Update a card
Update a linked card and/or resubmit it for verification.
If a value is provided for CVV, a new verification ($0 authorization) will be submitted for the card. Updating the expiration date or address will update the information stored on file for the card but will not be verified.
Read our accept card payments guide to learn more.
Only use this endpoint if you have provided Moov with a copy of your PCI attestation of compliance.
To access this endpoint using an access token
you'll need to specify the /accounts/{accountID}/cards.write scope.
PATCH
/accounts/{accountID}/cards/{cardID}
curl -X PATCH "https://api.moov.io/accounts/{accountID}/cards/{cardID}" \
-H "Authorization: Bearer {token}" \
-H "X-Moov-Version: v2026.01.00" \
-d '{
"cardCvv": "456"
}'curl -X PATCH "https://api.moov.io/accounts/{accountID}/cards/{cardID}" \
-H "Authorization: Bearer {token}" \
-H "X-Moov-Version: v2026.01.00" \
-H "Content-Type: application/json" \
-d '{
"expiration": {
"month": "01",
"year": "28"
}
}'mc, _ := moov.NewClient()
var accountID string
var cardID string
mc.UpdateCard(ctx, accountID, cardID,
moov.WithCardOnFile(true),
)
import { Moov } from "@moovio/sdk";
const moov = new Moov({
security: {
username: "",
password: "",
},
});
async function run() {
const result = await moov.cards.update({
accountID: "7104688e-8434-482e-9556-4784be3ad3fe",
cardID: "01234567-89ab-cdef-0123-456789abcdef",
updateCard: {
cardCvv: "456",
},
});
console.log(result);
}
run();declare(strict_types=1);
require 'vendor/autoload.php';
use Moov\MoovPhp;
use Moov\MoovPhp\Models\Components;
$sdk = MoovPhp\Moov::builder()
->setSecurity(
new Components\Security(
username: '',
password: '',
)
)
->build();
$updateCard = new Components\UpdateCard(
cardCvv: '456',
);
$response = $sdk->cards->update(
accountID: '7104688e-8434-482e-9556-4784be3ad3fe',
cardID: '01234567-89ab-cdef-0123-456789abcdef',
updateCard: $updateCard
);
if ($response->card !== null) {
// handle response
}package hello.world;
import io.moov.sdk.Moov;
import io.moov.sdk.models.components.Security;
import io.moov.sdk.models.components.UpdateCard;
import io.moov.sdk.models.errors.GenericError;
import io.moov.sdk.models.errors.UpdateCardError;
import io.moov.sdk.models.operations.UpdateCardResponse;
import java.lang.Exception;
public class Application {
public static void main(String[] args) throws GenericError, UpdateCardError, Exception {
Moov sdk = Moov.builder()
.security(Security.builder()
.username("")
.password("")
.build())
.build();
UpdateCardResponse res = sdk.cards().update()
.accountID("7104688e-8434-482e-9556-4784be3ad3fe")
.cardID("01234567-89ab-cdef-0123-456789abcdef")
.updateCard(UpdateCard.builder()
.cardCvv("456")
.build())
.call();
if (res.card().isPresent()) {
System.out.println(res.card().get());
}
}
}from moovio_sdk import Moov
from moovio_sdk.models import components
with Moov(
security=components.Security(
username="",
password="",
),
) as moov:
res = moov.cards.update(account_id="7104688e-8434-482e-9556-4784be3ad3fe", card_id="01234567-89ab-cdef-0123-456789abcdef", e2ee={
"token": "eyJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTUyMSIsIngiOiJBS0NYVDM1WVdvTm8wbzExNy1SU0dqUGg3alN1NjFmLUhnYkx1dW0xVG1ueTRlcW5yX2hyU0hpY0w1d3gwODRCWDBRZjVTdEtkRUoydzY2ZUJqWHprRV9OIiwieSI6IkFIMEJfT2RaYTQtbG43dGJ4M3VBdlc1NDNQRE9HUXBCTDloRFFNWjlTQXNfOW05UWN3dnhRd1hrb1VrM3VzT1FnVV9ySVFrNFRoZ1NTUzV4UlhKcm5ZaTkifSwia2lkIjoiYmRvV3pLekpKUGw0TVFIaENDa05WYTZlZ1dmYi02V1haSjZKTFZqQ0hWMD0ifQ.HalyoHsfufBJEODd2lD9ThQvvVWw3b2kgWDLHGxmHhMv8rODyLL_Ug.rpQP178t8Ed_pUU2.Sn9UFeVoegAxiMUv11q7l3M0y9YHSLYi2n_JB7n7Pc777_47-icfaxstJemT0IC81w.akkq1EBxzWkBr4vEomSpWA",
}, billing_address={
"address_line1": "123 Main Street",
"address_line2": "Apt 302",
"city": "Boulder",
"state_or_province": "CO",
"postal_code": "80301",
"country": "US",
}, expiration={
"month": "01",
"year": "21",
}, card_cvv="456")
# Handle response
print(res)require 'moov_ruby'
Models = ::Moov::Models
s = ::Moov::Client.new(
security: Models::Components::Security.new(
username: '',
password: ''
)
)
res = s.cards.update(account_id: '7104688e-8434-482e-9556-4784be3ad3fe', card_id: '01234567-89ab-cdef-0123-456789abcdef', update_card: Models::Components::UpdateCard.new(
card_cvv: '456'
))
unless res.card.nil?
