$50k–$200k / year
Enterprise PCI DSS Level 1 compliance: QSA audit, ASV scans, pen-tests, monitoring, dedicated security staff. Recurring annually.
The Card Data Reveal SDK lets your application display the full PAN, CVV and expiry date to a cardholder — without your servers, your application, or your developers ever touching the card data. A cross-origin iframe served by Codego's PCI‑DSS certified infrastructure renders the card to the end-user's browser. Browser Same-Origin Policy guarantees your code cannot read it. Drop from SAQ-D (300+ controls) to SAQ-A (22 controls) — without changing card issuer.
If your application ever stores, processes or transmits a full PAN — even to render it once on screen — you are inside the PCI DSS cardholder data environment. That means SAQ-D, a Level 1 QSA engagement, quarterly ASV scans, annual penetration tests, ongoing monitoring, and roughly $50,000 to $200,000 per year in compliance overhead — before you write a single line of product code.
New card programmes routinely sit in the queue for half a year while compliance, infrastructure and processes catch up to a PCI Level 1 posture.
The full SAQ-D questionnaire pulls in adjacent systems — logging, backups, dev workstations. Auditors keep finding more in scope.
Most reveal SDKs ship from a single issuer (Marqeta.js, Stripe Issuing Elements, Galileo MyCardInfo) — you adopt the SDK only by adopting the issuer.
The technical guarantee is not policy — it is the browser. When your page embeds a cross-origin iframe from cardview.codegotech.com, the browser refuses to let your JavaScript read inside it. That is the same boundary that prevents arbitrary websites from reading your Gmail inbox. The PAN renders to pixels inside an isolated DOM, visible to your user but inaccessible to your code.
1. Your backend calls the Card Reveal API with the cardholder's identifier, your tenant credentials and the card ID. No card data is sent.
2. Codego returns a single-use 64-hex token bound to that exact card and user, valid 5 minutes. Token is SHA-256 hashed at rest; raw value never persists.
3. Your frontend drops <iframe src="cardview.../v/<token>"> into the page. The browser fetches the iframe directly from Codego.
4. The iframe receives the encrypted payload, decrypts it inside the browser context, and renders the PAN, CVV, holder and expiry as pixels.
5. The viewer clears its own DOM after 60 seconds, blocks print and screenshot shortcuts, and revokes the token on first view. Replay returns 403.
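The token lifecycle in the steps above, modelled as an added Python example (not Codego's code): the token is stored only as its SHA-256 digest, expires after 5 minutes and is revoked on first view. The class name, the in-memory table, lowercase hex and the use of 403 for every rejection are assumptions; the page only states that a replay returns 403.

```python
import hashlib
import re
import secrets
import time

TOKEN_TTL_SECONDS = 5 * 60                 # page: token valid 5 minutes
TOKEN_RE = re.compile(r"[0-9a-f]{64}")     # assumption: lowercase hex


class RevealTokenStore:
    """Hypothetical in-memory stand-in for the viewer's token table."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # SHA-256 hex digest of the token -> record

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id, card_id):
        """Mint a token bound to one user and one card; return the raw value once."""
        token = secrets.token_hex(32)  # 32 random bytes -> 64 hex characters
        self._rows[self._digest(token)] = {
            "binding": (user_id, card_id),
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token  # only the digest stays in the table

    def redeem(self, token):
        """Return (http_status, binding) for one viewer request."""
        if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
            return 403, None
        row = self._rows.get(self._digest(token))
        if row is None or row["used"] or self._clock() >= row["expires_at"]:
            return 403, None  # unknown, replayed or expired
        row["used"] = True  # revoke on first view
        return 200, row["binding"]


if __name__ == "__main__":
    store = RevealTokenStore()
    t = store.issue("user-1", "card-9")  # constructed identifiers
    print(store.redeem(t))  # first view
    print(store.redeem(t))  # replay
```

A dump of the table in this model yields digests only, so a leaked row cannot be turned back into a usable viewer URL.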
curl -X POST https://cardapi.codegotech.com/getCardInfo \
  -H "Content-Type: application/json" \
  -d '{
    "authkey": "<tenant_api_key>",
    "authekey": "<base64(user:pass)>",
    "whitelabel_id": "<your_tenant_id>",
    "user_id": "<end_user_id>",
    "web_token": "<session_token>",
    "cid": "<card_id>"
  }'

# response
{
  "status": true,
  "token": "f5b3...c801",
  "image_url": "https://cardview.codegotech.com/v/f5b3...c801"
}
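A backend-side check of the response shown above before its URL is handed to the frontend, as an added Python example (not part of Codego's SDK): it accepts only an HTTPS URL on the viewer origin whose path carries the returned token. The function name and the lowercase-hex token format are assumptions, and the sample values in the demo are constructed.

```python
import re
from urllib.parse import urlsplit

VIEWER_HOST = "cardview.codegotech.com"   # viewer origin named on the page
TOKEN_RE = re.compile(r"[0-9a-f]{64}")    # assumption: 64 lowercase hex chars


def viewer_url_from_response(resp):
    """Return the iframe URL for a getCardInfo response, or raise ValueError."""
    if resp.get("status") is not True:
        raise ValueError("reveal request did not succeed")
    token = resp.get("token")
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not a 64-hex string")
    url = resp.get("image_url")
    if not isinstance(url, str):
        raise ValueError("image_url missing")
    parts = urlsplit(url)
    # Exact netloc match also rejects userinfo ("host@other") and explicit ports.
    if parts.scheme != "https" or parts.netloc != VIEWER_HOST:
        raise ValueError("image_url is not on the viewer origin")
    if parts.path != "/v/" + token or parts.query or parts.fragment:
        raise ValueError("image_url does not match the returned token")
    # Rebuild from validated parts instead of echoing the input string.
    return "https://" + VIEWER_HOST + "/v/" + token


if __name__ == "__main__":
    sample_token = "ab" * 32  # constructed sample, not a real token
    sample = {
        "status": True,
        "token": sample_token,
        "image_url": "https://cardview.codegotech.com/v/" + sample_token,
    }
    print(viewer_url_from_response(sample))
```

Because the token is a bearer credential until first view, pass the returned URL to the page without writing it to application logs. A `Content-Security-Policy` with `frame-src https://cardview.codegotech.com` on the embedding page applies the same origin restriction in the browser.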
Most reveal SDKs are tied to a specific issuer — adopt the SDK by adopting the issuer. The Codego Card Reveal SDK is different. We retrieve the PAN from your existing issuer's authoritative source on each request. You don't need to migrate your card portfolio. You don't need to operate a token vault. You don't need to switch BIN sponsor.
If your cards are issued under a Codego BIN programme, the reveal SDK is enabled with a single admin toggle. Zero additional integration.
Pre-built connectors for the largest US and EU processors. We call their secure-element API on your behalf and serve the result through our viewer.
Compatible with reveal endpoints on Stripe Issuing and Adyen Card Issuing. Your card programme stays where it is.
If your issuer or BIN sponsor exposes a PAN-retrieval API, we build the connector — typically in 2–3 engineering days. Talk to us.
Display the virtual card to the user before the plastic arrives. Tap to copy CVV, see expiry, all under your app brand — no PCI footprint.
Show an employee or vendor their assigned card number for online booking. Single-use viewer, audit-logged, with IP and origin allowlists.
Push-to-card payout workflows where the recipient sees their freshly issued virtual card. Tokenised, time-bounded, single-view.
Crypto-funded cards rendered in your wallet UI. No vault, no SAQ-D, no engineering team turned compliance team.
Skyflow, Very Good Security and Basis Theory are PCI vaults — you move your card data into their store. Marqeta.js, Stripe Issuing Elements and Galileo MyCardInfo are reveal SDKs from card issuers — you can only use them if you're already their issuing customer. The Codego SDK sits in a different position: iframe reveal on top of your existing issuer, with no vault migration.
Free self-service sandbox. Sign up with your email, get a key in 30 seconds, fire your first request immediately. The sandbox returns 4 hard-coded test cards (Visa, Mastercard, Amex, Visa Declined) and uses the exact same payload as production — when you're ready, change one URL and you're live.
Codego Group LTD · Malta · Est. 2012
EUIPO 018922174 · PCI DSS Level 1 by Adsigo, 2025