Skip to main content
The CVV Capture Form is a PCI Booking-hosted form that collects only the card security code (CVV) from the cardholder. Use it when you already have a card token but need the CVV for a transaction.

How It Works

  1. Your system calls the Request CVV Entry Form endpoint, passing the existing card token.
  2. PCI Booking returns a form URL that you embed as an iframe or redirect to.
  3. The cardholder enters only their CVV.
  4. PCI Booking duplicates the original card to a new token and attaches the captured CVV to the new token.
  5. The cardholder is redirected to your success URL with the new token.
The CVV capture form creates a new token with the card details copied from the original plus the captured CVV. The original token remains unchanged. It is your responsibility to delete the original token if it is no longer needed, otherwise it will continue to incur monthly storage fees.

Setting the CVV Retention Policy

After the new token is created with CVV, you have 60 minutes to set a CVV retention policy on it. If you don’t, your account-wide default applies. If no account default exists, the system default applies (CVV can be used once and is then cleared).

3D Secure

The CVV capture form supports 3DS authentication. If enabled, a 3DS challenge is presented to the cardholder after they enter their CVV. The cardholder has 5 minutes to complete the challenge. See 3DS Merchant Setup to configure your merchant details for the challenge screen.
If you are using 3DS authentication, you must provide either the cardholder’s email address or phone number in the request. This is required by Visa for all 3DS authentications.
You can also collect CVV remotely by sending the cardholder a link via email or SMS. See the CVV-Only Capture section in the Card By Link guide.

Next Steps

CVV Retention Policy

Configure how long CVV is retained.

CVV Management

Check CVV status, usage, or clear CVV on a token.

Capture Cards Overview

All tokenization methods.