Skip to main content
The postMessage mechanism enables secure cross-domain communication between your page and the embedded PCI Booking iframe. It works with the Card Entry Form, Card Display, and CVV capture forms. Use postMessage to:
  • Know when the iframe is ready.
  • Validate the form programmatically from your page.
  • Submit the form programmatically.
  • Receive tokenization results without a page redirect.
  • Resize the iframe dynamically based on form content.
  • Intercept card details before tokenization for custom approval logic.

Setup

Add the postMessageHost parameter to your iframe URL. Set it to your page’s origin (URL-encoded):
On your page, listen for messages from the iframe:

Events from the Iframe

Field-level validation events are also sent as JSON objects with {field, validationResult} for each field as the user interacts with the form.

Commands to the Iframe

Your page can send commands to the iframe:

Receiving Results via PostMessage

To receive tokenization results via postMessage instead of a redirect, add submitWithPostMessage=true to your iframe URL. On success, the iframe sends a CardSubmitSuccess message containing the token details. On failure, it sends CardSubmitFailure with the error.

Dynamic Iframe Resizing

When the form content changes (e.g. validation errors appear), the iframe sends frameDimensionsChanged:{width}:{height}. Use this to resize the iframe:

Custom Validation

Custom validation lets your page inspect card details before tokenization and approve or reject the submission. Enable it by adding useCustomValidation=true to the iframe URL. When the cardholder submits the form, the iframe pauses tokenization and sends a CustomValidation message with masked card details:
Your page has 3 seconds to respond. If no response is received, tokenization proceeds automatically.

Approving

Rejecting

When rejected, the form displays the message as a validation error and the cardholder can correct their input or try a different card.

Use Cases

  • Restrict accepted card types or BIN ranges before tokenization.
  • Check card details against your business rules (e.g. reject corporate cards, enforce expiry minimums).
  • Log or audit card submissions before they are tokenized.

Next Steps

Hosted Card Entry Form

Set up the card entry form iframe.

Capture Cards Overview

All tokenization methods.

Stylesheets

Customize the look of your card entry form.

Card Entry Form Callback

API reference for form callback notifications.