Tokenization in Response

PCI Booking users (e-commerce sites) who pull card data from a third party as a response to an HTTP-based request should use this service.

Typical use cases

  • A business sends a request to a virtual card provider to start a payment process and receives a response containing card data.
  • A hotel chain's central reservation system (CRS) queries an online travel agent (OTA) for new bookings and receives the reservation data, along with card data.


Universal Tokenization

Please also review our Universal Tokenization service, which works in a similar fashion to the Tokenize on Response method, only with predefined connections to many common third parties (such as Expedia and others).

Tokenization Flow


Single or multiple card details in the response

While this process refers to one card and one token, PCI Booking can tokenize all cards listed in the response, as many as are listed, so long as the content filter identifies their respective locations.

The request will go through the PCI Booking server and will be relayed to the third party.

  1. Prepare a tokenization target profile.
  2. Authenticate with PCI Booking via an "access token" or a "session token". Read more about our authentication methods.
  3. Prepare the request body that should be sent to the third party.
  4. Follow the Tokenization in Response method documentation to create the request to the third party to be sent via PCI Booking.
  5. The request is sent as is to the third party. They process it and send a response - the response includes card details.
  6. PCI Booking receives the response from the third party and takes the following actions:
    • The card data is extracted from the message and is securely stored on the PCI Booking server and a card token is issued.
    • PCI Booking masks the sensitive parts of the original card data, as per the PCI standard.
    • The card token is added to the response (in a header as defined in the target profile).
      • If applicable, a tokenization error or warning message is added to the header list (read more on Tokenization Errors and Warnings).
      • The customer can choose whether to allow duplicate cards to be stored in PCI Booking as separate, individual tokens or to use the same token for the same card (a duplicate card is defined as two cards that have the same card number and expiration date).
    • The response is relayed back to the original sender.
  7. Process the response received from PCI Booking.
  8. Optionally, set the CVV Retention Policy for this token.
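
One way to carry out step 7, as an added example (not PCI Booking's own code): it reads the card token from the response header and rejects the response if the body still contains a Luhn-valid card number, so unmasked data never reaches systems outside PCI scope. The header names, function names and sample values are assumptions; the real token header is whatever the target profile defines.

```python
import re

# Assumed header names; the real ones are defined in your target profile.
TOKEN_HEADER = "X-Example-Card-Token"
WARNING_HEADER = "X-Example-Tokenization-Warnings"
# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_unmasked_pans(body):
    """Return Luhn-valid digit runs that look like full card numbers."""
    hits = []
    for match in PAN_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def process_relayed_response(headers, body):
    """Check a relayed response before it reaches out-of-scope systems."""
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get(TOKEN_HEADER.lower())
    warnings = lowered.get(WARNING_HEADER.lower(), "")
    leaked = find_unmasked_pans(body)
    if leaked:
        # Report only the count; never log the digits themselves.
        raise ValueError(f"{len(leaked)} unmasked card number(s) in body")
    if not token:
        raise ValueError(f"no card token; warnings: {warnings or 'none'}")
    return {"token": token, "warnings": warnings}


# Constructed sample of a masked, tokenized response (not real data).
SAMPLE_HEADERS = {TOKEN_HEADER: "constructed-token-0001"}
SAMPLE_BODY = '{"booking": "B-1001", "card": {"number": "411111******1111"}}'
```

A rejected response usually means the content filter in the target profile did not locate the card field, so the profile should be reviewed before retrying.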

Flow charts

Below are two flow charts describing the process of retrieving credit card details from a third party without using PCI Booking and when using PCI Booking.