I have dealt with about a dozen banks in about half a dozen countries. Of all of them, SBI knows banking the best. If you ask this question to SBI, you might not get an answer at all, which is the correct response.
OTOH, if you ask many other Issuer Banks who don’t know half as much banking as SBI, you might get to hear about PCI-DSS, PIN Mailer, Outsourcing of Shipping Credit Card, Software Security, RBI Mandate, and so on. But all of that is really BS, IMO.
If you want to understand the real situation at play here, please read on.
Credit Card is issued by Issuer Bank. Credit Cardholder is merely the user of Credit Card, never its Owner. Issuer Bank owns the Credit Card in perpetuity. It also determines Credit Card #, CVV and Expiry Date, owns this information at all times, and uses it to authorize transactions made by Cardholder on the said credit card on an ongoing basis.
To expect these details to be kept confidential at Issuer Bank is repugnant to the context of property rights and trying to ensure this is fool’s errand.
There’s the related issue of someone from the Issuer Bank laying his or her hands on these details before the credit card is shipped to the Cardholder and using them illicitly for their own benefit. If the real question is, how can Cardholder ensure this does not happen, well, s/he really can’t. And shouldn’t seek to, either.
When the Issuer Bank issues a credit card, it’s allowing a third party – i.e. cardholder – to spend its money (up to the credit limit). In other words, when a Cardholder uses a credit card, s/he is effectively using the Issuer Bank’s money. The Issuer Bank is taking the risk that the third party will repay the money back. That calls for the Issuer Bank to place a lot of trust on the Cardholder.
IMO, Cardholder needs to reciprocate that trust and accept it on faith that the card details will not be used illicitly by Issuer Bank before the credit card is shipped – or at any point in future.