You can retrieve virtual card details via the Dashboard or via the API. PCI-DSS rules protect cardholder data. For PCI-DSS compliance, we recommend limiting retrieval of virtual card information to the dashboard. If the API is used to retrieve card information, or if virtual card information is exported from the Dashboard, the information should be stored in a password manager or otherwise encrypted.
You can retrieve both the full unredacted card number and CVC from the API. For security reasons, these fields are only available for virtual cards and will be omitted unless you explicitly request them with the expand property. Additionally, they are only available through the Retrieve a card endpoint.
Details about PCI-DSS
If you are generating virtual cards for your own use, you are not required to attain PCI-DSS compliance for Issuing activity. If you are generating virtual cards for use by your users, you may be considered a Service Provider under PCI-DSS rules. Service Providers must be PCI-DSS compliant.
If you accept payments through Stripe, read more about your PCI-DSS obligations. These obligations are in addition to requirements noted above.