Skip to main content
The Store Paycard endpoint lets you send raw card data directly to PCI Booking via API. PCI Booking stores the card securely and returns a token.
Using this method means your system handles raw card details, which puts you in scope of PCI DSS compliance. We strongly recommend using this method only for:
  • Card migration. Moving cards from another storage system or third-party vault to PCI Booking.
  • Temporary workaround. Handling service interruptions where other tokenization methods are temporarily unavailable.
For all other scenarios, use Card Entry Form, Card By Link, or Payments Library. These methods keep card data off your servers entirely.

Prerequisites

Your system must be PCI DSS compliant to use this method, because it requires handling raw card numbers. If you are not PCI DSS compliant, use one of the other tokenization methods listed above.
Before starting a migration, ensure you have:
  • A valid PCI Booking API key (sandbox for testing, production for the actual migration)
  • PCI DSS compliance certification for the system sending card data
  • A clear inventory of the cards to migrate, including which fields are available (card number, expiry, CVV, cardholder name)

How It Works

Send card details directly to the Store Paycard API. PCI Booking stores the card securely and returns a token in the Location response header.
The response returns the token URI in the Location header. See the API reference for the full list of fields and query parameters.

Validation Options

PCI Booking can validate the card data during storage:
  • Luhn check verifies the card number is structurally valid
  • BIN lookup identifies the card brand, issuing bank, and card type (credit, debit, prepaid)
  • Expiry validation rejects cards that have already expired
These validations help catch data quality issues early in the migration rather than discovering them when you attempt to charge the card later.

Migration Best Practices

  • Test in sandbox first. Run your full migration script against the sandbox environment with test card numbers to validate the integration and error handling.
  • Migrate in batches. If migrating a large volume of cards, break them into manageable batches and track progress. This makes it easier to resume if something goes wrong.
  • Map old references to new tokens. Maintain a mapping table between your existing card references and the new PCI Booking tokens so you can update all dependent systems.
  • Delete source data. Once migration is complete and validated, permanently delete all raw card records from your source systems to eliminate PCI DSS scope.
  • Vault-to-vault transfers. If migrating from a third-party vault, check whether a direct vault-to-vault transfer is possible. Contact support@pcibooking.net for guidance.

Next Steps

Token Management

Manage your migrated tokens.

Capture Cards Overview

All available tokenization methods.