Skip to main content
Card By Link lets you capture card details securely by sending a link to the cardholder via email or SMS. The cardholder enters their card on a PCI Booking-hosted page, customized by you, and PCI Booking tokenizes it. No card data passes through your systems.

How It Works

  1. Initiate request. Your system calls the Send Card Form API to create a Card By Link request, specifying the cardholder’s email or phone number.
  2. Secure link sent. PCI Booking sends a short-lived secure link to the cardholder.
  3. Cardholder enters card. The cardholder clicks the link and enters their card details on the hosted form.
  4. Token created. PCI Booking tokenizes the card and notifies your system via callback.
You can check the request status at any time, or cancel a pending request if needed.

Key Features

  • Email and SMS delivery. Send the capture link through either channel (or both).
  • Customizable templates. Brand the email or SMS message with your own templates.
  • Status tracking. Query the request status at any time to check if the cardholder has completed the form.
  • Callback notifications. Receive a POST callback when the card is captured.
  • Short-lived links. Links expire after a configurable period, ensuring security.
  • 3D Secure. 3DS verification is supported. When enabled, a 3DS challenge is presented to the cardholder after they enter their card. The cardholder has 5 minutes to complete the challenge before it expires. See 3DS Merchant Setup to configure your merchant details.

Security

The cardholder enters card data directly into a PCI Booking-hosted page, customized by you. No one else sees or handles the card details. This is ideal for call centers, remote collection, and any scenario where the cardholder is not on your website.
An agent on the phone says: “I’ve just sent you a secure link to enter your card details.” The cardholder receives the link, enters their card, and the agent sees confirmation that the token was created, without ever handling card data.
Card By Link URLs are time-limited. If the cardholder doesn’t complete the form before expiration, you’ll need to generate a new request.

CVV-Only Capture

Card By Link also supports collecting just the CVV on an existing token. Use the Send CVV Form endpoint instead of the card form endpoint. The cardholder receives a link, enters only their CVV, and PCI Booking creates a new token with the original card details plus the captured CVV.
The CVV capture creates a new token. The original token remains unchanged. Delete the original token if it is no longer needed, otherwise it will continue to incur monthly storage fees.
Remember to set a CVV retention policy on the new token within 60 minutes, or your account default will apply.

White Label Emails

By default, Card By Link emails come from the pcibooking.net domain. To send them from your own domain instead, configure a White Label Email Domain.

Next Steps

Customize Card By Link Templates

Brand your Card By Link emails, SMS messages, and landing pages.

Card Validation Errors

Error messages the cardholder may see when entering invalid card data.

Capture Cards Overview

All available tokenization methods.