Employee Cards on a Business Credit Card

An employee card is an additional card issued on an existing business credit-card account, with the employee's name embossed on the card and the card linked to the same credit line and the same legal account as the primary cardholder's card. It is not a separate account, a separate credit line, or a separate legal obligation. From the issuer's perspective, every transaction on every card on the account contributes to the same balance, and that balance is owed by the account holder.

Most business-card products issue employee cards at no additional cost or at a modest annual fee per card. The application typically requires the employee's name and (depending on the issuer) date of birth and last four digits of the SSN for KYC purposes. The credit-bureau implications for the employee are usually minimal; the account does not appear on the employee's personal credit report under most issuers' policies, because the employee is not the legal cardholder. The card is the company's card, issued in the employee's name for convenience.

This structure is mechanically different from a joint personal credit-card account (where two consumers share legal liability for the balance) and from an authorized-user designation on a personal credit card (where a user is authorized to transact but the account is owned by one person). On a business card, the account is owned by the entity (and personally guaranteed by the owner, on most small-business products); the employee is an authorized user with operational permission to transact on the company's credit.

Joint-and-several liability with the account holder

The legal architecture of an employee card. The entity owns the account. The personal guarantor (typically the owner) has guaranteed the balance. The employee uses a card linked to the account. When the employee charges $5,000 of plane tickets to the card, that $5,000 is part of the entity's balance, and the personal guarantor is on the hook for it just like any other charge on the account.

The implications for the account holder are real. If the employee makes an unauthorized charge (a personal expense, a transaction in violation of company policy, a transaction with a vendor the employee was not authorized to engage), the charge still posts to the account and the account holder still owes the issuer. Recovery from the employee is an internal matter (payroll deduction, civil suit, criminal referral if the misuse rises to embezzlement), but the issuer does not pause the obligation while the recovery is in progress. The site's personal-guarantee reference covers the legal structure of the guarantor's exposure in more detail.

The chargeback question is similarly weighted toward the account holder. If a vendor over-charges or fails to deliver, the cardholder can file a chargeback through the issuer; the dispute proceeds through normal channels. But if the dispute is "this charge was on a card my employee was authorized to use, and the employee shouldn't have made it," that is not a chargeback the issuer will process. The vendor delivered the service the employee bought; the dispute is between the cardholder and the employee, not between the cardholder and the vendor.

Best practice for any business with multiple employee cards is to have a written card-use policy, to require the employee to acknowledge it in writing, and to enforce it consistently. The policy is the cardholder's primary recourse if employee misuse becomes a payroll-deduction or civil-suit question.

The Regulation E exclusion for business accounts

Regulation E implements the Electronic Fund Transfer Act and provides extensive consumer protections for electronic transactions on consumer accounts, including liability limits for unauthorized transactions on personal debit cards. The regulation's scope, however, is explicitly limited to accounts established primarily for personal, family, or household purposes. Business accounts are excluded.

The consequence. The $50 maximum liability for unauthorized transactions on consumer debit cards, the 60-day window for reporting unauthorized transactions, the mandatory issuer-investigation procedures, and the other Reg E protections do not apply to business debit cards or to business credit cards. The legal floor for cardholder protection on business cards is set by the card agreement plus general contract law, not by Reg E.

Some issuers extend Reg-E-like protections voluntarily to business-card customers as a competitive matter, and many issuers honor unauthorized-charge disputes generously even on business accounts. The voluntary protections vary by issuer and are not statutorily required. The card agreement language is the operative source for what the issuer commits to.

The CARD Act, similarly, does not extend most of its consumer-protection provisions to business credit cards. The site's CARD Act and consumer protections reference covers the scope-of-coverage question in detail. For business cards, including business cards in the hands of employees, the legal protections are weaker than consumers might assume from their experience with personal cards.

Per-card spending controls

Modern business-card platforms support a range of per-card controls that let the account holder limit what each employee card can do. The control surface varies by issuer; fintech corporate-card platforms tend to offer the richest controls, and traditional bank-issued business cards have a narrower set.

Per-card spending limit. Set a monthly or per-transaction dollar cap on each card. The cap is enforced at the network level; transactions above the cap are declined at the point of sale. This is the most basic and most universally available control.

Merchant-category restrictions. Allow or block transactions in specific Merchant Category Codes (MCCs). An employee card limited to office-supply, software, and travel MCCs cannot, for example, be used at a casino or a liquor store. The control is precise at the MCC level but does not understand the substantive merchant (a transaction at a hotel can be a legitimate business expense or not, depending on context).

Vendor allowlists / blocklists. Some platforms allow per-card restrictions to a specific list of approved vendors, identified by their merchant ID. An employee card dedicated to advertising spend might be limited to Meta, Google, and TikTok merchant IDs and decline all other transactions. This is tighter than MCC restrictions but requires more setup.

