# Cards management

The Pismo platform offers you many different types of cards (credit, debit, prepaid, private label, and more) you can issue. These cards allow transactions to occur in almost all conceivable locations and circumstances -  retail stores, online e-commerce, ATM withdrawals, recurring subscriptions, and so on.

> 📘 Getting started with card issuing
>
> Refer to the [Get started with card issuing](https://developers.pismo.io/pismo-docs/docs/get-started-with-card-issuing) guide.

Every card is associated with a single customer and account. Accounts can have multiple customers, typically to accommodate primary and additional cardholders, but only one owner. Customers can also have more than one account.

Pismo infrastructure handles all card information including sensitive data, which is stored in a dedicated, secure and <Anchor label="Payment Card Industry (PCI)" target="_blank" href="https://www.investopedia.com/terms/p/pci-compliance.asp">Payment Card Industry (PCI)</Anchor> compliant environment.

<Image align="center" alt="Card management workflow" src="https://files.readme.io/e224c33-pismoCards.png" title="pismoCards.png" />

> 📘 PCI endpoints
>
> Certain endpoints are designated PCI endpoints and should be called in a PCI environment. For more information, refer to [Environments](https://developers.pismo.io/pismo-docs/docs/environments) and, specifically, [PCI vs non-PCI endpoints](https://developers.pismo.io/pismo-docs/docs/environments#pci-endpoints-vs-non-pci-endpoints).

**Pismo enables you to:**

* Choose [card types](#card-types) that best suit your customers' needs.
* Customize a card’s attributes, behaviors, and lifecycle, including limits on spending, the number of card uses, and the number of active cards.
* [Work with the card embosser of your choice](https://developers.pismo.io/pismo-docs/docs/physical-card-embossing).
* [Tokenize card data](https://developers.pismo.io/pismo-docs/reference/create-a-cardsonfile-v3) for use in a [digital wallet](https://developers.pismo.io/pismo-docs/docs/wallet-overview).

## Card data

Cards store the data necessary to complete a merchant transaction. In the table below,  the **expiration date** and **name** are not considered sensitive PCI  data.

| Field                                                                                               | Description                                                                                                                                                                                                                                                                                |
| :-------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Name                                                                                                | Card name, can be nickname or alias the cardholder wishes to use. Though a card is associated with one customer and account, a customer can have multiple accounts and cards.                                                                                                              |
| Expiration date                                                                                     | Date when card is no longer valid. You can set this value during program configuration. If not set, the default is 72 months.                                                                                                                                                              |
| [Primary Account Number](https://www.investopedia.com/terms/p/primary-account-number-pan.asp) (PAN) | Unique number that IDs the card network, issuing bank, and cardholder account. For Visa and Mastercard, this is a 16-19 digit string. The PAN is generated from program settings, including the [BIN](https://www.investopedia.com/terms/b/bank-identification-number.asp) and BIN ranges. |
| [Card Verification Value](https://www.investopedia.com/terms/v/validation-code.asp) (CVV or CVV2)   | Verification number that appears on the card's back, usually used for **[card not present](https://squareup.com/us/en/townsquare/what-is-a-card-not-present-transaction)** transactions.                                                                                                   |
| Personal Identification Number (PIN)                                                                | Encrypted card password. Pismo randomly generates the initial PIN at [card creation](https://developers.pismo.io/pismo-docs/reference/post-v2-card) time. Can be 4 or 6 digits.                                                                                                                                                         |

The PIN, PAN, and expiration date are automatically generated at card creation time.

You can call the following API endpoints for a card's PIN:

* [Get card password](https://developers.pismo.io/pismo-docs/reference/get-v2-card-password)
* [Change card password](https://developers.pismo.io/pismo-docs/reference/put-v2-card-password)
* [Reset password try count](https://developers.pismo.io/pismo-docs/reference/post-v2-card-password-reset)
* [Get PIN as PINBlock](https://developers.pismo.io/pismo-docs/reference/get-v1-pin-as-pinblock)
* [Update PIN from PINBlock](https://developers.pismo.io/pismo-docs/reference/put-v1-update-pin-from-pinblock)

## Card types

Pismo offers the following card types.

