Skip to main content
The Hosted Card Entry Form is a PCI Booking-hosted page where cardholders enter their card details securely. You embed it as an iframe or redirect to it as a standalone page. Card data never touches your servers.
This is a non-functional preview showing the default card entry form. The form’s appearance can be fully customized with your own CSS stylesheet.
There are two ways to create a card entry form: URL with query parameters or API session. Both produce the same form. The difference is how you configure it and how you receive the result.

Option 1: URL with Query Parameters

Build the form URL directly by appending configuration as query parameters. This is the simpler approach and requires no server-side API call to set up the form.
Embed it in your page:
When the cardholder submits the form, PCI Booking redirects to your success URL with the token appended. You can also specify a failure URL for declined or cancelled submissions. See the full parameter reference for all available query parameters.

Option 2: API Session

Create a card entry form session via a server-side API call. Configuration is set in the request body rather than in the URL, so nothing is exposed to the client. Results are delivered via a server-to-server callback.
1

Set up a callback endpoint

Create an endpoint on your server to receive tokenization results from PCI Booking. This is a one-time setup. See the callback reference for the payload format.
2

Create a card entry form session

Send a POST request to create the session:
The response returns a RequestID and a Location header containing the form URL.
3

Embed the form

Take the URL from the Location header and set it as the iframe source in your page:
4

Receive the callback

When the cardholder submits the form, PCI Booking sends a POST to your CallBackURL with the token details. You can also poll the session status using the request ID:
5

Clean up (optional)

Delete the session if the cardholder abandons the form or you no longer need it.

Which Should I Use?

For quick integrations and prototyping, the URL approach is fastest. For production use, the API session provides better security, callback support, and session management.

Key Features

Both approaches support:
  • CSS customization. Style the form to match your brand by storing a stylesheet. See the Stylesheets guide for details.
  • 3D Secure. 3DS verification is supported during card capture. When enabled, a 3DS challenge is presented to the cardholder automatically if required by the issuing bank. The cardholder has 5 minutes to complete the challenge before it expires. See the 3DS Merchant Setup page to configure your merchant details for 3DS.
  • Multi-language. Set the form language via the Language parameter (ISO 639-1 two-letter code).
When embedding in an iframe, ensure your Content Security Policy allows framing from service.pcibooking.net.

Next Steps

Card Validation Errors

Error messages the cardholder may see when entering invalid card data.

Stylesheets Guide

Customize the look and feel of your card entry form.

Capture Cards Overview

All available tokenization methods.