> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Testing & Going Live

> Test your PCI Booking integration in sandbox mode with test cards for standard and 3D Secure flows. Go-live checklist for production.

Use your sandbox account to build and test your integration before going live. If you have not set up your account yet, start with [Create an Account](/getting-started/create-account) and [Authentication](/getting-started/authentication).

## Sandbox Environment

Sandbox and production run on the **same system** with the **same base URL**:

```
https://service.pcibooking.net/api
```

The only difference is your **API key**. Sandbox and production are two separate accounts on the same environment, so there are no surprises when you go live. To switch from sandbox to production, just swap your API key.

Your sandbox account stays active alongside your live account, so you can continue running tests or developing new features at any time.

### What's included in sandbox

A sandbox account is a **full replica of a production account**. Every API endpoint, feature, and configuration option available in production works identically in sandbox. The only differences are:

* Sandbox is limited to **100 tokenizations per month**. If you need more for testing, contact [support@pcibooking.net](mailto:support@pcibooking.net) to request a higher limit.
* Sandbox uses test payment gateways (like `NULLSuccess` and `NULLFailure`) instead of real PSP connections.
* Sandbox and production have separate API keys, users, and stored data.

### Test cards vs. real cards

PCI Booking does not differentiate between "test cards" and "real cards." For the system, all cards are the same. You can use test cards or real cards in both sandbox and production accounts.

Since your sandbox account runs in the same PCI-certified environment as production, real cards are handled with the same level of security. However, we generally recommend using test cards in sandbox accounts to avoid any unnecessary exposure of real card data.

<Info title="Request a free sandbox">
  PCI Booking offers free sandbox accounts for development and testing. [Request a sandbox account](https://pcibooking.net/sandbox/) to get started.
</Info>

## Test Cards

Use these card numbers in the sandbox environment. All test cards use any future expiry date.

### Standard Test Cards

| Brand      | Number                | CVV          |
| ---------- | --------------------- | ------------ |
| Visa       | `4111 1111 1111 1111` | Any 3 digits |
| Mastercard | `5500 0000 0000 0004` | Any 3 digits |
| Amex       | `3400 0000 0000 009`  | Any 4 digits |

### 3D Secure Test Cards

For all 3DS test cards, use cardholder name `Three DS test` and CVV `123`.

**Frictionless flow** (authenticates automatically, no user interaction):

| Brand      | Number                |
| ---------- | --------------------- |
| Visa       | `4761 7390 0006 0016` |
| Mastercard | `5455 3302 0000 0016` |

**Device fingerprint flow** (collects device info for risk analysis):

| Brand      | Number                |
| ---------- | --------------------- |
| Visa       | `4761 7390 0101 0010` |
| Mastercard | `5185 5200 5000 0010` |

**Challenge flow** (requires OTP entry):

| Brand      | Number                | Success OTP | Fail OTP |
| ---------- | --------------------- | ----------- | -------- |
| Visa       | `4018 8100 0015 0015` | `0101`      | `3333`   |
| Mastercard | `5299 9100 1000 0015` | `4445`      | `9999`   |

**Device fingerprint + challenge flow** (fingerprint first, then OTP):

| Brand      | Number                | Success OTP | Fail OTP |
| ---------- | --------------------- | ----------- | -------- |
| Visa       | `4018 8100 0019 0011` | `0101`      | `3333`   |
| Mastercard | `5420 7110 0040 1011` | `4445`      | `9999`   |

## Go-Live Checklist

Before switching to production:

* [ ] All API calls work correctly in sandbox
* [ ] Error handling covers all [API error codes](/reference/return-codes)
* [ ] API keys are stored securely (environment variables, not source code)
* [ ] Webhook endpoints (if used) are configured and tested
* [ ] Production API keys obtained from your PCI Booking account
* [ ] Sandbox API keys swapped for production API keys

<Info title="Need help going live?">
  [Talk to our PCI experts](https://pcibooking.net/talk-to-pci-experts/) for a pre-launch review.
</Info>

## Related

* [Quickstart](/start-here/quickstart). End-to-end integration walkthrough.
* [Authentication](/getting-started/authentication). How API keys work and how to include them in requests.
* [Create an Account](/getting-started/create-account). Set up your sandbox and production accounts.
* [Return Codes](/reference/return-codes). Full list of API error codes for your error handling logic.
