Skip to main content

Security and PCI DSS Compliance

Why are card details masked?

Cartevo is compliant with the PCI DSS (Payment Card Industry Data Security Standard), an international regulation that ensures the security of bank card data. This compliance is essential to protect sensitive cardholder information. By default, sensitive card information (full card number, CVV, expiration date) is masked in all API responses for security and compliance reasons:
  • Data protection: Reduces the risk of accidental exposure of card information
  • Audit and traceability: All access to sensitive data is logged

Information masked by default

When you retrieve card details via the API, the following fields are masked:
  • number: The full card number is replaced with an encrypted token (e.g., tkMplr_eyJhbGci...)
  • cvv: The CVV code is replaced with an encrypted token
  • masked_number: Displays only the last 4 digits (e.g., **** **** **** 1234)

Revealing sensitive information

To access complete, unmasked card information, you must include the reveal: true parameter in the body of your request.

Request example

GET /api/v1/cards/{cardId}
Query: 
{
  "reveal": true
}

Response with revealed data

When reveal: true is included, the response will contain: 
{
  "success": true,
  "data": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "number": "4111111111111111",
    "cvv": "123",
    "masked_number": "**** **** **** 1111",
    "expiry_month": 12,
    "expiry_year": 2025,
    "balance": 100.0,
    "currency": "USD",
    "status": "ACTIVE",
    "brand": "VISA"
  }
}

Default response (masked data)

Without the reveal parameter, the response will be: 
{
  "success": true,
  "data": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "number": "tkMplr_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "cvv": "tkMplr_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "masked_number": "**** **** **** 1111",
    "expiry_month": 12,
    "expiry_year": 2025,
    "balance": 100.0,
    "currency": "USD",
    "status": "ACTIVE",
    "brand": "VISA"
  }
}

Security best practices

When to use reveal: true?

Use reveal: true only when:
  • ✅ You need to display complete information to the end user (e.g., during initial card creation)
  • ✅ You are performing operations that require complete data (e.g., integration with an external system)

Recommendations

  1. Never store revealed data in plain text in your logs or databases
  2. Transmit sensitive data only through secure channels (HTTPS)
  3. Limit access to revealed data to authorized users only
  4. Audit all access to sensitive data
  5. Delete sensitive data from memory after use

Virtual card features

Specifications

  • Currency: USD only
  • Maximum amount: 10,000 USD per card
  • Validity: 3 years (automatically renewable)
  • Accepted brands: Visa and Mastercard
  • Type: Virtual cards only (physical cards coming soon)

Compatibility

Cartevo virtual cards can be used on:
  • Online payment platforms (PayPal, Stripe, etc.)
  • Streaming services (Netflix, Spotify, etc.)
  • Social networks (Facebook, Google Ads, TikTok Ads)
  • Cloud services (AWS, Google Cloud, Azure)
  • Mobile applications (Apple Pay, Google Pay - depending on BIN)

Card management

Available operations

  • Retrieval: Get card details (with or without revelation)
  • Funding: Add funds to a card
  • Withdrawal: Withdraw funds from a card
  • Freeze: Temporarily freeze a card
  • Unfreeze: Reactivate a frozen card
  • Transactions: View transaction history

Card statuses

  • ACTIVE: Card is active and usable. The card can be used for transactions, funding, and withdrawals.
  • FROZEN: Card is temporarily frozen. The card cannot be used for transactions, but can be unfrozen to restore functionality. The balance remains intact.
  • TERMINATED: Card is permanently deactivated and cannot be reactivated. When a card is terminated:
    • The card becomes unusable for any transactions
    • Any remaining balance on the card is automatically refunded to the company’s USD wallet
    • The card balance is set to zero
    • This action is irreversible - once terminated, a card cannot be unfrozen or reactivated
  • PENDING: Card is being created. The card is in the process of being issued and is not yet available for use.
  • FAILED: Card creation failed. The card could not be created due to an error during the issuance process.
  • SUSPENDED: status indicates that a card has been temporarily disabled due to multiple failed transactions. This is different from FROZEN (which is manually set) or TERMINATED (which is permanent).

SUPPORTED CARDS TRANSACTIONS TYPES

This section lists all the transaction types supported by the Card API, with a brief explanation of each type and its purpose.
Transaction TypeDescription
AUTHORIZATIONTransaction: This is when a card is successfully used at a merchant site.
SETTLEMENTTransaction: This is when a card is successfully used and settlement is completed at a merchant site.
FUNDINGTransaction: This is when a customer funds the card via the /funding endpoint.
WITHDRAWALTransaction: This is when a customer withdraws from the card via the /withdrawal endpoint.
TERMINATIONTransaction: This is when a card is terminated (available on the dashboard).
DECLINETransaction: When an attempt to use the card at a merchant site is rejected for any reason e.g. insufficient balance.
REVERSALTransaction: When a merchant charges a card but immediately returns the amount to the card.
REFUNDTransaction: This occurs when a reversal fails and a request is made to return funds erroneously debited from the card.
CROSS-BORDERTransaction: This is used to identify card cross-border charges when a card is used on a merchant site outside the US or in a currency other than USD.
💡 Support: Our technical team is available to answer any questions or provide assistance. Contact us to ensure smooth and optimized integration.