Skip to main content
Permanently remove a token and its associated card data from the vault using the Delete Token endpoint.

What Gets Deleted

When you delete a token, the following data is permanently and irrecoverably removed from PCI Booking’s vault:
  • Card data including the full card number, expiration date, and cardholder name
  • CVV data if it was stored on the token
  • 3DS authentication data associated with the token
  • Merchant and customer associations linked to the token
  • The cardURI itself, which becomes invalid and cannot be reused or queried
There is no soft-delete or recycle bin. Once deleted, none of this data can be recovered.

When to Delete Tokens

Common scenarios for deleting tokens:
  • A guest checks out and you no longer need their card on file
  • A cardholder requests removal of their payment data (GDPR or similar data privacy requirements)
  • You have replaced an old token with a new one after a card renewal or CVV re-capture
  • A token was created in error or during testing
Before deleting, verify that the token is not referenced by any pending or future transactions. Deletion is permanent and cannot be undone. If a recurring charge or no-show policy depends on the token, deleting it will cause those operations to fail.

Bulk Deletion Considerations

PCI Booking does not provide a bulk delete endpoint. Each token must be deleted individually using its cardURI. If you need to delete a large number of tokens (for example, during a data cleanup or after a system migration), iterate through your stored token list and call the delete endpoint for each one. When planning a bulk cleanup:
  • Query tokens first. Use the Retrieve Token Metadata endpoint to verify each token’s status before deleting. This helps you avoid accidentally deleting tokens that are still in use.
  • Log deletions. Keep a record of deleted cardURI values in your system for audit purposes. Once deleted from PCI Booking’s vault, the data cannot be retrieved.
  • Rate limits. For large batch deletions, space your API calls to stay within your account’s rate limits. Contact support if you need temporary rate limit increases for a migration.

Duplicate Before Deleting

If you need to preserve the card data under a different account or reference, duplicate the token first to create a copy, then delete the original. This is useful when transferring card data between merchant accounts or customer profiles.

Data Retention and Compliance

Token deletion supports compliance with data privacy regulations such as GDPR, CCPA, and PCI DSS data minimization requirements. Under GDPR, a cardholder can request erasure of their personal data (right to be forgotten). Deleting the token satisfies this request for card data stored in PCI Booking’s vault. Your own systems must also remove any local references or metadata associated with the token. PCI DSS requires that cardholder data not be stored beyond business necessity. Regularly reviewing and deleting tokens that are no longer needed is a recommended practice to minimize your data footprint and reduce risk.

Next Steps

Token Management Overview

See all token management capabilities

CVV Management

Manage CVV data on existing tokens