You can retrieve virtual card details via the Dashboard or via the API. PCI-DSS rules protect cardholder data. For PCI-DSS compliance, we recommend limiting retrieval of virtual card information to the dashboard. If the API is used to retrieve card information, or if virtual card information is exported from the Dashboard, the information should be stored in a password manager or otherwise encrypted.
You can retrieve both the full unredacted card number and CVC from the API. For security reasons, you can only use these fields with virtual cards in live mode, and we omit them unless you explicitly request them with the expand property. You can only retrieve these fields for physical cards in test mode. Additionally, you can only access them through the Retrieve a card endpoint.
Details about PCI-DSS
If you are generating virtual cards for your own use, you are not required to attain PCI-DSS compliance for Issuing activity. If you are generating virtual cards for use by your users, you may be considered a Service Provider under PCI-DSS rules. Service Providers must be PCI-DSS compliant.
If you accept payments through Stripe, read more about your PCI-DSS obligations. These obligations are in addition to requirements noted above.