I'm having a problem understanding this concept. I'm using a payment gateway, and I'm not storing the credit card details anywhere. I get the payment information by using hosted payment fields. I want to add a place on the user's profile where they can view their card type and expiration date.
I'm not storing this data, so the only way I'd be able to get the credit card details would be calling the payment gateway. As far as I know, sending credit card details from client to server normally goes against PCI compliance standards. In that case I don't really understand the concept of calling the payment gateway API to get the card data from the client side. How do I go about getting the card data on file, and then allowing the users to view it in a location that isn't within a transaction space?
PCI DSS 3.2.1 says this about credit card data on page 7:
It's widely accepted that expiration dates on their own are acceptable and will not impact your eligibility to certify your PCI compliance using SAQ-A - the easiest and most favorable way to certify PCI compliance.
I imagine most payment gateways will allow you to access the expiration dates for cards after tokenizing the data - which I suspect you're already doing. Stripe seems to return this data with their tokens:
The specifics will vary depending on your payment gateway.
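Added example, not part of the original answer and not any gateway's own code: a server-side sketch that keeps only the card type and expiration date from a tokenization response for the profile page, and fails closed if the payload ever contains something that looks like a full card number. The key names (`id`, `card`, `brand`, `exp_month`, `exp_year`) are assumptions modeled on the token shape the answer refers to; the helper names and the sample response are constructed for illustration.

```python
import re

# Allowlist: the only card fields the profile page needs (assumed key names).
DISPLAY_FIELDS = ("brand", "exp_month", "exp_year")
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(value) -> bool:
    """Recursively look for anything that looks like a full card number."""
    if isinstance(value, dict):
        return any(contains_pan(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(contains_pan(v) for v in value)
    text = re.sub(r"[ -]", "", str(value))
    return any(luhn_ok(m) for m in PAN_RE.findall(text))


def card_profile_record(token_response: dict) -> dict:
    """Build the record to store for the profile page from a gateway token."""
    if contains_pan(token_response):
        # Fail closed: a hosted-fields integration should never hand us a PAN.
        raise ValueError("token response contains a card number; refusing to store")
    card = token_response["card"]
    record = {k: card[k] for k in DISPLAY_FIELDS}
    record["token_id"] = token_response["id"]
    return record


# Constructed sample, shaped like a gateway's tokenization response.
SAMPLE = {
    "id": "tok_example_123",
    "card": {"brand": "Visa", "exp_month": 8, "exp_year": 2027,
             "last4": "4242", "fingerprint": "constructed"},
}

if __name__ == "__main__":
    print(card_profile_record(SAMPLE))
```

Because the record is built from an allowlist, any extra fields a gateway returns are dropped rather than stored by accident.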