> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# How PCI Booking Works

> How PCI Booking removes PCI DSS scope from your systems. Card capture, token storage, and payment processing without handling card data.

## The Problem

Handling payment card data requires PCI DSS compliance, a costly, ongoing burden of audits, encryption infrastructure, network segmentation, and liability. Every system that touches card data is in scope. Even if you only pass card details from one entity to another without storing them, even for a split second, your systems are in PCI DSS scope.

## The Solution

PCI Booking handles **all** card data on your behalf. Your systems only work with tokens. These are random identifiers that carry no card information. This removes your systems from PCI DSS scope entirely.

PCI Booking is a PCI DSS Level 1 certified service provider. All card data is encrypted at rest and in transit, stored in isolated infrastructure, and protected by hardware security modules (HSMs) for key management.

## Architecture: The Three Pillars

Cards flow through three stages:

**Capture > Manage > Use**

### 1. Capture (Tokenize)

Card data enters PCI Booking through one of several methods, depending on your integration:

* **Hosted Card Entry Form** for web and mobile checkout
* **Card By Link (COTP)** for email and SMS-based capture
* **Payments Library** for client-side JavaScript integration
* **Tokenization on Response** for capturing cards from third-party API responses
* **Store Paycard API** for bulk migration from existing vaults

In every case, PCI Booking encrypts the card data and returns a token to your system. The token is a random URI that uniquely identifies the stored card but reveals nothing about it.

### 2. Manage (Store and Maintain)

Once tokenized, you store and reference tokens in your own systems freely. Tokens are safe to log, pass through APIs, and persist in databases. PCI Booking provides management capabilities including:

* Querying token metadata (masked card number, expiry, card brand)
* Updating expiration dates when cards are renewed
* Managing CVV retention policies
* Duplicating tokens across merchants or customer accounts
* Deleting tokens when they are no longer needed

### 3. Use (Detokenize)

When real card data is needed, PCI Booking substitutes the token with the actual card details and delivers them to the destination:

* **Universal Payment Gateway (UPG)** sends card data directly to a PSP to process a charge, refund, or authorization
* **Token Replacement in Request** injects card data into an outbound HTTP request to any third party
* **Card Display** renders the real card number in a secure iframe for authorized users

Your systems never see the real card data during detokenization. PCI Booking handles the substitution and delivery in its own secure environment.

## Who Handles What

| PCI Booking Handles       | You Handle                 |
| ------------------------- | -------------------------- |
| Card capture & encryption | Token storage & references |
| PCI DSS compliance        | Business logic             |
| Secure card storage       | UI integration             |
| PSP communication         | Transaction orchestration  |
| Key management & rotation | Merchant configuration     |

## PCI DSS Scope Reduction

Without PCI Booking, every server, database, and network segment that processes card data must be PCI-compliant. With PCI Booking, card data never enters your environment, significantly reducing your audit scope, cost, and risk.

<Info>
  PCI Booking supports SAQ A and SAQ A-EP compliance levels for merchants, depending on the integration method chosen. The hosted form and Card By Link methods provide the lowest compliance burden.
</Info>

[Talk to our PCI experts](https://pcibooking.net/talk-to-pci-experts/) to understand what PCI compliance requirements apply to your specific setup after integrating with PCI Booking.

## Security and Compliance

<Note>
  PCI Booking is a **PCI DSS Level 1** certified service provider (v4 compliant since December 2023). All card data is encrypted at rest and in transit, with key management handled by hardware security modules (HSMs). Personal data is stored on EU-located cloud infrastructure.

  * [PCI DSS compliance](https://pcibooking.net/pci-compliance/)
  * [ISO 27001:2022 certification](https://pcibooking.net/27001-certified)
  * [GDPR compliance and data residency](https://pcibooking.net/gdpr)
  * [PSD2 compliance](https://pcibooking.net/psd2)
  * [Security settings for your account](/account-setup/security-settings)
</Note>

## Related

* [Quickstart](/start-here/quickstart) - Get up and running with your first integration
* [Authentication](/getting-started/authentication) - Set up API keys and access tokens
* [Tokenization Explained](/concepts/tokenization-explained) - Deep dive into how tokenization works
* [How Do I...?](/use-cases/how-do-i) - Common integration scenarios and workflows
