Card Display with OTP Authentication
Overview
The Card Display with OTP Authentication feature enables cardholders to securely view their stored card details directly from PCI Booking. This is useful when you need customers to verify card information without managing credentials or exposing card data through your systems.
The feature uses a two-factor verification approach: the cardholder receives a secure link via email and must verify their phone number using an SMS code before viewing card details.
Common Use Cases
Travel and Hospitality - Customers booking through travel agencies or hotels can verify their stored card before payment processing. They receive an email link, verify via SMS, and confirm their card details on file.
Post-Payment Verification - Merchants can request customers to confirm card details after payment, particularly useful in industries where chargebacks are common.
How It Works
- Your backend submits a request to the /api/card-view-request/initView endpoint with the cardholder's email, phone number, and the card token.
- PCI Booking sends a secure link to the provided email address.
- The cardholder clicks the link, enters their phone number, and receives an SMS code.
- After entering the code, the cardholder can view their card details: full card number (first 4 and last 4 digits visible), expiration date, cardholder name, and card type.
- The session remains active for 15 minutes and cannot be reused.
Security
This feature implements two-factor verification through email and SMS, ensuring that viewing card details requires access to both channels. Card details are only displayed in PCI Booking and never transmitted through your systems. Email links expire based on the configured TTL (Time To Live) period.
Phone numbers are partially masked during verification to protect privacy. The initial email link is tied to the specific email address provided in the request.
Key Considerations
- Validate phone number format on your end before submitting the request. Format should be international (country code followed by number, no '+' prefix).
- SMS delivery times vary by region and carrier. International delivery may take 1-2 minutes.
- Set appropriate TTL values for your use case. 30 minutes is suitable for most scenarios.
- Each card view link is single-use. Requesting the same card details again requires a new API call.
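The following is an added example, not PCI Booking code, of the phone-number validation recommended in the first consideration above: it normalizes user input to country code followed by number with no '+' prefix, and rejects values that cannot be international numbers. The function names, the 8-digit minimum, the handling of a leading 00, and the log-masking helper are assumptions made for this example.

```python
import re

# E.164 limits: at most 15 digits, and a country code never starts with 0.
# The 8-digit minimum is an assumption chosen for this example.
MIN_DIGITS, MAX_DIGITS = 8, 15
_SEPARATORS = re.compile(r"[\s\-().]")


class PhoneFormatError(ValueError):
    """Raised when input cannot be turned into an international number."""


def normalize_phone(raw: str) -> str:
    """Return digits only: country code followed by number, no '+' prefix."""
    if not isinstance(raw, str):
        raise PhoneFormatError("phone number must be a string")
    s = _SEPARATORS.sub("", raw.strip())
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):
        # Assumption: a leading 00 is the international dialing prefix.
        s = s[2:]
    # isascii() rejects non-ASCII digit characters that isdigit() accepts.
    if not (s.isascii() and s.isdigit()):
        raise PhoneFormatError("phone number contains non-digit characters")
    if s.startswith("0"):
        raise PhoneFormatError("missing country code (national format?)")
    if not MIN_DIGITS <= len(s) <= MAX_DIGITS:
        raise PhoneFormatError("unexpected length for an international number")
    return s


def mask_phone(normalized: str, visible: int = 2) -> str:
    """Mask a normalized number for your own logs; keeps the last digits only."""
    return "*" * (len(normalized) - visible) + normalized[-visible:]


if __name__ == "__main__":
    # Constructed sample inputs, not real customer data.
    for sample in ["+44 20 7946 0958", "0049 (30) 901820", "07911 123456"]:
        try:
            print(sample, "->", mask_phone(normalize_phone(sample)))
        except PhoneFormatError as exc:
            print(sample, "-> rejected:", exc)
```

Rejecting a number in national format before the API call avoids sending a link whose SMS step the cardholder can never complete.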
Related Documentation
- Card Display with OTP Authentication - Flow Guide - Detailed walkthrough of the verification flow and troubleshooting
- Card Display with OTP Authentication - API Reference - Complete API endpoint documentation, parameters, and error handling
