Skip to main content
POST

Card By Link Guide

Send secure card capture links via email or SMS
Use this endpoint to send a secure card capture link to a cardholder via email or SMS. The recipient clicks the link to open a PCI-compliant form where they enter their card details, which are tokenized and stored by PCI Booking. This is ideal for scenarios like phone bookings or back-office operations where you need to collect card data without handling it directly.

Error Responses

Parameter Constraints

Parameters

Headers

Authorization
string
required
Your API key prefixed with APIKEY. Example: APIKEY your-api-key. See the Authentication guide.

Request Configuration

SenderID
string
required
The user ID of the booker.
Language
string
default:"EN"
The form’s language in ISO 639-1 (2-letter) format. See supported languages. If an unsupported language is received, English will be displayed.
Css
string
The CSS resource name. Follow the guide on managing stylesheets. If not provided, PCI Booking will use the default CSS.
CallBackURL
string
A URL where the status of the request will be pushed to by PCI Booking.
RequestTTL
integer
required
The number of hours the request will be valid for. Minimum 1 hour, maximum 24 hours.

Card Form Settings

CardTypes
string[]
Limits the list of card types. If omitted or no valid card types are found, all types will be displayed. Separate card types by comma. Read more on supported card types.
ShowOwnerID
boolean
default:"false"
Whether to display the Owner ID field in the form (required in some countries). true: include the field. false: exclude the field.
DefaultCardType
string
Which card type will be set as default in the card drop down menu. Read more on supported card types.
AutoDetectCardType
boolean
default:"false"
Whether to use card detection according to card number. true: use card detection. false: show a drop down menu for card type selection.
MinExpiration
string
Minimum expiration month/year. Format: mmyyyy. The expiration validation will be checked against this date. Must be a valid date in the specified format. Use case: when the card expiration should be later than a check-in date.
CVV
boolean
default:"false"
Whether to add the CVV field. true: include the CVV and save it in the database. false: exclude the field.
nameOnCardValidation
string
Additional input validation on the Name On Card field. Possible values: NO_DIGITS - the field cannot contain digits.
eliminateCardDuplication
boolean
Whether PCI Booking should look up this card in previously stored cards and return the existing token (if found) or always return a new token. True: look up in existing cards. False: always create new tokens. If not specified, the default behavior is taken from the account settings.

Delivery

DestinationType
string
required
How to send the link to the card capture form. Values: email or sms.
Destination
string
required
The destination of the message - email address or phone number. For phone numbers, format as international dial number: Country code + area code + phone number.
RecipientName
string
required
The recipient’s name. Max 70 characters.
Description
string
Free text description of this request. Max 50 characters.
SenderReference
string
A reference value that can be used to query for this card token later.

Branding

CustomerSupportLink, CustomerSupportLinkText, CustomerSupportEmail, and CustomerSupportPhone can also be set in your account settings. Values provided in the request override the account defaults.
URLs in the request body (e.g. ClientLogoURL, Success, Failure) should not be URL-encoded, since they are sent in JSON, not as query parameters.
CompanyName
string
The name of the company sending the message. Required when sending via SMS.
ClientLogoURL
string
URL to the logo displayed in the Card By Link email and landing page. Submit with a null value to hide the logo. If not supplied, the logo from the Booker information in the portal is used. Images must be publicly accessible, HTTPS URL.
LogoTitle
string
The title of the logo. If not provided, the booker name (as set in the portal) is used. Submit with a null value for no title. Max 100 characters.
FaviconURL
string
URL to the favicon displayed in the Card By Link landing page. If not supplied, the browser default is used. Images must be publicly accessible, HTTPS URL in ico or png format, size 16x16 or 32x32.
SiteTitle
string
default:"Card Display"
The page title to be displayed. Max 40 characters.
CustomHeaderText
string
Text displayed in the header of the message to the recipient. Max 1000 characters. If RecipientName, Amount and Currency placeholders are not listed here or in the portal customizations, but are provided in other request parameters, they will not be displayed.
Text displayed in the footer of the message to the recipient. Max 1000 characters. If CustomerSupportEmail and CustomerSupportPhone placeholders are not listed here or in the portal customizations, but are provided in other request parameters, they will not be displayed.
CustomerSupportPhone
string
Phone number displayed in the email message and landing page. Max 20 characters.
CustomerSupportEmail
string
Email address displayed in the email message and landing page. Max 50 characters.
URL for customer support displayed in the email message and landing page. Max 255 characters. Required if CustomerSupportLinkText is provided.
Display name for the customer support URL in the email message and landing page. Max 100 characters. Required if CustomerSupportLink is provided.

Redirect URLs

Success
string
URL where a successful response will be redirected to. Read more on setting up success / failure redirection pages.
Failure
string
URL where a failed response will be redirected to. Read more on setting up success / failure redirection pages.

3D Secure

  • The 3DS challenge window has a 5 minute timeout. If the cardholder does not respond in time, authentication is rejected.
  • Do not use merchantName unless you have configured your 3DS merchant information. To use PCI Booking’s merchant, set ThreeDS to True and leave merchantName blank (Visa and Mastercard only).
  • Visa requirement (Aug 2024): You must provide at least the cardholder’s email or phone for 3DS authentication.
ThreeDS
boolean
default:"False"
Whether to perform 3D Secure authentication following card entry. If enabled with access token authorization, provide two access tokens.
UnavailThreeDSAuth
string
default:"Accept"
What to do if there is a technical problem with the 3DS process. Accept - ignore 3DS and proceed with tokenizing the card. Reject - do not continue or tokenize; the card owner will be directed to the failure page URL.
merchantName
string
The merchant to use for 3D Secure authentication. Must match a merchant name registered in your 3DS merchant setup.
Amount
double
The transaction amount, also displayed in the 3DS challenge screen. Required if Currency is provided.
Currency
string
The transaction currency in ISO 4217 (3-letter) format, also displayed in the 3DS challenge screen. Required if Amount is provided.
email
string
Cardholder’s email address for 3D Secure authentication. Must be in a valid email format, e.g. joe@bloggs.com.
phone
string
Cardholder’s telephone number for 3D Secure authentication. May only contain digits [0-9], e.g.: 00353112223344.

Response

201 - Empty body. A Location header is returned with the URI for this card request. Use this URI to retrieve the request status or delete the request.
Remember to set the CVV Retention Policy on the token once the card is captured.