displaying sensitive card data (card number, CVV2 and PIN) to a customer
I am trying to display card details to users, but the documentation of the service I am getting the cards from suggested the
VGS Show JavaScript library
But this library is very complicated and hard to use.
I just want to display it plain in a div, etc.
So I just need an opinion: how do you handle such cases?
Do you just read the cards from the API and display them straight, or how exactly do you approach such cases?
13 Replies
oh boy
1. try and not handle CC data if you can
2. I imagine PCI compliance will dictate what to do here
I would try and have the API return what I wanted to show to the user (i.e. a PAN)
is this an input field for the customer? if so, take a look around at what other solutions are doing (load up your favourite website and make a payment and see how they handle it)
even better, make a charitable donation 😄
I am not handling or collecting payments
I am just plugged in to display an already issued card
oh then yeah 100% just show the pan
you do not want PCI on your ass
(maybe you're PCI compliant, but as I said, I imagine those regulations would tell you what to do here)
What's PAN?
How will PCI know 🤔
https://www.investopedia.com/terms/p/primary-account-number-pan.asp
what I actually meant was to show the first and last 4 digits of the PAN (like you see in a lot of apps)
Ok
So I can show the PAN first and last 4 with PCI issues
But if you must show the full card details, it must be PCI compliant
I agree with Alex: if they want to see full details, I would probably direct them to go to their account for that service. When it comes to PII I always think worst case scenario rather than "how will they know"
To me, I see it all as formalities
Because basically I am not storing the cards in my database; all I am doing is reading them out to the user that owns them
And it's on the web so basically everything can be gotten even if it was passed through the vault
How are you retrieving the data then?
API calls
Can I store the masked PAN directly in my database?
Just the masked PAN and expiry date
Example
API calls to what? If you’re directly using card data then you must be PCI compliant, right?
Should be able to, but you can’t use that to make purchases
Payment providers may have the option for a “token” which represents a card; you store that token in your database along with the PAN and then you can use the token to make payments to the saved card. (Regulations and laws may make it different, so I’d consult your security and privacy teams at your work)
As a developer or website owner you should not have access to a credit card number of a customer unless through a 3rd party component that you host.
You certainly shouldn't store it.
Ok thank you all for your contributions