Skip to main content
GET
Request a Card Entry Form

Hosted Card Entry Form Guide

Embed a secure card capture form in your website
This is not a typical API call that you make from your server. Instead, you build a URL with query parameters and use it in one of two ways:
  • iframe: set it as the src attribute of an iframe element on your page
  • Redirect: redirect the cardholder’s browser to this URL as a standalone page
The URL renders a secure card capture form hosted by PCI Booking. When the cardholder submits the form, PCI Booking tokenizes the card and redirects to your success URL with the token details, or to your failure URL if something goes wrong.
  • All parameter values must be URL-encoded.
  • All URLs you pass (success, failure, postMessageHost) must use HTTPS.
  • See the Hosted Card Entry Form guide for a visual preview of the rendered form.
If you prefer a clean iframe URL without query parameters, use the session-based card entry form instead. That method sends parameters in a server-side POST and returns a ready-to-use iframe URL.

Parameters

Authentication

This is a browser-facing endpoint. Use one of the authentication methods below instead of the API key shown above.
accessToken
string
Recommended. A long-lived token for browser-side calls. How to generate.
sessionToken
string
Alternative. Valid for 5 minutes. How to generate.
If both are provided, the session token takes precedence. All parameters are passed as query string parameters in the URL.

Core Parameters

accessToken
string
Access token for authentication. Recommended over session token.
sessionToken
string
Session token for authentication.
brand
string
required
Your PCI Booking username, used to identify your account.
language
string
required
Form language in ISO 639-1 format (e.g. en, fr, de). Unsupported languages fall back to English. See custom translations.
postMessageHost
string
required
The domain of the host page where the iframe is displayed (e.g. yoursite.com). Required for postMessage communication between the form and your page.
success
string
URL to redirect to after successful card capture. The token details are appended as query parameters. Strongly recommended. See success/failure URLs.
failure
string
URL to redirect to if the card capture fails. See success/failure URLs.
creatorReference
string
A reference value you define, which you can later use to query for this token.

Card Form Display

autoDetectCardType
boolean
default:"false"
When true, the form detects the card type from the card number automatically. When false, a dropdown menu is shown for manual card type selection.
defaultCardType
string
Which card type is pre-selected in the dropdown menu (only relevant when autoDetectCardType is false).
cardTypes
string
Comma-separated list of accepted card types. If omitted or no valid types are found, all card types are shown.
showOwnerId
boolean
default:"false"
Show an “Owner ID” field on the form. Required in some countries.
expirationMonths
string
default:"numbers"
Format of the expiration month dropdown. numbers shows 01, 02, ..., names shows January, February, ...
minExpiration
string
Minimum allowed expiration date in mmyyyy format (e.g. 012027). Useful when the card must be valid past a check-in date.
nameOnCardValidation
string
Additional validation for the Name on Card field. NO_DIGITS prevents digits in the name.
autoFocus
boolean
default:"true"
Auto-focus the first form field when the page loads. Focuses the card number field if autoDetectCardType is true, or the card type dropdown otherwise.

Styling

css
string
CSS resource name. See managing stylesheets. If omitted, PCI Booking’s default stylesheet is used.
removeBaseCss
boolean
default:"false"
When true, removes PCI Booking’s base CSS entirely. The base CSS does not collide with your site’s styles, so this is rarely needed.

CVV

cvv
boolean
default:"false"
When true, saves the CVV in PCI Booking’s vault alongside the card. Remember to set a CVV Retention Policy to control how long the CVV is stored.

3D Secure

If you enable 3D Secure, the challenge window has a 5-minute timeout. If the cardholder does not complete the challenge in time, the authentication is rejected.
ThreeDS
boolean
default:"false"
Enable 3D Secure authentication after card entry. If using access token auth, provide two access tokens (see Authentication section above).
UnavailThreeDSAuth
string
default:"Accept"
What to do if the 3DS service is unavailable. Accept: skip 3DS and tokenize the card anyway. Reject: do not tokenize, redirect to the failure URL.
merchantName
string
Merchant name for 3DS authentication. Must be URL-encoded and match a configured 3DS merchant. Leave blank to use PCI Booking’s merchant (Visa and Mastercard only).
amount
integer
default:"0"
Transaction amount shown in the 3DS challenge screen. Must be paired with currencyCode. If omitted, authentication uses 0 EUR.
currencyCode
string
default:"EUR"
ISO 4217 currency code for the 3DS challenge amount. Must be paired with amount.
email
string
Cardholder email for 3DS authentication. Since August 2024, Visa requires either email or phone for all 3DS authentications.
phone
string
Cardholder phone number for 3DS authentication (digits only, e.g. 00353112223344). Required by Visa if email is not provided.
Do not use the merchantName parameter unless you have configured a 3DS merchant account. Providing an unconfigured merchant name will cause 3DS processing to fail.

Advanced

submitWithPostMessage
boolean
default:"false"
When true, removes PCI Booking’s submit button so you can trigger form submission from your own page via postMessage. See postMessage setup.
eliminateCardDuplication
boolean
default:"false"
When true, PCI Booking checks if this card was previously stored and returns the existing token instead of creating a new one.
useCustomValidation
boolean
default:"false"
When true, PCI Booking sends the non-sensitive form data to your server via postMessage for custom validation before tokenizing. Your server has 3 seconds to respond.

Request Example

Since this is a URL you build (not a server-side API call), the “request” is the fully constructed URL placed in an iframe or used as a redirect target. Here is an example using curl to test the URL directly:
In production, you would set this URL as the src of an iframe element on your page:

Success Response

On successful card capture, PCI Booking redirects the cardholder’s browser to your success URL with the token details appended as query parameters:
If you are using postMessage instead of redirect, the token details are sent via a postMessage event.

Errors

If the form cannot be rendered (invalid or missing parameters, authentication failure), PCI Booking redirects to your failure URL with error details. If no failure URL is configured, PCI Booking displays an error page. Errors delivered to the failure URL are appended as query parameters. See success/failure URLs for the format and available error fields.