The Payment Card Industry Security Standards Council (PCI SSC) has defined a set of global security standards that define how card information can be processed and stored. You can read more about PCI DSS Compliance in our docs page.
There are various use cases for which you may need to obtain the full card information, such as the card number (PAN), CVC, Expiry Date or a card’s PIN code. One example could be for your Cardholders to obtain the card information in order to complete payments in an Ecommerce setting, or for the Cardholder to obtain the PIN code to complete in-person payments with their card. Another example is that you issue a one-time use virtual card, in which you provide the card information to a supplier to perform a business payment.
Because of the strict rules defined around how to process and store card data, by default Adyen does not share card information of your Cardholders. Should you require the card information, Adyen offers the Reveal API. This is an API integration and component on your website or application (the “client side”), that allows you to communicate sensitive card data to your Cardholders in an encrypted fashion. Your internal systems will not be able to read the card information, the information can only be decrypted on the client side. Hence, you reduce the risk of inadvertently storing or processing card information against the rules set by PCI.
Should you use a one-time-use virtual card model, the rules are less restrictive, and depending on your use case Adyen may be able to communicate card information to you directly during card issuance. This can be discussed with your Adyen contact.
This document should only be used for guidance purposes, and should not be taken as definitive advice. You should always consult your acquirer or a PCI DSS Qualified Security Assessor (QSA) for clarification.