Skip to main content
POST

CVV Capture Guide

Collect CVV from cardholders via hosted forms
Use this endpoint to send a secure CVV capture link to a cardholder who has already provided their card details. The cardholder clicks the link to enter only their CVV, which PCI Booking combines with the original card data to create a new token. This is useful when you already have a stored card token but need the CVV for a subsequent transaction.
This operation duplicates the original token. Once the cardholder enters the CVV, PCI Booking creates a new token with the original card details plus the captured CVV. The original token remains unchanged. Delete it if no longer needed, otherwise it will continue to incur monthly storage fees.

Error Responses

Parameter Constraints

Parameters

Headers

Authorization
string
required
Your API key prefixed with APIKEY. Example: APIKEY your-api-key. See the Authentication guide.

Request Configuration

SenderID
string
required
The user ID of the booker.
OriginCardUri
string
required
The card URI is the resource identifier for the card location within PCI Booking.
Language
string
default:"EN"
The form’s language in ISO 639-1 (2-letter) format. See supported languages. If an unsupported language is received, English will be displayed. Languages can be added through the user’s control panel.
Css
string
The CSS resource name. Follow the guide on managing stylesheets. If not provided, PCI Booking will apply the default CSS.
CallBackURL
string
A URL where PCI Booking will push the status of the request.
RequestTTL
integer
required
The number of hours the request will be valid for. Minimum 1 hour, maximum 24 hours.

Delivery

DestinationType
string
required
How to send the link to the card capture form. Values: email or sms.
Destination
string
required
The destination email address or phone number. Phone numbers should be formatted as international dial numbers: Country code + area code + phone number.
RecipientName
string
required
The recipient’s name. Max 70 characters.
Description
string
Free text description of this request. Max 50 characters.
SenderReference
string
A reference value that can be used to query for this card token.

Transaction Details

Amount
double
The transaction amount. Required if Currency is provided.
Currency
string
The transaction currency in ISO 4217 (3-letter) format. Required if Amount is provided. An incorrect value returns error code 401 BAD DATA.

Branding

CustomerSupportLink, CustomerSupportLinkText, CustomerSupportEmail, and CustomerSupportPhone can also be set in your account settings. Values provided in the request override the account defaults.
URLs in the request body (e.g. ClientLogoURL, Success, Failure) should not be URL-encoded, since they are sent in JSON, not as query parameters.
ClientLogoURL
string
URL to the logo displayed in the Card By Link email and landing page. Submit with a null value to hide the logo. If not supplied, the logo from your Booker profile in the portal is used. Images must be publicly accessible via HTTPS URL.
LogoTitle
string
The title of the logo. If not provided, the booker name from the portal is used. Submit with a null value to hide the logo title. Max 100 characters.
FaviconURL
string
URL to the favicon displayed in the Card By Link landing page. If not supplied, the browser default favicon is used. Images must be publicly accessible via HTTPS URL in ico or png format, size 16x16 or 32x32.
SiteTitle
string
The page title to be displayed. Max 40 characters.
CustomHeaderText
string
Text displayed in the header of the message to the recipient. Max 1000 characters. If RecipientName, Amount, and Currency placeholders are not listed in the CustomHeaderText or in the portal customizations but are provided in the request parameters, they will still be displayed in the email.
Text displayed in the footer of the message to the recipient. Max 1000 characters. If CustomerSupportEmail and CustomerSupportPhone placeholders are not listed in the CustomFooterText or in the portal customizations but are provided in the request parameters, they will still be displayed in the email.
CustomerSupportPhone
string
Phone number displayed in the email and landing page. Max 20 characters.
CustomerSupportEmail
string
Email address displayed in the email and landing page. Max 50 characters.
URL for customer support displayed in the email and landing page. Max 255 characters. Required if CustomerSupportLinkText is provided.
Display name for the customer support URL in the email and landing page. Max 100 characters. Required if CustomerSupportLink is provided.

Redirect URLs

Success
string
URL where a successful response will be redirected to. See setting up success/failure redirection pages.
Failure
string
URL where a failed response will be redirected to. See setting up success/failure redirection pages.

Response

201 - Empty body. A Location header is returned with the URI for this card request. Use this URI to retrieve the request status or delete the request.
Remember to set the CVV Retention Policy on the new token once the CVV is captured.