Skip to main content
Use your sandbox account to build and test your integration before going live. If you have not set up your account yet, start with Create an Account and Authentication.

Sandbox Environment

Sandbox and production run on the same system with the same base URL:
The only difference is your API key. Sandbox and production are two separate accounts on the same environment, so there are no surprises when you go live. To switch from sandbox to production, just swap your API key. Your sandbox account stays active alongside your live account, so you can continue running tests or developing new features at any time.

What’s included in sandbox

A sandbox account is a full replica of a production account. Every API endpoint, feature, and configuration option available in production works identically in sandbox. The only differences are:
  • Sandbox is limited to 100 tokenizations per month. If you need more for testing, contact support@pcibooking.net to request a higher limit.
  • Sandbox uses test payment gateways (like NULLSuccess and NULLFailure) instead of real PSP connections.
  • Sandbox and production have separate API keys, users, and stored data.

Test cards vs. real cards

PCI Booking does not differentiate between “test cards” and “real cards.” For the system, all cards are the same. You can use test cards or real cards in both sandbox and production accounts. Since your sandbox account runs in the same PCI-certified environment as production, real cards are handled with the same level of security. However, we generally recommend using test cards in sandbox accounts to avoid any unnecessary exposure of real card data.
PCI Booking offers free sandbox accounts for development and testing. Request a sandbox account to get started.

Test Cards

Use these card numbers in the sandbox environment. All test cards use any future expiry date.

Standard Test Cards

3D Secure Test Cards

For all 3DS test cards, use cardholder name Three DS test and CVV 123. Frictionless flow (authenticates automatically, no user interaction): Device fingerprint flow (collects device info for risk analysis): Challenge flow (requires OTP entry): Device fingerprint + challenge flow (fingerprint first, then OTP):

Go-Live Checklist

Before switching to production:
  • All API calls work correctly in sandbox
  • Error handling covers all API error codes
  • API keys are stored securely (environment variables, not source code)
  • Webhook endpoints (if used) are configured and tested
  • Production API keys obtained from your PCI Booking account
  • Sandbox API keys swapped for production API keys
Talk to our PCI experts for a pre-launch review.