IP Restrictions
Restrict which IP addresses can call the PCI Booking API. Only requests from approved IPs are accepted.Setup
- Log into the PCI Booking portal.
- Navigate to PCI Shield Settings > IP Restriction Settings.
- Add new IP ranges using the plus icon. Enter a descriptive name and specify starting/ending IP addresses. For a single IP, use the same value for both.
- Edit or delete existing entries by selecting them.
Relay Restrictions
Control which destination URLs can receive card data via token replacement. Only whitelisted destinations are permitted. Relay restrictions are configured per user. Each user can have different approved destinations.Setup
- Log into the PCI Booking portal.
- Navigate to Account Settings > View Accounts.
- Select the user.
- Under Whitelist endpoints for retrieving cards, add or remove destinations.
https://api.example.com/payments/process, enter https://api.example.com.
If no whitelist is configured, the user can relay to any destination without restriction. Once you add the first entry, only whitelisted destinations are allowed.
If you use a CVV retention policy, make sure the CVV relay destinations are included in the whitelist.
User and Permission Management
PCI Booking accounts support multiple users, each with specific permissions controlling what actions they can perform. When adding users who have card retrieval permissions, consider also setting up relay restrictions for them. See Manage Users for full details on viewing, adding, and configuring users and their API keys.Whitelisting PCI Booking at Third Parties
When PCI Booking sends requests to third parties on your behalf (via token replacement or the gateway), the requests come from PCI Booking’s IP addresses. We recommend whitelisting these IPs with the third parties you integrate with. Contact support@pcibooking.net for the current list of PCI Booking IP addresses.Gateway Sender Whitelisting
When using the PCI Booking gateway, third-party requests are forwarded to you from PCI Booking. From your server’s perspective, all requests come from PCI Booking’s servers, not the original sender. PCI Booking passes the original sender’s IP via theX-Forwarded-For header. This header contains multiple IP addresses:
- First IP - the original sender
- Middle IPs - PCI Booking internal addresses (can be ignored)
- Last IP - PCI Booking’s external web server
109.76.169.47 is the original sender and 34.243.68.114 is PCI Booking’s server.
To set up whitelisting on your end:
- Accept requests where the last IP in
X-Forwarded-Foris a PCI Booking IP (contact support@pcibooking.net for the current list). - Filter by the first IP to verify the original sender, just as you would without PCI Booking in the middle.

