converts the budget from a report into a constraint. It requires the card platform to know budgets - which is an argument for cards living inside the spend workflow rather than beside it.

Use trip-aware adjustments: a temporary geographic allowance and raised velocity threshold scoped to travel dates, reverting automatically. Tuning means narrowing the rule's scope, not deleting it.

AP cards: locked to vendor and amount - the approval already happened. Expense cards: layered limits, MCC blocks, receipt rules. Executive cards: same rules as everyone (the cultural signal matters more than the dollar risk), with higher limits where genuinely needed.

Table stakes: limits, MCC blocks, instant freeze, virtual issuance. Differentiated: approval-before-spend tied to an actual request workflow, pre-coded GL inheritance, budget-linked declines, and receipt-compliance rules that affect card behavior.

Stampli Card enforces spending limits by cardholder, merchant category, or vendor, configured by finance at issuance - controls are set before the card exists, not retrofitted after spend appears. Because transactions post in real time into approval workflows, review happens continuously instead of at statement close.