HomeGuideMethod ReferenceAssess YourselfRequest Sandbox Account
Guide
Ask For AssistanceLogin

Card Display with OTP Authentication - Flow Guide

Suggest Edits

How the Process Works

The verification happens in four distinct steps. First, your backend submits a card view request with the stored card token, cardholder email, phone number, and how long the link should stay valid. PCI Booking generates a unique link and emails it to the cardholder. When they click the link, they land on a phone verification screen where they enter their phone number, then receive an SMS with a 6-digit code. After they enter that code, they're taken to a card details screen showing their full card information.

Getting It Set Up

Start by calling the card-view-request/initView endpoint from your backend. You'll need the card token (from when the card was originally stored), the cardholder's email address and phone number, their name for display purposes, how many minutes the link should stay valid, and the language for the interface. The phone number needs to be in international format without the '+' prefix—so "1" for US country code followed by the number, or "353" for Ireland, etc.

Once you submit that request, PCI Booking immediately emails the link to the address you specified. The link includes a unique identifier and is valid for whatever TTL you set. Your customer receives a professional email with a clear button to click and instructions about what to expect.

When they click the email link, they land on a screen showing their phone number partially masked (last 4 digits visible, everything else hidden). They enter their complete phone number in the same international format you provided and click "Send Me Verification Code". This triggers PCI Booking to validate the format and dispatch an SMS.

The cardholder receives a text message with a 6-digit code. They enter these digits one at a time into the fields on the verification screen. As soon as they enter the sixth digit, the system automatically validates it. If the code is correct, they're immediately shown the card details screen.

On the final screen, they can see the full card number (first 4 and last 4 digits visible, middle masked), cardholder name, expiration date, CVV if you have it configured, and the card type. There are copy-to-clipboard buttons next to each field if they want to quickly capture the information.

Configuration Options

The API request lets you control a few key parameters. The TTL (Time To Live) determines how long the email link remains accessible—30 minutes is standard, but you might go shorter (10-15 minutes) if you need time-sensitive verification or longer (60+ minutes) if customers might not check email immediately. You pick the language for the interface; currently English is supported. You specify the viewer name, which shows up in the email and on the screens, so customers know what they're verifying. The email address is where the secure link gets sent, and the phone number is used for SMS delivery.

When Things Don't Go as Planned

Customer didn't receive the email

First check: is the email address correct? It's easy to have a typo. Check your logs to confirm what address the request was sent to. If that looks right, they should check their spam folder—sometimes these emails get caught. If their email client is configured aggressively, they might not see it. And if it's been a while and you set a short TTL, the link might have expired. Just create a new request and try again.

Customer didn't receive the SMS

Phone number formatting is the most common culprit here. Double-check that you submitted it in the right format—country code, no '+' prefix, no spaces or dashes. If the format's correct, the phone might not actually be able to receive SMS messages (prepaid plans in some regions, for example). Ask them to try from a different phone number if possible. SMS delivery can also be slower on international numbers—give it a couple minutes. If nothing works after a couple resend attempts, ask for an updated phone number and create a new request.

Invalid code error

Make sure all 6 digits were entered correctly—it's easy to misread a text message. If the error persists, the code might have expired (there's a timer on the screen showing remaining time). Just request a new code via SMS and try again.

OTP Code Timing

OTP codes expire after about 10 minutes, which is displayed on the screen with a countdown timer. If they exceed that window, the code stops working and they need to request a new one. They can click "Resend Code" on the verification screen, and a fresh SMS will be sent to their phone. There's a rate limit on resending OTP codes to prevent abuse. If someone requests too many codes in a short period, the system will tell them to wait a few minutes before trying again. The link itself stays valid for the full TTL regardless of how many OTP resend attempts were made.

Email Link Expiration

Email links expire based on the TTL you set when creating the request. If a cardholder waits too long to click the link—say you set a 30-minute TTL and they click after 35 minutes—the link becomes invalid and they'll see an error. They'd need to request a new card view link from you.

SMS Delivery Issues

In rare cases where the SMS delivery gets stuck (carrier issues, invalid phone number, etc.), the cardholder can keep using the "Resend Code" option, or you can create a new view request with updated information if needed.

Next Steps

For complete technical details on making the API request, error handling, and webhook events, see the API reference manual.

Back to the main guide.

Updated about 4 hours ago