<Table align={["left","left"]}>
  <thead>
    <tr>
      <th>
        Type
      </th>

      <th>
        Description
      </th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>
        **Physical (plastic/metal)**
      </td>

      <td>
        You can use *physical* or plastic/metal cards at terminals to not only make purchases and withdrawals from ATMs, but also online in e-commerce using the card's data.<br />

        **Pismo offers two ways to issue physical cards**:

        **Nominal** - At [card creation](https://developers.pismo.io/pismo-docs/reference/post-v2-card) , the customer is designated the cardholder.

        **Noname** - Noname cards are [batch-generated](https://developers.pismo.io/pismo-docs/reference/create-bulk)  and not initially associated with customers, which occurs later. Noname cards work well for special use cases like gift cards or in countries or scenarios where a password or chip might be required but not necessarily a printed card name.  When you are ready, you can [assign a noname card to a customer and account](https://developers.pismo.io/pismo-docs/reference/post-v2-card-bind) . Refer to **Cards Management**  > **Noname** for more APIs and endpoints in the [API Reference documentation](https://developers.pismo.io/pismo-docs/reference/create-bulk).

        **The following applies to physical cards**:\
        Only one per customer and account.\
        Customers can have more than one account and card.\
        Can be [tokenized](https://developers.pismo.io/pismo-docs/docs/wallet-overview)  for use in a [digital wallet](https://developers.pismo.io/pismo-docs/docs/wallet-overview)\
        Have a fixed PAN and CVV\
        Have to be [activated](https://developers.pismo.io/pismo-docs/reference/put-v1-card-activate)  before use\
        Can be both a [credit and debit](#create-a-combination-card-with-card-modes)  card

        ***Contactless* physical card**
        Contact transactions require inserting a card into a terminal. With **contactless** transactions, you can simply hold or tap the card on a contactless-enabled card reader to complete a transaction. This requires that both the card and the terminal have [Near Field Communication (NFC)](https://en.wikipedia.org/wiki/Near-field_communication) technology. All  APIs that generate an embossed card have a contactless card option and Pismo sends this information to your [configured embosser](https://developers.pismo.io/pismo-docs/docs/physical-card-embossing).
      </td>
    </tr>

    <tr>
      <td>
        **Virtual**
      </td>

      <td>
        A card that exists digitally, used in e-commerce and subscriptions. You can change a virtual card's [CVV](https://developers.pismo.io/pismo-docs/reference/post-v2-reset-cvv) periodically, increasing its security. Virtual cards provide greater customer flexibility to make a purchase as you can offer them via an application.

        **The following applies to virtual cards:**\
        Can have multiple active cards per customer, but the card name needs to be different.
        Can be [tokenized](https://developers.pismo.io/pismo-docs/docs/wallet-overview) for use in a [digital wallet](https://developers.pismo.io/pismo-docs/docs/wallet-overview).\
        Have a fixed PAN and dynamic CVV. (When you [create a virtual card](https://developers.pismo.io/pismo-docs/reference/post-v2-card), be aware that the `cvv_rotation_interval_hours` is a **required** field.)
        Have a **transaction limit** you set at card creation. If not set, the account limit is used. Later, you can change the transaction limit with the [Update card information](https://developers.pismo.io/pismo-docs/reference/patch-v2-card) endpoint.
        Are created with the same [endpoint](https://developers.pismo.io/pismo-docs/reference/post-v2-card) as a physical card.
        Do not need to be activated before use.
      </td>
    </tr>

    <tr>
      <td>
        **Temporary (virtual)**
      </td>

      <td>
        A virtual card with a fixed PAN and CVV originally meant for short-term use, typically 24 hours (default). By default, it is renewable. For more information, refer to [Configuring temporary cards](https://developers.pismo.io/pismo-docs/docs/cards-overview-1#configuring-temporary-cards)  below.
      </td>
    </tr>

