Skip to main content
GET

CVV Capture Guide

Collect CVV from cardholders via hosted forms
The response is the HTML content of the CVV capture form itself. You can use the request URL either as the page URL that a customer is directed to or as the source URL of an iframe element on your page.
Submitting this form creates a new token that is a full copy of the original card details plus the captured CVV. The original token is not modified and does not contain the CVV. You are responsible for deleting the original token if it is no longer needed, otherwise it will continue to incur monthly storage fees. Remember to set the CVV Retention Policy on the new token.

Parameters

Authentication

This is a browser-facing endpoint. Use one of the authentication methods below instead of the API key shown above.
accessToken
string
Recommended. A long-lived token for browser-side calls. How to generate.
sessionToken
string
Alternative. Valid for 5 minutes. How to generate.
If both are provided, the session token takes precedence.

Form Configuration

brand
string
required
Your PCI Booking username, used to identify your account.
cardUri
string
required
The resource identifier (URI) for the card location within PCI Booking.
language
string
required
The form’s language in ISO 639-1 (2-letter) format - see here. If an unsupported language is provided, English will be displayed. To add languages, contact support.
css
string
The CSS resource name. See the guide on managing stylesheets. If omitted, the default CSS is applied.
removeBaseCss
boolean
default:"false"
Whether to remove the PCI Booking base CSS. The base CSS does not collide with the host site’s CSS. true: remove base CSS. false: use base CSS.
success
string
URL to redirect to on successful submission. See success/failure redirection pages.
failure
string
URL to redirect to on failed submission. See success/failure redirection pages.
submitWithPostMessage
boolean
Whether to exclude the PCI Booking submit button, allowing the host site to use its own button. true: exclude submit button. false: include submit button. See postMessage integration.
autoFocus
boolean
default:"true"
Whether the card security code field receives focus when the parent page loads.
postMessageHost
string
The domain name of the host site where the iframe is displayed.
creatorReference
string
A reference value that can be used to query for this card token later.

3D Secure

Visa requirement (Aug 2024): You must provide at least the cardholder’s email or phone for 3DS authentication.
ThreeDS
boolean
default:"false"
Whether to perform 3D Secure authentication after card entry. If enabled with Access Token authorization, provide two access tokens.
UnavailThreeDSAuth
string
default:"Accept"
Action to take if a technical problem occurs during 3DS processing. Accept: ignore 3DS failure and proceed with tokenization. Reject: do not tokenize the card; redirect to the failure URL.
merchantName
string
The merchant name for 3D Secure authentication. Must be URL-encoded and unique per 3DS merchant account. See 3DS merchant setup.
amount
integer
default:"0"
Transaction amount for the 3D Secure challenge screen. Must be provided together with currencyCode. If omitted, authentication uses a 0 EUR amount.
currencyCode
string
default:"EUR"
Currency code for the 3D Secure challenge screen amount. Must be provided together with amount. If omitted, authentication uses a 0 EUR amount.
email
string
Cardholder’s email address for 3D Secure authentication. Must be a valid email format, e.g. joe@bloggs.com.
phone
string
Cardholder’s telephone number for 3D Secure authentication. May only contain digits [0-9], e.g. 00353112223344.

Response

200 - HTML content of the CVV capture form.