How It Works
CVV retention is not part of the tokenization request itself. It is a separate step that happens after tokenization:- Card is tokenized (via any tokenization method) with CVV included.
- You have 60 minutes to set a per-token CVV retention policy via the Set CVV Retention Policy endpoint.
- If you don’t set one, the account-wide default policy is applied automatically. If no account-wide default exists, the system default applies: CVV can be used once and is then cleared.
Policy Levels
Policy Types
Destination Types
Per-destination policies support these destination types:Auto-Delete Card on CVV Expiry
You can optionally configure the policy to delete the entire card token when its CVV is cleared, using theDeleteCardUponCvvCleanup option. Use this when a token without CVV has no value in your workflow.
Setting the Account-Wide Default
To set a default CVV retention policy that applies automatically to all new tokens in your account:- Log in to the PCI Booking portal.
- Navigate to Booker Settings > CVV Store Rules.
- Under Storage Period, set the duration that CVV is stored (e.g., 12 months). Maximum is 4 years / 48 months.
- Under Destinations, define the approved list of destinations where CVV can be relayed. For each destination, specify:
- Destination type (see Destination Types above)
- Destination value (e.g., hostname, IP address)
- Quota (number of times the CVV can be relayed to this destination)
You can configure up to 50 different destinations. Each destination allows a quota of up to 50 relays.
Managing Per-Token Policies
Next Steps
CVV Management
Manage CVV data within a token: check status, capture separately, or clear manually.
Capture Cards Overview
All tokenization methods.