    <tr>
      <td>
        **Recurring (virtual)**
      </td>

      <td>
        A virtual card with a fixed PAN and CVV originally meant for use with recurring subscriptions. This type is being DEPRECATED and it is recommended you use **Virtual** instead.
      </td>
    </tr>
  </tbody>
</Table>

> 🚧 CVV rotation for virtual cards
>
> The logic for virtual card CVV rotation belongs to Pismo. The card networks are not updated every time this happens. This might impact  scenarios where the card network validates the CVV before sending a transaction to Pismo.

### Configuring temporary cards

As stated in the table above, temporary cards are virtual cards with a fixed PAN and CVV originally meant for short-term use, typically 24 hours (default). By default, it is also renewable.

Through [Pismo Control Center](https://developers.pismo.io/pismo-docs/docs/get-started-with-control-center) program parameter configuration, you can  define:

* Validity period (in hours) for temporary cards. The default is 24, but can be configured differently.
* Transactions limit  for temporary cards. Only authorized transactions are counted.
* Skip auto-renewal for temporary cards.

#### Temporary card renewal

Temporary cards can have an `INOPERATIVE` status , which occurs automatically when the validity period expires. You can call the [Get PCI card info](https://developers.pismo.io/pismo-docs/reference/get-v2-card-info)  endpoint to renew it. However, the following applies if you do this:

* If the "Skip auto-renewal for temporary cards" program parameter is `true`, the card is not renewed. In this case, the card's status becomes permanently `INOPERATIVE`.
* If the Skip parameter is `false` (default), then the card is renewed. In this case, the card's status becomes `NORMAL`.

**Note**: A temporary card's validity date is different from a card's expiration date. The expiration date applies to all  card types—only temporary cards have a validity date.

### Branded and private label cards

You need to contact your Pismo representative to set up branded and private label cards.

* **Branded**—Visa and Mastercard cards that allow customers to make purchases at all establishments accepting these brands.

* **Private label** —For companies seeking customer loyalty, private label cards are a good option as you can provide benefits such as discounts and better payment terms. They are usually only accepted at stores in the same network. With a private label, it is possible to control and monitor issuer transactions.

## Issuer-defined PAN/PIN

As of October, 2025, Issuers can create cards without a Pismo-generated Primary Account Number (PAN) or Personal Identification Number (PIN). They can then set the value for these fields themselves via Pismo endpoints as described below.

**To create a card without a PAN/PIN**

1. Call [Create card](https://developers.pismo.io/pismo-docs/reference/post-v2-card) or [Reissue card](https://developers.pismo.io/pismo-docs/reference/post-v1-card-reissue) with `status` set to `UNNUMBERED` and `brand` set to the card network's brand (`VISA`, `MASTERCARD`, `ELO`, or `RUPAY`).
2. Call either [Update nominal card PAN/PIN](https://developers.pismo.io/pismo-docs/reference/put-v1-update-pan-nominal) (nominal cards) or [Update noname card PAN/PIN](https://developers.pismo.io/pismo-docs/reference/put-v1-update-pan-noname) (noname cards) to update the PAN and, optionally, the PIN.\
   This changes the card's status to `UNBOUND` for noname cards and `CREATED` for normal cards.

**Note:** Before calling the update endpoints, talk to your Pismo representative about setting up encryption for them.

## Custom expiration for virtual and physical cards

As of October, 2025, plastic and virtual cards can have a custom expiration date and time. Prior to this, only temporary cards could. To support this, a `validity_period_hours` field has been added to the following endpoints:

* [Create card](https://developers.pismo.io/pismo-docs/reference/post-v2-card)
* [Reissue card](https://developers.pismo.io/pismo-docs/reference/post-v1-card-reissue)
* [Create noname card bulk](https://developers.pismo.io/pismo-docs/reference/create-bulk)

You can use this field to set how long, in hours, a plastic or virtual card is valid. Once this time is exceeded, and the card has a `NORMAL`, `BLOCKED`, `PENDING`, `WARNING` or `REISSUED` status, its status becomes `INOPERATIVE`.

