> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Settings

> Configure IP restrictions, callback URL whitelisting, and card display permissions in your PCI Booking account

PCI Booking provides several security features you can enable to restrict access and control how card data flows through your account. We recommend employing as many of these as possible based on your needs.

## IP Restrictions

Restrict which IP addresses can call the PCI Booking API. Only requests from approved IPs are accepted.

### Setup

1. Log into the [PCI Booking portal](https://users.pcibooking.net).
2. Navigate to **PCI Shield Settings** > **IP Restriction Settings**.
3. Add new IP ranges using the plus icon. Enter a descriptive name and specify starting/ending IP addresses. For a single IP, use the same value for both.
4. Edit or delete existing entries by selecting them.

<Warning>
  Before enabling IP restrictions, make sure your current IP address is included. These settings also control portal access, so an incorrect configuration can lock you out.
</Warning>

## Relay Restrictions

Control which destination URLs can receive card data via [token replacement](/use-tokens/token-replacement-in-request). Only whitelisted destinations are permitted.

Relay restrictions are configured per user. Each user can have different approved destinations.

### Setup

1. Log into the [PCI Booking portal](https://users.pcibooking.net).
2. Navigate to **Account Settings** > **View Accounts**.
3. Select the user.
4. Under **Whitelist endpoints for retrieving cards**, add or remove destinations.

When whitelisting, provide the domain with protocol. For example, if relaying to `https://api.example.com/payments/process`, enter `https://api.example.com`.

<Info>
  If no whitelist is configured, the user can relay to any destination without restriction. Once you add the first entry, only whitelisted destinations are allowed.
</Info>

<Info>
  If you use a [CVV retention policy](/capture-cards/cvv-retention-policy), make sure the CVV relay destinations are included in the whitelist.
</Info>

## User and Permission Management

PCI Booking accounts support multiple users, each with specific permissions controlling what actions they can perform. When adding users who have card retrieval permissions, consider also setting up [relay restrictions](#relay-restrictions) for them.

See [Manage Users](/account-setup/manage-users) for full details on viewing, adding, and configuring users and their API keys.

## Whitelisting PCI Booking at Third Parties

When PCI Booking sends requests to third parties on your behalf (via token replacement or the gateway), the requests come from PCI Booking's IP addresses. We recommend whitelisting these IPs with the third parties you integrate with.

Contact [support@pcibooking.net](mailto:support@pcibooking.net) for the current list of PCI Booking IP addresses.

## Gateway Sender Whitelisting

When using the PCI Booking [gateway](/capture-cards/tokenization-on-request), third-party requests are forwarded to you from PCI Booking. From your server's perspective, all requests come from PCI Booking's servers, not the original sender.

PCI Booking passes the original sender's IP via the `X-Forwarded-For` header. This header contains multiple IP addresses:

* **First IP** - the original sender
* **Middle IPs** - PCI Booking internal addresses (can be ignored)
* **Last IP** - PCI Booking's external web server

```http theme={null}
X-Forwarded-For: 109.76.169.47, 172.200.3.67, 34.243.68.114
```

In this example, `109.76.169.47` is the original sender and `34.243.68.114` is PCI Booking's server.

To set up whitelisting on your end:

1. Accept requests where the **last** IP in `X-Forwarded-For` is a PCI Booking IP (contact [support@pcibooking.net](mailto:support@pcibooking.net) for the current list).
2. Filter by the **first** IP to verify the original sender, just as you would without PCI Booking in the middle.

## CVV Retention Policy

Set automatic deletion timelines for CVV data and control where cards with CVV can be relayed. This is a separate feature with its own configuration. See [CVV Retention Policy](/capture-cards/cvv-retention-policy) for full details.

## Token Housekeeping

We recommend regularly auditing your token database against PCI Booking's records to identify and remove stale card data. Delete tokens you no longer need using the [Delete Token](/manage-tokens/delete-tokens) operation.