# handle response
endusing Moov.Sdk;
using Moov.Sdk.Models.Components;
var sdk = new MoovClient(security: new Security() {
Username = "",
Password = "",
});
var res = await sdk.Cards.UpdateAsync(
accountID: "7104688e-8434-482e-9556-4784be3ad3fe",
cardID: "01234567-89ab-cdef-0123-456789abcdef",
body: new UpdateCard() {
CardCvv = "456",
}
);
// handle responseThe request completed successfully.
{
"billingAddress": {
"addressLine1": "123 Main Street",
"addressLine2": "Apt 302",
"city": "Boulder",
"country": "US",
"postalCode": "80301",
"stateOrProvince": "CO"
},
"bin": "411111",
"brand": "Visa",
"cardAccountUpdater": {
"updateType": "number-update",
"updatedOn": "2024-05-06T12:20:38.184Z"
},
"cardCategory": "CLASSIC",
"cardID": "01234567-89ab-cdef-0123-456789abcdef",
"cardOnFile": true,
"cardType": "credit",
"cardVerification": {
"accountName": {
"firstName": "match",
"fullName": "match",
"lastName": "match",
"middleName": "match"
},
"addressLine1": "match",
"cvv": "match",
"postalCode": "match"
},
"commercial": false,
"domesticPullFromCard": "supported",
"domesticPushToCard": "standard",
"expiration": {
"month": "01",
"year": "21"
},
"fingerprint": "9948962d92a1ce40c9f918cd9ece3a22bde62fb325a2f1fe2e833969de672ba3",
"holderName": "Jules Jackson",
"issuer": "GRINGOTTS BANK",
"issuerCountry": "US",
"issuerPhone": "8185551212",
"issuerURL": "HTTPS://WWW.EXAMPLE.COM/",
"lastFourCardNumber": "1111",
"merchantAccountID": "01234567-89ab-cdef-0123-456789abcdef",
"regulated": false
}Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The server could not understand the request due to invalid syntax.
{
"error": "string"
}Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The request contained missing or expired authentication.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The user is not authorized to make the request.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The requested resource was not found.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The request conflicted with the current state of the target resource.
{
"error": "string"
}Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The request was well-formed, but the contents failed validation. Check the request for missing or invalid fields.
{
"e2ee": {
"token": "string"
},
"billingAddress": "string",
"expiration": "string",
"cardCvv": "string",
"cardOnFile": "string",
"merchantAccountID": "string",
"verifyName": "string",
"holderName": "string"
}Response headers
x-request-id
string
required
A unique identifier used to trace requests.
Request was refused due to rate limiting.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The request failed due to an unexpected error.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The request failed because a downstream service failed to respond.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
Headers
X-Moov-Version
string
Set this header to v2026.01.00 to use the API described in this specification. When omitted, the server defaults to v2024.01.00, which may not match the behavior documented here.
Possible values:
v2026.01.00
Path parameters
accountID
string
required
cardID
string
required
Body
application/json
billingAddress
object
Updated billing address to store on file for the card.
Show child attributes
addressLine1
string
<=60 characters
Street address line 1.
addressLine2
string
<=32 characters
Street address line 2 (e.g., apartment or suite number).
city
string
<=32 characters
City name.
country
string
<=2 characters
Two-letter ISO 3166-1 country code.
postalCode
string
<=10 characters
Postal or ZIP code.
stateOrProvince
string
<=2 characters
Two-letter state or province code.
cardCvv
string
The card's 3- or 4-digit card verification value. Providing this triggers a new $0 verification authorization, which performs both CVV and address verification.
cardOnFile
boolean
Indicates cardholder has authorized card to be stored for future payments (e.g., recurring payments).
If true and no
merchantAccountID is provided, the partner account's ID is automatically used as the merchant account for verification.
e2ee
object
Wraps a compact-serialized JSON Web Encryption (JWE) token used for secure transmission of sensitive data (e.g., PCI information) through intermediaries.
This token is encrypted using the public key from /end-to-end-keys and wraps an AES key. For details and examples, refer to our
GitHub repository.
Show child attributes
token
string<jwe>
An RFC compact-serialized JSON Web Encryption (JWE) token.
expiration
object
Show child attributes
month
string
Two-digit month the card expires.
year
string
Two-digit year the card expires.
holderName
string
Updated name of the cardholder as it appears on the card.
merchantAccountID
string
Merchant account whose details (statement descriptor, address, etc.) are used for the card verification authorization.
