Card Display with OTP Authentication
Overview
The Card Display with OTP Authentication feature solves a common problem: you need your customers to verify card details, but you don't want to maintain credentials for your customers. With this feature, customers can securely view their stored card details directly through PCI Booking after confirming their identity via phone verification.
The process is straightforward. Your customer submits a request with the cardholder's email and phone number. PCI Booking sends a secure link via email. When the cardholder clicks that link, they verify their phone number through an SMS code, and then they can see their card details. The whole flow is designed to be frictionless for customers while keeping everything secure and PCI-compliant.
Real-World Use Cases
Travel and Hospitality - Travel agencies and hotel chains use this when customers book trips. Rather than calling support to confirm card details, customers get an email link, verify via text, and can instantly confirm their card is the one on file.
Post-Payment Verification - Some merchants want customers to confirm card details after initial payment, particularly in travel and hospitality where chargebacks are more common.
Security Features
Security is built in at every step. The initial email link goes only to the verified email address specified in the request, so an attacker would need access to that mailbox to obtain the link. The cardholder then has to prove they control a specific phone number by entering it on the verification screen. When they submit their phone number, PCI Booking sends a 6-digit SMS code that's valid for about 10 minutes. This two-factor approach (email + phone) means an attacker would need access to both channels to view card details.
Best Practices
Give your customers some context before they receive the email. If they're not expecting it, they might ignore it or think it's phishing. A simple explanation in your app ("We're sending you a secure link to verify your card") goes a long way.
Always validate phone numbers on your end before submitting the request. That means checking for the right format (country code + digits, no '+' prefix). A quick regex or phone validation library can catch issues before they create bad experiences for customers.
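The validation step above, as an added example that is not PCI Booking's own code: a Python normalizer that turns user-entered phone numbers into the country code + digits form with no '+' prefix, and rejects input it cannot safely repair. The 8-digit minimum is an assumption to tune for your markets; 15 digits is the E.164 maximum.

```python
import re
from dataclasses import dataclass

# E.164 allows at most 15 digits in total. The minimum used here is an
# assumption (some national numbering plans are short), so tune it per market.
MAX_DIGITS = 15
MIN_DIGITS = 8

# Separators people commonly type: whitespace, hyphens, dots, parentheses.
_SEPARATORS = re.compile(r"[\s\-().]")
_ASCII_DIGITS = re.compile(r"[0-9]+")  # str.isdigit() would also accept Unicode digits


@dataclass(frozen=True)
class PhoneCheck:
    ok: bool
    number: str  # normalized "countrycode+digits" form when ok, else ""
    reason: str  # why the input was rejected, empty when ok


def normalize_phone(raw: str) -> PhoneCheck:
    """Normalize user input into country code + digits with no '+' prefix.

    Accepts a leading '+' or '00' international prefix and common separators.
    Anything that cannot be turned into a plausible international number is
    rejected with a reason you can surface to the customer.
    """
    s = _SEPARATORS.sub("", raw.strip())
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):
        s = s[2:]
    if not s:
        return PhoneCheck(False, "", "empty")
    if not _ASCII_DIGITS.fullmatch(s):
        return PhoneCheck(False, "", "contains non-digit characters")
    if s[0] == "0":
        # A leading zero here is a national trunk prefix, not a country code.
        # The country is unknown, so the number cannot be repaired safely.
        return PhoneCheck(False, "", "missing country code (starts with 0)")
    if len(s) < MIN_DIGITS:
        return PhoneCheck(False, "", "too short")
    if len(s) > MAX_DIGITS:
        return PhoneCheck(False, "", "too long (E.164 allows at most 15 digits)")
    return PhoneCheck(True, s, "")
```

Reject rather than guess when the country code is missing: a wrongly repaired number sends the OTP to someone else's phone.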
SMS delivery times vary by region and carrier. Set customer expectations accordingly—"Code arriving in 1-2 minutes" is better than "Code arriving instantly" when some carriers are slow.
What's Next
Ready to implement this feature? Check out the step-by-step flow guide to see exactly how the process works from your customer's perspective.
For complete technical details on the API endpoint, see the API reference manual.
