Skip to main content
Sometimes you need to show sensitive card data (PAN, CVC, expiry) to the cardholder. This page explains how to do that safely.
Treat PAN/CVC/expiry as highly sensitive. Never log it. Never store it unencrypted. Restrict access in your product to the cardholder only.

When you should retrieve sensitive data

Typical scenarios:
  • The cardholder wants to view card details inside your app
  • The cardholder needs to add the card to a wallet or use it for online payments

Safe handling principles

Don’t preload sensitive data in the background. Retrieve it on demand (for example after the user clicks Show card details).
Before showing sensitive data, verify the user with your own controls (for example: re-authentication, device binding, OTP, or biometric).
If you cache it in memory, keep it short-lived and clear it immediately after use.

Implementation details

For endpoint names, request/response fields, and examples, use the Cards API reference.