How It Works
- Initiate request. Your system calls the Send Card Form API to create a Card By Link request, specifying the cardholder’s email or phone number.
- Secure link sent. PCI Booking sends a short-lived secure link to the cardholder.
- Cardholder enters card. The cardholder clicks the link and enters their card details on the hosted form.
- Token created. PCI Booking tokenizes the card and notifies your system via callback.
Key Features
- Email and SMS delivery. Send the capture link through either channel (or both).
- Customizable templates. Brand the email or SMS message with your own templates.
- Status tracking. Query the request status at any time to check if the cardholder has completed the form.
- Callback notifications. Receive a POST callback when the card is captured.
- Short-lived links. Links expire after a configurable period, ensuring security.
- 3D Secure. 3DS verification is supported. When enabled, a 3DS challenge is presented to the cardholder after they enter their card. The cardholder has 5 minutes to complete the challenge before it expires. See 3DS Merchant Setup to configure your merchant details.
Security
The cardholder enters card data directly into a PCI Booking-hosted page, customized by you. No one else sees or handles the card details. This is ideal for call centers, remote collection, and any scenario where the cardholder is not on your website.An agent on the phone says: “I’ve just sent you a secure link to enter your card details.” The cardholder receives the link, enters their card, and the agent sees confirmation that the token was created, without ever handling card data.
CVV-Only Capture
Card By Link also supports collecting just the CVV on an existing token. Use the Send CVV Form endpoint instead of the card form endpoint. The cardholder receives a link, enters only their CVV, and PCI Booking creates a new token with the original card details plus the captured CVV. Remember to set a CVV retention policy on the new token within 60 minutes, or your account default will apply.White Label Emails
By default, Card By Link emails come from thepcibooking.net domain. To send them from your own domain instead, configure a White Label Email Domain.
Next Steps
Customize Card By Link Templates
Brand your Card By Link emails, SMS messages, and landing pages.
Card Validation Errors
Error messages the cardholder may see when entering invalid card data.
Capture Cards Overview
All available tokenization methods.

