API response: Credit card info coming back through my server?

The API response includes 10 out of the 16 digits of the card number, the card brand, the expiration month and year. The only thing missing is the CVV and the remaining few digits.

Should I be concerned that this much information about the card is running through my server? I thought one of the benefits here was that I need not worry about risk and liability on my end, that Square would handle it all.

Is there a way I can tell the API not to return this information?

Hi @jccc welcome to the forums!

There’s no way to tell the API to return partial data at this time. However, the first six and last four digits of a card meets the PCI DSS §3.3 PAN masking standard. All the information Square supplies will keep you (the developer) from having to get PCI certified, and we will never share information that would compromise that.