Two new endpoints have been added to support this feature:

* [Renew card validity](https://developers.pismo.io/pismo-docs/reference/patch-v2-card-validity-renew)—Renew a card's validity period in hours.
* [Delete card validity period](https://developers.pismo.io/pismo-docs/reference/delete-v2-card-validity)—Delete a card's previously scheduled validity period.

## Create a combination card with card modes

You can use a combination card for both debit and credit transactions. What makes this possible are ***modes*** . A card can have a credit mode or a debit mode or both (combination cards).  A mode is derived from a program/account, which can be either credit or debit.

A card's initial mode comes from the program/account it is issued with but, if you [create a card](https://developers.pismo.io/pismo-docs/reference/post-v2-card) with the parameter `mode_type` set to `COMBO`,  you can add an additional mode to the card with the [Add card mode](https://developers.pismo.io/pismo-docs/reference/post-v1-card-mode) API endpoint at a later time to create a combination card.

> 📘 Removing a card mode
>
> A card mode can't be removed, but it can be suspended and made inactive with the [Change card mode status](https://developers.pismo.io/pismo-docs/reference/put-v1-card-mode-status) endpoint.

### Mode object

A card mode has an object and an identifier:

```json
{
  "modes": [
    {
      "id": 128876,
      "mode": "CREDIT",
      "program_id": 88490,
      "customer_id": 102377856,
      "account_id": 102378693,
      "password_tries": 3,
      "transaction_limit": 750.05,
      "number_of_transactions": 40,
      "status": "SUSPENDED",
      "card_owner": "TN-f878e4a1-2879-48ba-be16-821e73ac98db"
    }
  ]
}
```

### Card mode API endpoints

The following endpoints pertain to modes:

* [Create card](https://developers.pismo.io/pismo-docs/reference/post-v2-card)—Issue a card setting mode parameters.
* [Add card mode](https://developers.pismo.io/pismo-docs/reference/post-v1-card-mode)—Add a mode (credit or debit account) to a card.
* [Get card modes](https://developers.pismo.io/pismo-docs/reference/get-v1-card-mode)—Get information about a specific card's modes. Each mode has an ID and an object.
* [Change card mode status](https://developers.pismo.io/pismo-docs/reference/put-v1-card-mode-status)—Change a card mode's status - active or suspended.

## Digital wallets - Pismo, Apple Pay, Google Pay, and others

Cards you issue through Pismo can be stored in digital wallets, which let you  *tokenize* cards and use them for payments without exposing sensitive data such as the CVV or PAN. Pismo provides its own digital wallet and supports those of other payment apps like Samsung Pay or Google Pay.

For more information refer to:

* [Pismo digital wallet](https://developers.pismo.io/pismo-docs/docs/wallet-overview)
* [Third-party wallets (such as Apple Pay)](https://developers.pismo.io/pismo-docs/docs/card-tokenization-process-and-onboarding)

## Mastercard's Automatic Billing Updater option

For a Mastercard card, you have the option to enable their Automatic Billing Updater (ABU) feature. When account credentials change, it’s challenging for consumers to inform all of their merchants. As a result, their card-not-present payments may be declined. This creates service disruptions for consumers, as well as lost revenue and decreased customer loyalty for merchants.

When a card is created, reissued, or a card's account credentials change, such as the card being lost, stolen, or closed, Pismo automatically notifies Mastercard if this feature is enabled. Mastercard, in turn, notifies the merchants it has on file for that card. Update notifications are sent to Mastercard on a daily basis.

To enable ABU for a program, create a [Service Desk](https://developers.pismo.io/pismo-docs/docs/opening-a-service-desk-ticket)  ticket with request type = `Settings/Configuration`.

