The Problem
Handling payment card data requires PCI DSS compliance, a costly, ongoing burden of audits, encryption infrastructure, network segmentation, and liability. Every system that touches card data is in scope. Even if you only pass card details from one entity to another without storing them, even for a split second, your systems are in PCI DSS scope.The Solution
PCI Booking handles all card data on your behalf. Your systems only work with tokens. These are random identifiers that carry no card information. This removes your systems from PCI DSS scope entirely. PCI Booking is a PCI DSS Level 1 certified service provider. All card data is encrypted at rest and in transit, stored in isolated infrastructure, and protected by hardware security modules (HSMs) for key management.Architecture: The Three Pillars
Cards flow through three stages: Capture > Manage > Use1. Capture (Tokenize)
Card data enters PCI Booking through one of several methods, depending on your integration:- Hosted Card Entry Form for web and mobile checkout
- Card By Link (COTP) for email and SMS-based capture
- Payments Library for client-side JavaScript integration
- Tokenization on Response for capturing cards from third-party API responses
- Store Paycard API for bulk migration from existing vaults
2. Manage (Store and Maintain)
Once tokenized, you store and reference tokens in your own systems freely. Tokens are safe to log, pass through APIs, and persist in databases. PCI Booking provides management capabilities including:- Querying token metadata (masked card number, expiry, card brand)
- Updating expiration dates when cards are renewed
- Managing CVV retention policies
- Duplicating tokens across merchants or customer accounts
- Deleting tokens when they are no longer needed
3. Use (Detokenize)
When real card data is needed, PCI Booking substitutes the token with the actual card details and delivers them to the destination:- Universal Payment Gateway (UPG) sends card data directly to a PSP to process a charge, refund, or authorization
- Token Replacement in Request injects card data into an outbound HTTP request to any third party
- Card Display renders the real card number in a secure iframe for authorized users
Who Handles What
PCI DSS Scope Reduction
Without PCI Booking, every server, database, and network segment that processes card data must be PCI-compliant. With PCI Booking, card data never enters your environment, significantly reducing your audit scope, cost, and risk.PCI Booking supports SAQ A and SAQ A-EP compliance levels for merchants, depending on the integration method chosen. The hosted form and Card By Link methods provide the lowest compliance burden.
Security and Compliance
PCI Booking is a PCI DSS Level 1 certified service provider (v4 compliant since December 2023). All card data is encrypted at rest and in transit, with key management handled by hardware security modules (HSMs). Personal data is stored on EU-located cloud infrastructure.
Related
- Quickstart - Get up and running with your first integration
- Authentication - Set up API keys and access tokens
- Tokenization Explained - Deep dive into how tokenization works
- How Do I…? - Common integration scenarios and workflows

