# Display Card Details to the Cardholder
source: https://developer.mastercard.com/mastercard-processing-core/documentation/use-cases/card-lifecycle/disp-card-det-to-crdholder/index.md

## Overview {#overview}

Once the card has been created, you can display details of the card (PAN, CVC2, and expiry date) to the cardholder in the mobile application. If you also want to display the PIN to the cardholder, refer to the [Display a PIN](https://developer.mastercard.com/mastercard-processing-core/documentation/use-cases/pin-management/display-a-pin/index.md) use case.

As you may not want to store any sensitive data, Mastercard Processing can help you transfer it to the cardholder in a secure way by using the `Customer-Public-Rsa-Key` header in the `getCardContract` and `getCvc` requests. The `Customer-Public-Rsa-Key` header must contain the Public RSA key generated by the cardholder's mobile application and verified by your server that the Mastercard Processing API will use to encrypt the `encryptedCardContractNumber` and `encryptedCardVerificationCode` fields in the response so that only the cardholder's mobile application will be able to decrypt and display it. In the use case presented here, the server cannot decrypt any sensitive data acting only as a proxy server between Mastercard Procesing API and the cardholder device where the mobile application is installed.

## Sequence diagram {#sequence-diagram}

Diagram display-card-details-2 Note: The diagram does not contain end-to-end payload encryption which is part of every operation. Refer to [Encryption](https://developer.mastercard.com/mastercard-processing-core/documentation/api-basics-section/encryption/index.md) for more information.

### Explanation {#explanation}

1. The cardholder requests to display the card details in the mobile application.
2. The mobile application generates a pair of RSA keys.
3. The mobile application sends a `GET` request to the `/cards/{card_contract_id}` endpoint with the `Customer-Public-Rsa-Key` header containing the Public key generated in step 2 to retrieve details of the cardholder's card.
4. The API returns various data stored in the CMS for the `cardContractId`, including the fields `cardExpiryDate` and `encryptedCardContractNumber` storing PAN encrypted with the `Customer-Public-Rsa-Key` sent in step 3. Tip: To limit card contract data returned in response to the particular fields, you can use the `fields` query path parameter in the request. The `fields` is serialized with `explode: false` so each value must be separated with a comma. For example, with a `GET` request sent to the `cards/12345678?fields=encryptedCardContractNumber,cardExpiryDate` endpoint, the API will only return `encryptedCardContractNumber` and `cardExpiryDate` fields stored in the CMS for the `cardContractId` '12345678'.
5. The mobile application decrypts the `encryptedCardContractNumber` using the Private RSA key generated in step 2.
6. To get the CVC2, the mobile application needs to send a POST request to the `/cards/{card_contract_id}/card-verification-codes/searches` endpoint with the `Customer-Public-Rsa-Key` header containing the Public key generated in step 2.
7. The API returns the `encryptedCardVerificationCode` field encrypted with the `Customer-Public-Rsa-Key` sent in step 6.
8. The mobile application decrypts the `encryptedCardVerificationCode` using the Private RSA key generated in step 2.
9. The mobile application displays the cardholder card's details (PAN, expiry date, and CVC2).

Refer to [Sandbox testing](https://developer.mastercard.com/mastercard-processing-core/documentation/sandbox-testing/card-lifecycle-management/display-card-details-to-cardholder/index.md) for information on how to execute the use case in the Sandbox environment.

### Endpoints {#endpoints}


API Reference: `GET /cards/{card_contract_id}`


API Reference: `POST /cards/{card_contract_id}/card-verification-codes/searches`

<br />