Request a Card Entry Form
Capture Cards
Request a Card Entry Form
Build a URL that renders a PCI Booking card capture form. Use it as an iframe src or redirect the cardholder to it.
GET
Request a Card Entry Form
Hosted Card Entry Form Guide
Embed a secure card capture form in your website
- iframe: set it as the
srcattribute of an iframe element on your page - Redirect: redirect the cardholder’s browser to this URL as a standalone page
success URL with the token details, or to your failure URL if something goes wrong.
- All parameter values must be URL-encoded.
- All URLs you pass (success, failure, postMessageHost) must use HTTPS.
- See the Hosted Card Entry Form guide for a visual preview of the rendered form.
If you prefer a clean iframe URL without query parameters, use the session-based card entry form instead. That method sends parameters in a server-side POST and returns a ready-to-use iframe URL.
Parameters
Authentication
Recommended. A long-lived token for browser-side calls. How to generate.
Alternative. Valid for 5 minutes. How to generate.
Core Parameters
Access token for authentication. Recommended over session token.
Session token for authentication.
Your PCI Booking username, used to identify your account.
Form language in ISO 639-1 format (e.g.
en, fr, de). Unsupported languages fall back to English. See custom translations.The domain of the host page where the iframe is displayed (e.g.
yoursite.com). Required for postMessage communication between the form and your page.URL to redirect to after successful card capture. The token details are appended as query parameters. Strongly recommended. See success/failure URLs.
URL to redirect to if the card capture fails. See success/failure URLs.
A reference value you define, which you can later use to query for this token.
Card Form Display
When
true, the form detects the card type from the card number automatically. When false, a dropdown menu is shown for manual card type selection.Which card type is pre-selected in the dropdown menu (only relevant when
autoDetectCardType is false).Comma-separated list of accepted card types. If omitted or no valid types are found, all card types are shown.
Show an “Owner ID” field on the form. Required in some countries.
Format of the expiration month dropdown.
numbers shows 01, 02, ..., names shows January, February, ...Minimum allowed expiration date in
mmyyyy format (e.g. 012027). Useful when the card must be valid past a check-in date.Additional validation for the Name on Card field.
NO_DIGITS prevents digits in the name.Auto-focus the first form field when the page loads. Focuses the card number field if
autoDetectCardType is true, or the card type dropdown otherwise.Styling
CSS resource name. See managing stylesheets. If omitted, PCI Booking’s default stylesheet is used.
When
true, removes PCI Booking’s base CSS entirely. The base CSS does not collide with your site’s styles, so this is rarely needed.CVV
When
true, saves the CVV in PCI Booking’s vault alongside the card. Remember to set a CVV Retention Policy to control how long the CVV is stored.3D Secure
Enable 3D Secure authentication after card entry. If using access token auth, provide two access tokens (see Authentication section above).
What to do if the 3DS service is unavailable.
Accept: skip 3DS and tokenize the card anyway. Reject: do not tokenize, redirect to the failure URL.Merchant name for 3DS authentication. Must be URL-encoded and match a configured 3DS merchant. Leave blank to use PCI Booking’s merchant (Visa and Mastercard only).
Transaction amount shown in the 3DS challenge screen. Must be paired with
currencyCode. If omitted, authentication uses 0 EUR.ISO 4217 currency code for the 3DS challenge amount. Must be paired with
amount.Cardholder email for 3DS authentication. Since August 2024, Visa requires either
email or phone for all 3DS authentications.Cardholder phone number for 3DS authentication (digits only, e.g.
00353112223344). Required by Visa if email is not provided.Advanced
When
true, removes PCI Booking’s submit button so you can trigger form submission from your own page via postMessage. See postMessage setup.When
true, PCI Booking checks if this card was previously stored and returns the existing token instead of creating a new one.When
true, PCI Booking sends the non-sensitive form data to your server via postMessage for custom validation before tokenizing. Your server has 3 seconds to respond.Request Example
Since this is a URL you build (not a server-side API call), the “request” is the fully constructed URL placed in an iframe or used as a redirect target. Here is an example using curl to test the URL directly:- curl
- Node.js
- Python
src of an iframe element on your page:
Success Response
On successful card capture, PCI Booking redirects the cardholder’s browser to yoursuccess URL with the token details appended as query parameters:
Errors
If the form cannot be rendered (invalid or missing parameters, authentication failure), PCI Booking redirects to yourfailure URL with error details. If no failure URL is configured, PCI Booking displays an error page.
Errors delivered to the
failure URL are appended as query parameters. See success/failure URLs for the format and available error fields.
