Skip to main content
Tokenization on Response lets you route HTTP requests through PCI Booking to a third party. When the third party responds with card data, PCI Booking parses the response, extracts and tokenizes the card details, and forwards a sanitized version back to you. You never see raw card numbers. This is the mirror of Token Replacement in Request in the Use Tokens section. Both use the same forward proxy infrastructure, but in opposite directions: Tokenization on Response tokenizes card data in the third party’s response, while Token Replacement in Request detokenizes tokens in your outbound request.

How It Works

  1. Create a profile. A profile is a set of instructions that tells PCI Booking how to parse the third party’s response and where to find card details in the message. You create profiles through the PCI Booking portal or with the help of our support team. You do this once per third-party message format.
  2. Send your request through PCI Booking. Instead of calling the third party directly, send the request through PCI Booking’s proxy endpoint. In the request, provide the profile name and the third party’s connection details.
  3. PCI Booking forwards the request. PCI Booking sends the request to the third party on your behalf and receives the response.
  4. Parse and tokenize. PCI Booking’s content engine parses the response using your profile, extracts all card details that match the defined locations, and creates a token for each card found.
  5. Sanitized response. PCI Booking masks the card details in the response body, adds the tokens to a custom header, and forwards the amended message back to you.

Profiles

A target profile defines how PCI Booking should parse a specific message format. Each profile includes content filters with XPath or JSONPath expressions pointing to where card data appears in the message. Profiles are reusable - define one once and apply it to every request going to that third party.
Send a copy of the message you receive from the third party to support@pcibooking.net. Our support team will build the profile for you.

Universal Profiles (Pre-Built)

Many PCI Booking customers connect to the same third parties (booking platforms, OTAs, channel managers, GDS providers). For these common integrations, PCI Booking provides universal profiles that are already built and ready to use. The flow is the same. You reference the universal profile name in your request instead of a custom one. Check with support@pcibooking.net to see if a universal profile already exists for your third party.

Security

  • Relay restrictions. Your account can be configured with an endpoint whitelist. Requests to destinations not on the list are rejected. Contact support or use the Admin portal to manage your allowed endpoints.
  • Client certificates. Target profiles can include client certificates for mutual TLS authentication with the destination.
  • Timeout. Relay requests have a default timeout of 60 seconds.

Use Cases

  • Receiving reservation data from booking platforms that include card details.
  • Integrating with OTAs or channel managers that pass card data in API responses.
  • Any scenario where a third party sends you card data that you need to store as tokens.

Next Steps

Universal Tokenization Profiles

Pre-built profiles for common third parties.

Capture Cards Overview

All available tokenization methods.