diff --git a/apiserver/apiserver/api/serializers.py b/apiserver/apiserver/api/serializers.py
index 99e2ebd..36c654c 100644
--- a/apiserver/apiserver/api/serializers.py
+++ b/apiserver/apiserver/api/serializers.py
@@ -159,6 +159,34 @@ class AdminSearchSerializer(serializers.Serializer):
 
 
 
+# member viewing his own cards
+class CardSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.Card
+        fields = '__all__'
+        read_only_fields = [
+            'id',
+            'card_number',
+            'member_id',
+            'notes',
+            'last_seen_at',
+            'active_status',
+            'user',
+        ]
+
+# admin viewing member details
+class AdminCardSerializer(CardSerializer):
+    card_number = serializers.CharField()
+    class Meta:
+        model = models.Card
+        fields = '__all__'
+        read_only_fields = [
+            'id',
+            'last_seen_at',
+        ]
+
+
+
 class UserTrainingSerializer(serializers.ModelSerializer):
     class Meta:
         model = models.Training
diff --git a/apiserver/apiserver/api/views.py b/apiserver/apiserver/api/views.py
index 7efa2ec..ac32cb5 100644
--- a/apiserver/apiserver/api/views.py
+++ b/apiserver/apiserver/api/views.py
@@ -27,7 +27,13 @@ class RetrieveUpdateViewSet(
         mixins.RetrieveModelMixin,
         mixins.UpdateModelMixin):
     def list(self, request):
-        raise exceptions.PermissionDenied
+        return Response([])
+
+class CreateRetrieveUpdateDeleteViewSet(
+        RetrieveUpdateViewSet,
+        mixins.CreateModelMixin,
+        mixins.DestroyModelMixin):
+    pass
 
 
 search_strings = {}
@@ -105,6 +111,17 @@ class MemberViewSet(RetrieveUpdateViewSet):
             return serializers.MemberSerializer
 
 
+class CardViewSet(CreateRetrieveUpdateDeleteViewSet):
+    permission_classes = [AllowMetadata | IsAuthenticated, IsOwnerOrAdmin]
+    queryset = models.Card.objects.all()
+
+    def get_serializer_class(self):
+        if is_admin_director(self.request.user):
+            return serializers.AdminCardSerializer
+        else:
+            return serializers.CardSerializer
+
+
 class CourseViewSet(viewsets.ModelViewSet):
     permission_classes = [AllowMetadata | IsAuthenticated]
     queryset = models.Course.objects.annotate(date=Max('sessions__datetime')).order_by('-date')
diff --git a/apiserver/apiserver/urls.py b/apiserver/apiserver/urls.py
index a9bee18..9de0323 100644
--- a/apiserver/apiserver/urls.py
+++ b/apiserver/apiserver/urls.py
@@ -11,6 +11,7 @@ router.register(r'members', views.MemberViewSet, basename='members')
 router.register(r'courses', views.CourseViewSet, basename='course')
 router.register(r'sessions', views.SessionViewSet, basename='session')
 router.register(r'search', views.SearchViewSet, basename='search')
+router.register(r'cards', views.CardViewSet, basename='card')
 #router.register(r'me', views.FullMemberView, basename='fullmember')
 #router.register(r'registration', views.RegistrationViewSet, basename='register')