> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Request a Card Security Code Entry Form

> Create a PCI Booking CVV capture form for use in an iFrame.

<Card title="CVV Capture Guide" icon="book" href="/capture-cards/cvv-capture">
  Collect CVV from cardholders via hosted forms
</Card>

The response is the HTML content of the CVV capture form itself. You can use the request URL either as the page URL that a customer is directed to or as the source URL of an iframe element on your page.

<Warning>
  Submitting this form creates a **new token** that is a full copy of the original card details plus the captured CVV. The original token is not modified and does not contain the CVV. You are responsible for [deleting](/api-reference/manage-tokens/delete-token) the original token if it is no longer needed, otherwise it will continue to incur monthly storage fees. Remember to set the [CVV Retention Policy](/capture-cards/cvv-retention-policy) on the new token.
</Warning>

## Parameters

### Authentication

<Warning>
  This is a browser-facing endpoint. Use one of the authentication methods below instead of the API key shown above.
</Warning>

<ParamField query="accessToken" type="string">
  Recommended. A long-lived token for browser-side calls. [How to generate](/getting-started/authentication#access-token).
</ParamField>

<ParamField query="sessionToken" type="string">
  Alternative. Valid for 5 minutes. [How to generate](/api-reference/general/start-temporary-session).
</ParamField>

If both are provided, the session token takes precedence.

### Form Configuration

<ParamField query="brand" type="string" required>
  Your PCI Booking username, used to identify your account.
</ParamField>

<ParamField query="cardUri" type="string" required>
  The resource identifier (URI) for the card location within PCI Booking.
</ParamField>

<ParamField query="language" type="string" required>
  The form's language in ISO 639-1 (2-letter) format - [see here](/account-setup/custom-translations). If an unsupported language is provided, English will be displayed. To add languages, [contact support](mailto:support@pcibooking.net).
</ParamField>

<ParamField query="css" type="string">
  The CSS resource name. See the guide on [managing stylesheets](/account-setup/stylesheets). If omitted, the [default CSS](/account-setup/stylesheets) is applied.
</ParamField>

<ParamField query="removeBaseCss" type="boolean" default="false">
  Whether to remove the PCI Booking base CSS. The base CSS does not collide with the host site's CSS. **true**: remove base CSS. **false**: use base CSS.
</ParamField>

<ParamField query="success" type="string">
  URL to redirect to on successful submission. See [success/failure redirection pages](/account-setup/success-and-failure-urls).
</ParamField>

<ParamField query="failure" type="string">
  URL to redirect to on failed submission. See [success/failure redirection pages](/account-setup/success-and-failure-urls).
</ParamField>

<ParamField query="submitWithPostMessage" type="boolean">
  Whether to exclude the PCI Booking submit button, allowing the host site to use its own button. **true**: exclude submit button. **false**: include submit button. See [postMessage integration](/account-setup/success-and-failure-urls).
</ParamField>

<ParamField query="autoFocus" type="boolean" default="true">
  Whether the card security code field receives focus when the parent page loads.
</ParamField>

<ParamField query="postMessageHost" type="string">
  The domain name of the host site where the iframe is displayed.
</ParamField>

<ParamField query="creatorReference" type="string">
  A reference value that can be used to query for this card token later.
</ParamField>

### 3D Secure

<Note>
  **Visa requirement (Aug 2024):** You **must** provide at least the cardholder's `email` or `phone` for 3DS authentication.
</Note>

<ParamField query="ThreeDS" type="boolean" default="false">
  Whether to perform 3D Secure authentication after card entry. If enabled with Access Token authorization, provide two access tokens.
</ParamField>

<ParamField query="UnavailThreeDSAuth" type="string" default="Accept">
  Action to take if a technical problem occurs during 3DS processing. **Accept**: ignore 3DS failure and proceed with tokenization. **Reject**: do not tokenize the card; redirect to the failure URL.
</ParamField>

<ParamField query="merchantName" type="string">
  The merchant name for 3D Secure authentication. Must be URL-encoded and unique per 3DS merchant account. See [3DS merchant setup](/account-setup/3ds-merchant-setup).
</ParamField>

<ParamField query="amount" type="integer" default="0">
  Transaction amount for the 3D Secure challenge screen. Must be provided together with `currencyCode`. If omitted, authentication uses a 0 EUR amount.
</ParamField>

<ParamField query="currencyCode" type="string" default="EUR">
  Currency code for the 3D Secure challenge screen amount. Must be provided together with `amount`. If omitted, authentication uses a 0 EUR amount.
</ParamField>

<ParamField query="email" type="string">
  Cardholder's email address for 3D Secure authentication. Must be a valid email format, e.g. `joe@bloggs.com`.
</ParamField>

<ParamField query="phone" type="string">
  Cardholder's telephone number for 3D Secure authentication. May only contain digits \[0-9], e.g. `00353112223344`.
</ParamField>

<RequestExample>
  ```javascript Node.js theme={null}
  const params = new URLSearchParams({
    brand: 'your-username',
    cardUri: 'https://service.pcibooking.net/api/payments/paycard/865ed8bec1f84366b97112a69cdbf915',
    language: 'en',
    success: 'https://example.com/success',
    failure: 'https://example.com/failure'
  });

  const response = await fetch(
    `https://service.pcibooking.net/api/payments/cvvcapturecard?${params}`,
    {
      headers: {
        'Authorization': 'Bearer your-access-token'
      }
    }
  );

  const html = await response.text();
  console.log(html);
  ```

  ```python Python theme={null}
  import requests

  response = requests.get(
      'https://service.pcibooking.net/api/payments/cvvcapturecard',
      headers={'Authorization': 'Bearer your-access-token'},
      params={
          'brand': 'your-username',
          'cardUri': 'https://service.pcibooking.net/api/payments/paycard/865ed8bec1f84366b97112a69cdbf915',
          'language': 'en',
          'success': 'https://example.com/success',
          'failure': 'https://example.com/failure'
      }
  )

  print(response.text)
  ```
</RequestExample>

## Response

**200** - HTML content of the CVV capture form.

<ResponseExample>
  ```html 200 theme={null}
  HTML content of form
  ```
</ResponseExample>