You can disable ABU for a card via the following API endpoint:

* [Update card information](https://developers.pismo.io/pismo-docs/reference/patch-v2-card)

For more information, refer to Mastercard's <Anchor label="Automatic Billing Updater" target="_blank" href="https://developer.mastercard.com/product/automatic-billing-updater-abu/">Automatic Billing Updater</Anchor> documentation.

<br />
Type	Description
Physical (plastic/metal)	You can use physical or plastic/metal cards at terminals to not only make purchases and withdrawals from ATMs, but also online in e-commerce using the card's data. Pismo offers two ways to issue physical cards: Nominal - At [card creation](https://developers.pismo.io/pismo-docs/reference/post-v2-card) , the customer is designated the cardholder. Noname - Noname cards are [batch-generated](https://developers.pismo.io/pismo-docs/reference/create-bulk) and not initially associated with customers, which occurs later. Noname cards work well for special use cases like gift cards or in countries or scenarios where a password or chip might be required but not necessarily a printed card name. When you are ready, you can [assign a noname card to a customer and account](https://developers.pismo.io/pismo-docs/reference/post-v2-card-bind) . Refer to Cards Management > Noname for more APIs and endpoints in the [API Reference documentation](https://developers.pismo.io/pismo-docs/reference/create-bulk). The following applies to physical cards:\ Only one per customer and account.\ Customers can have more than one account and card.\ Can be [tokenized](https://developers.pismo.io/pismo-docs/docs/wallet-overview) for use in a [digital wallet](https://developers.pismo.io/pismo-docs/docs/wallet-overview)\ Have a fixed PAN and CVV\ Have to be [activated](https://developers.pismo.io/pismo-docs/reference/put-v1-card-activate) before use\ Can be both a [credit and debit](#create-a-combination-card-with-card-modes) card **Contactless physical card Contact transactions require inserting a card into a terminal. With contactless** transactions, you can simply hold or tap the card on a contactless-enabled card reader to complete a transaction. This requires that both the card and the terminal have [Near Field Communication (NFC)](https://en.wikipedia.org/wiki/Near-field_communication) technology. All APIs that generate an embossed card have a contactless card option and Pismo sends this information to your [configured embosser](https://developers.pismo.io/pismo-docs/docs/physical-card-embossing).
Virtual	A card that exists digitally, used in e-commerce and subscriptions. You can change a virtual card's [CVV](https://developers.pismo.io/pismo-docs/reference/post-v2-reset-cvv) periodically, increasing its security. Virtual cards provide greater customer flexibility to make a purchase as you can offer them via an application. The following applies to virtual cards:\ Can have multiple active cards per customer, but the card name needs to be different. Can be [tokenized](https://developers.pismo.io/pismo-docs/docs/wallet-overview) for use in a [digital wallet](https://developers.pismo.io/pismo-docs/docs/wallet-overview).\ Have a fixed PAN and dynamic CVV. (When you [create a virtual card](https://developers.pismo.io/pismo-docs/reference/post-v2-card), be aware that the `cvv_rotation_interval_hours` is a required field.) Have a transaction limit you set at card creation. If not set, the account limit is used. Later, you can change the transaction limit with the [Update card information](https://developers.pismo.io/pismo-docs/reference/patch-v2-card) endpoint. Are created with the same [endpoint](https://developers.pismo.io/pismo-docs/reference/post-v2-card) as a physical card. Do not need to be activated before use.
Temporary (virtual)	A virtual card with a fixed PAN and CVV originally meant for short-term use, typically 24 hours (default). By default, it is renewable. For more information, refer to [Configuring temporary cards](https://developers.pismo.io/pismo-docs/docs/cards-overview-1#configuring-temporary-cards) below.
Recurring (virtual)	A virtual card with a fixed PAN and CVV originally meant for use with recurring subscriptions. This type is being DEPRECATED and it is recommended you use Virtual instead.