If omitted, the partner account's details are used instead.
verifyName
boolean
If true, submits the cardholder's name to the card network for verification as part of the $0 authorization.
Only supported for Visa and Mastercard; requesting name verification for American Express or Discover will return an error.
Response
billingAddress
object
required
The billing address associated with the card.
Show child attributes
addressLine1
string
<=60 characters
Street address line 1.
addressLine2
string
<=32 characters
Street address line 2 (e.g., apartment or suite number).
city
string
<=32 characters
City name.
country
string
<=2 characters
Two-letter ISO 3166-1 country code.
postalCode
string
<=10 characters
required
Postal or ZIP code.
stateOrProvince
string
<=2 characters
Two-letter state or province code.
bin
string
[6 to 8] characters
required
The first six to eight digits of the card number, which identifies the financial institution that issued the card.
brand
string<enum>
required
The card brand.
Possible values:
American Express,
Discover,
Mastercard,
Visa,
Unknown
cardID
string
required
ID of the card.
cardType
string<enum>
required
The type of the card.
Possible values:
debit,
credit,
prepaid,
unknown
cardVerification
object
required
The results of submitting cardholder data to a card network for verification.
Show child attributes
addressLine1
string
required
Verification result of the billing address line 1.
Derived from the same AVS code as
postalCode; the card network returns a single code covering both address fields.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
cvv
string
required
Verification result of the card's CVV.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
postalCode
string
required
Verification result of the billing address postal code.
Derived from the same AVS code as
addressLine1; the card network returns a single code covering both address fields.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
accountName
object
Verification results of the cardholder's name, broken down by name component.
The results of submitting cardholder name to a card network for verification.
Show child attributes
firstName
string
Verification result of the cardholder's first name.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
fullName
string
Verification result of the cardholder's full name.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
lastName
string
Verification result of the cardholder's last name.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
middleName
string
Verification result of the cardholder's middle name.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
expiration
object
required
The expiration date of the card or token.
Show child attributes
month
string
2 characters
required
Two-digit month the card expires.
year
string
2 characters
required
Two-digit year the card expires.
fingerprint
string
<=100 characters
required
Uniquely identifies a linked payment card or token.
For Apple Pay, the fingerprint is based on the tokenized card number and may vary based on the user's device.
This field can be used to identify specific payment methods across multiple accounts on your platform.
lastFourCardNumber
string
4 characters
required
Last four digits of the card number
cardAccountUpdater
object
The results of the most recent card update request.
Show child attributes
updateType
string<enum>
The results of the card update request.
Possible values:
unspecified,
account-closed,
contact-cardholder,
expiration-update,
no-change,
no-match,
number-update
updatedOn
string<date-time>
Timestamp from the card network indicating when the card update was processed.
cardCategory
string
The category or level of the card defined by the issuer.
Examples include, but not limited to, "REWARDS", "TRADITIONAL REWARDS", "CLASSIC", and "CORPORATE PURCHASING".
cardOnFile
boolean
Indicates cardholder has authorized card to be stored for future payments.
commercial
boolean
If true, the card is for commercial use, or associated with a business.
If false, the card is associated with a general consumer.
domesticPullFromCard
string<enum>
Indicates if the card supports domestic pull-from-card transfer.
Possible values:
not-supported,
supported,
unknown
domesticPushToCard
string<enum>
Indicates which level of domestic push-to-card transfer is supported by the card, if any.
Possible values:
not-supported,
standard,
fast-funds,
unknown
holderName
string
The name of the cardholder as it appears on the card.
issuer
string
Financial institution that issued the card.
issuerCountry
string
Country where the card was issued.
issuerPhone
string
Phone number of the issuer.
issuerURL
string<uri>
URL of the issuer.
merchantAccountID
string
Merchant account whose details (statement descriptor, address, etc.) are used for the card verification authorization.
If omitted, the partner account's details are used instead.
paymentMethods
array<object>
Includes any payment methods created as a result of linking a card with the x-wait-for header set to payment-method.
Only returned by the link card endpoint; not included when getting or listing cards.
Show child attributes
paymentMethodID
string
ID of the payment method.
paymentMethodType
string<enum>
The payment method type that represents a payment rail and directionality
Possible values:
moov-wallet,
ach-debit-fund,
ach-debit-collect,
ach-credit-standard,
ach-credit-same-day,
rtp-credit,
card-payment,
push-to-card,
pull-from-card,
apple-pay,
card-present-payment,
instant-bank-credit
regulated
boolean
If true, the card issuing bank is regulated, and the scheme fees for debit transactions will be limited based on the Durbin Amendment.
If false, the card issuing bank is not regulated, and the scheme fees will not be limited.