Geographic restrictions. A few platforms allow per-card restrictions by country or region. An employee card intended for domestic-only use can be set to decline foreign-currency transactions.

Time-bounded enablement. Some platforms allow per-card on/off scheduling, useful for cards issued for a specific trip or project. The card is active only during the relevant window and is automatically deactivated after.

For organizations with meaningful employee-card programs, the per-card controls are usually the right enforcement mechanism for the company's spending policy. Policy without enforcement relies on the employee's discretion; enforcement at the card level reduces the burden on management to police every transaction.

Virtual cards for one-time vendor payments

A virtual card is a card number generated on demand by the cardholder portal, with its own card number, expiration, and CVV, that draws against the same underlying credit line as the primary account. Virtual cards typically support all the per-card controls described above, applied per-virtual-card.

Standard use cases. A one-time vendor payment where the vendor will retain the card on file (the cardholder can issue a virtual card with a limit equal to the one-time charge plus a small buffer, then revoke the virtual card after the charge posts, eliminating the vendor's ability to charge the card again in the future). A subscription where the cardholder wants per-subscription separation in the books (one virtual card per SaaS subscription makes the recurring charge easy to identify and cancel). An online purchase from a less-trusted site where the cardholder wants to limit the blast radius if the card data is compromised. A per-project or per-campaign card where the limit doubles as a budget cap.

The economics. Virtual cards typically carry no per-card fee on the fintech corporate-card platforms that support them; unlimited issuance is the standard offering. On bank-issued business cards, virtual-card support is less universal and sometimes has setup friction.

The risk-reduction case is strong enough that many practitioners default to virtual cards for all online and recurring vendor payments, reserving the physical card for in-person purchases. The cost is a small operational discipline (issuing a virtual card before each new vendor relationship); the benefit is that no single vendor ever holds the primary card data, and any vendor that becomes a problem can be revoked at the virtual-card level without disrupting other accounts.

An internal card-use policy worth writing

For any business issuing more than one or two employee cards, a written card-use policy serves both as employee guidance and as the cardholder's documentation of expectations. A few elements worth including.

Permitted uses. The category of expenses the card is intended for, with explicit reference to the IRS standard (ordinary and necessary business expenses). Examples of permitted and prohibited uses.

Substantiation requirements. The standard for receipt-keeping and business-purpose documentation (the IRS $75 receipt threshold is one reasonable starting point). The expense-report system the employee uses to submit substantiation.

Spending limits. The per-transaction limit, the monthly limit, and the approval threshold for transactions above some dollar amount.

Prohibited uses. Personal use, cash advances, gift-card purchases (frequently a fraud vector), and any other categories the business wants to exclude.

Lost/stolen card procedure. The employee's obligation to report the loss immediately, and the contact information for the issuer's lost-card line.

Misuse consequences. What happens if the employee makes an unauthorized charge: repayment requirement, payroll deduction authorization (with attention to state wage-deduction law, which varies), and potential disciplinary action up to termination.

Termination procedure. The acknowledgment that the card must be returned and deactivated on separation, that any remaining personal-use exposure remains the employee's debt, and that the employer reserves all collection rights.

A signed copy of the policy in the employee's file is the cardholder's primary documentation if a misuse problem becomes a recovery problem. The site's business expense tax basics reference covers the IRS framework that informs the substantiation portion of the policy.

Offboarding when an employee leaves

The card-management offboarding for a departing employee is operationally simple if done promptly and operationally awkward if delayed.

Deactivate the card on the last day. Most platforms allow the admin to deactivate a specific card from the cardholder portal in seconds. Deactivation prevents new transactions but does not affect transactions that have been initiated but not yet posted. Pending transactions at deactivation continue to post.

Collect the physical card. The card belongs to the company; the employee should return it on separation. Destroying the card visibly (cut through the chip, the magnetic stripe, and the card number) is the standard practice. A retained but deactivated card is a minor risk surface if the deactivation is ever reversed in error.

Review recent activity. Pulling the last 30-60 days of card activity on the departing employee's card before the final paycheck is processed lets the employer identify any unauthorized charges that should be reconciled against the final settlement. State law on wage deductions varies; an employee's signed acknowledgment of the card policy (with explicit authorization for deduction of card misuse from final pay) strengthens the employer's position if a deduction is contested.

Consider line-size review. If the departing employee was a significant share of the account's spend pattern, the cardholder may want to request a credit-line review (up or down, depending on whether the spend is being redistributed to other cards or genuinely reducing).

Re-issue replacement cards if needed. If the departing employee was the only authorized user on some recurring vendor accounts, the cardholder needs to update those vendor accounts to a different card before the next billing cycle, or the recurring charges will decline. A 30-day audit of the departing employee's recurring transactions catches the obvious ones.