How It Works
- Create a profile. A profile is a set of instructions that tells PCI Booking how to parse the third party’s response and where to find card details in the message. You create profiles through the PCI Booking portal or with the help of our support team. You do this once per third-party message format.
- Send your request through PCI Booking. Instead of calling the third party directly, send the request through PCI Booking’s proxy endpoint. In the request, provide the profile name and the third party’s connection details.
- PCI Booking forwards the request. PCI Booking sends the request to the third party on your behalf and receives the response.
- Parse and tokenize. PCI Booking’s content engine parses the response using your profile, extracts all card details that match the defined locations, and creates a token for each card found.
- Sanitized response. PCI Booking masks the card details in the response body, adds the tokens to a custom header, and forwards the amended message back to you.
Profiles
A target profile defines how PCI Booking should parse a specific message format. Each profile includes content filters with XPath or JSONPath expressions pointing to where card data appears in the message. Profiles are reusable - define one once and apply it to every request going to that third party.Send a copy of the message you receive from the third party to support@pcibooking.net. Our support team will build the profile for you.
Universal Profiles (Pre-Built)
Many PCI Booking customers connect to the same third parties (booking platforms, OTAs, channel managers, GDS providers). For these common integrations, PCI Booking provides universal profiles that are already built and ready to use. The flow is the same. You reference the universal profile name in your request instead of a custom one. Check with support@pcibooking.net to see if a universal profile already exists for your third party.Security
- Relay restrictions. Your account can be configured with an endpoint whitelist. Requests to destinations not on the list are rejected. Contact support or use the Admin portal to manage your allowed endpoints.
- Client certificates. Target profiles can include client certificates for mutual TLS authentication with the destination.
- Timeout. Relay requests have a default timeout of 60 seconds.
Use Cases
- Receiving reservation data from booking platforms that include card details.
- Integrating with OTAs or channel managers that pass card data in API responses.
- Any scenario where a third party sends you card data that you need to store as tokens.
Next Steps
Universal Tokenization Profiles
Pre-built profiles for common third parties.
Capture Cards Overview
All available tokenization methods.

