Skip to main content
General conventions that apply across all PCI Booking API calls.

Response Content Format

PCI Booking supports responses in both JSON and XML. Set the Accept header to control the format:

JSON Conventions

  • DateTime fields use ISO 8601 format
  • Enum values are serialized as strings

Currency Format

Currency codes follow the ISO 4217 standard (e.g., USD, EUR, GBP).

Message Compression

PCI Booking supports response compression in gzip and deflate formats. If your request includes an Accept-Encoding header, PCI Booking compresses the response accordingly. Make sure your client can decompress the format(s) you request.
If you do not send an Accept-Encoding header, responses are returned uncompressed.

Tokenization Errors and Warnings

When performing tokenization via Tokenization on Request, Tokenization on Response, or Universal Tokenization, PCI Booking may encounter cards that cannot be tokenized. In these cases, card data is relayed as-is and the reason is returned in a response header.
Only valid, non-expired cards are tokenized. Card data with incorrect numbers or past expiry dates does not fall under PCI compliance and is not tokenized.

Error Header

When a card fails tokenization, the reason appears in the X-pciBooking-Tokenization-Errors header. If the message contains multiple cards, errors are separated by double semicolons (;;). The position in the list matches the card’s position in the message. Successfully tokenized cards have an empty entry. Example with 3 cards where the second fails:

Warning Header

A X-pciBooking-Tokenization-Warnings header is added when a card was tokenized but some information is mismatched. Most common with Tokenization on Request.

Gateway Request Headers

When PCI Booking relays requests through the gateway (token replacement), it adds the following headers to the outbound request. See Gateway Request Headers for details.

Supported File Types for FTP Transfer

When using File Transfer Token Replacement or File Transfer Tokenization, PCI Booking supports:

Pagination

Some list and search endpoints return paginated results. PCI Booking uses offset-based pagination with two parameters: Both use zero-based offsets. To page through results, increment the offset by the number of items returned:
Responses do not include a total count or next-page indicator. Continue requesting pages until fewer items than requested are returned.

System Limits

CVV Storage

PCI compliance requires that CVV cannot be stored indefinitely. CVV can only be stored until it is “used,” with the definition varying by workflow. PCI Booking enforces this through a CVV Retention Policy that lets you set relay restrictions and storage period limits.

Card Storage

PCI Booking does not limit how long cards can be stored. Cards remain in the system as long as needed, regardless of expiration date. You can delete cards on demand or automatically as part of the CVV retention policy.

Password Character Set

Passwords for PCI Booking portal accounts accept alphanumeric characters plus these symbols: ! " # $ % & ' ( ) * + , - . / ; < = > ? @ [ \ ] and space.