Universal Tokenization

PCI Booking users (e-commerce sites) who pull card data from one (or more) third party as a response to an HTTP-based request should use this service.

Universal Tokenization Vs. Tokenization in Response

While these two services offered by PCI booking are very similar, the Universal Tokenization adds two key benefits to e-commerce sites who choose to work with this service:

  1. The integration with the third party is built-in: This means that the e-commerce site will not need to set up a profile for the response or know how to "read" it. All of this was already done by PCI Booking.
  2. Use multiple third parties to retrieve card details: The Universal Tokenization allows the e-commerce site to easily switch back and forth between different third parties (for example, Expedia and Booking.com) for retrieving card details. The only change that should be performed are the credentials for the third party and the message body sent to that third party.

Tokenization Flow


Single or multiple card details in the response

While this process refers to one card and one token, PCI Booking can tokenize all cards listed in the response - as many as are listed - so long that the content filter identifies their respective locations.

The request will go through the PCI Booking server and will be relayed to the third party.

  1. Retrieve the list of preset tokenization profiles in PCI Booking with the Get Tokenization Profiles method.
  2. Authenticate PCI Booking via an "access token" or a "session token". Read more about our authentication methods.
  3. Prepare the request body that should be sent to the third party.
  4. Follow the Tokenize on Response Using Preset Profiles method documentation to create the request to the third party to be sent via PCI Booking.
  5. The request is sent as is to the third party. They process it and send a response - the response includes card details.
  6. PCI Booking receives the response from the third party and takes the following actions:
    • The card data is extracted from the message and is securely stored on the PCI Booking server and a card token is issued.
    • PCI Booking masks the sensitive parts of the original card data, as per the PCI standard.
    • The card token is added to the response. (in a header as defined in the target profile).
      • If applicable, a tokenization error or warning message is added to the header list (read more on Tokenization Errors and Warnings
      • The customer can choose if they would like to allow duplicate cards to be stored in PCI Booking as separate, individual tokens or to use the same token for the same card (A duplicate card is defined two cards that have the same card number and expiration date).
    • The response is relayed back to the original sender.
  7. Process the response received from PCI Booking.