Sandbox Environment
Sandbox and production run on the same system with the same base URL:What’s included in sandbox
A sandbox account is a full replica of a production account. Every API endpoint, feature, and configuration option available in production works identically in sandbox. The only differences are:- Sandbox is limited to 100 tokenizations per month. If you need more for testing, contact support@pcibooking.net to request a higher limit.
- Sandbox uses test payment gateways (like
NULLSuccessandNULLFailure) instead of real PSP connections. - Sandbox and production have separate API keys, users, and stored data.
Test cards vs. real cards
PCI Booking does not differentiate between “test cards” and “real cards.” For the system, all cards are the same. You can use test cards or real cards in both sandbox and production accounts. Since your sandbox account runs in the same PCI-certified environment as production, real cards are handled with the same level of security. However, we generally recommend using test cards in sandbox accounts to avoid any unnecessary exposure of real card data.PCI Booking offers free sandbox accounts for development and testing. Request a sandbox account to get started.
Test Cards
Use these card numbers in the sandbox environment. All test cards use any future expiry date.Standard Test Cards
3D Secure Test Cards
For all 3DS test cards, use cardholder nameThree DS test and CVV 123.
Frictionless flow (authenticates automatically, no user interaction):
Device fingerprint flow (collects device info for risk analysis):
Challenge flow (requires OTP entry):
Device fingerprint + challenge flow (fingerprint first, then OTP):
Go-Live Checklist
Before switching to production:- All API calls work correctly in sandbox
- Error handling covers all API error codes
- API keys are stored securely (environment variables, not source code)
- Webhook endpoints (if used) are configured and tested
- Production API keys obtained from your PCI Booking account
- Sandbox API keys swapped for production API keys
Talk to our PCI experts for a pre-launch review.
Related
- Quickstart. End-to-end integration walkthrough.
- Authentication. How API keys work and how to include them in requests.
- Create an Account. Set up your sandbox and production accounts.
- Return Codes. Full list of API error codes for your error handling logic.

