| Term | Definition |
|---|---|
| 3DS (3D Secure) | Cardholder authentication protocol (e.g., Verified by Visa, Mastercard SecureCode) that adds a verification step during online payment. See 3DS merchant setup and 3DS auth management. |
| Access Token | Locally-generated, single-use authentication token (1-60 minute validity) created using your API key and the PCI Booking SSL certificate. No API call needed to generate. |
| API Key | Primary authentication credential for server-to-server PCI Booking API calls. Long-lived and reusable. Managed in the PCI Booking portal. |
| Authorization (Pre-Auth) | First step of two-step payment processing. Places a hold on cardholder funds without transferring them. Followed by a Capture. |
| BIN (Bank Identification Number) | First 6-8 digits of a card number. Identifies the issuing bank and card type. |
| Callback URL | HTTP endpoint on your server that PCI Booking calls to deliver card form results or status notifications. |
| Capture | Second step of two-step payment. Settles a previous authorization to transfer the held funds. |
| Card By Link | Feature that sends secure card capture links via email or SMS, enabling remote card collection without PCI scope. Formerly known as Card Over The Phone (COTP). You can customize the email and SMS with Card By Link templates. |
| Card Display Form | PCI Booking’s hosted form that displays masked or full card details to authorized users. |
| Card Display with OTP | Standalone hosted page that shows card details after two-factor verification (email link + phone OTP). |
| Card Entry Form | PCI Booking’s hosted form where cardholders enter payment card details securely inside an iframe. |
| CardURI | A URI-format token identifier used to reference a specific stored card. Template: https://service.pcibooking.net/api/paycards/bankcard/{cardToken}. |
| CAVV (Cardholder Authentication Verification Value) | Cryptographic value from a successful 3DS authentication proving the cardholder was verified. Sent to PSPs with the transaction. |
| Charge | Single-step payment transaction that authorizes and settles funds in one request. |
| Client Certificate | Certificate uploaded to PCI Booking for mutual TLS authentication when relaying card data to third-party destinations. See client certificates setup. |
| Contact Verification | Feature to verify a property’s email and phone number are valid and reachable, via email link and phone OTP. |
| Content Filter | XML configuration within a target profile that specifies where card fields are located in a message using XPath, JSONPath, or field name selectors. See content filters. |
| COTP (Card Over The Phone) | Legacy name for Card By Link. |
| Creator Reference | Custom identifier or metadata attached to a token for tracking its origin or purpose. Managed via the query and update APIs. |
| Credentials ID | Unique reference assigned when storing PSP credentials in PCI Booking via gateway credentials. Used in UPG payment requests. |
| CVV (Card Verification Value) | 3-4 digit security code on payment cards. PCI Booking can store it temporarily under a CVV retention policy. See also CVV capture. |
| CVV Retention Policy | Rules defining how long CVV data is stored and how many times it can be used before automatic deletion. See CVV retention policy and CVV management. |
| Data Block | Arbitrary non-card data (text, XML, images, PDFs) stored in PCI Booking’s vault for secure data handling. See data blocks. |
| Detokenization | Replacing a token with real card data for payment processing, relaying, or display. The reverse of tokenization. See use tokens overview. |
| ECI (Electronic Commerce Indicator) | Value indicating the outcome of 3D Secure authentication. Sent to PSPs alongside CAVV. |
| FTPS | FTP with TLS encryption. Used for secure batch file transfers and file transfer tokenization. |
| IP Restrictions | Whitelist of IP addresses permitted to call the PCI Booking API. Configured in the portal under security settings. |
| Merchant | A business account (sub-account) within your PCI Booking organization. Each merchant operates independently with its own credentials and tokens. See account creation and user management. |
| OTP (One-Time Password) | Temporary numeric code sent via SMS or voice call for identity verification. Used in card display with OTP. |
| PAN (Primary Account Number) | The full card number printed on a payment card. See card data XML structure. |
| Paycard | Collective term for bank cards, credit cards, and debit cards. See supported card types. |
| Payments Library | Client-side JavaScript SDK for collecting payments via alternative payment methods (Apple Pay, Google Pay, PayPal, BankPay, UPI). See the Payments Library overview and setup guide. |
| PCI DSS | Payment Card Industry Data Security Standard. The security standard PCI Booking is certified against, removing PCI scope from your systems. Learn more about how PCI Booking works. |
| PostMessage | Browser cross-domain messaging mechanism for secure communication between the PCI Booking iframe and the parent page. See PostMessage notifications. |
| Property | A specific location or entity (hotel, branch) registered under a merchant account. Tokens can be associated with properties for scoped card access. See property management. |
| PSP (Payment Service Provider) | A third-party payment gateway or processor (e.g., Stripe, Adyen, Worldpay). PCI Booking connects to PSPs through the Universal Payment Gateway. |
| Refund | Returns funds from a completed charge or captured authorization back to the cardholder. See refunds and voids. |
| Relay | The operation of securely sending card data from PCI Booking to an authorized destination via token replacement. Also called “Send”. |
| Relay Restrictions | Whitelist of destination URLs allowed to receive card data via token replacement. Configured per user under security settings. |
| Risk Assessment | Fraud scoring that cross-references card issuer country, billing address, and client IP geolocation to produce a risk level. See risk assessment. |
| Sandbox | Testing environment with test cards and a separate API key from production. See testing and going live. |
| Session Token | Short-lived (5 minute) token generated from your API key via the authentication endpoint. Used for browser-facing operations like card entry forms. |
| SFTP | SSH File Transfer Protocol. Used for secure batch card tokenization and token replacement. |
| Target Profile | Reusable configuration defining how PCI Booking parses or replaces card data in a specific third-party message format. Contains content filters, certificates, and other settings. See target profiles. |
| Token (Paycard) | A secure reference to a stored payment card. Replaces the actual card number in your systems. Learn how tokenization works. |
| Token Replacement | Process of substituting a token with real card data in outbound HTTP requests, file transfers, or responses. See token replacement in request and the token replacement API. |
| Tokenization on Request | Gateway mode where PCI Booking intercepts inbound HTTP requests from third parties, tokenizes card data, and forwards a sanitized version to your API. |
| Tokenization on Response | Forward proxy mode where PCI Booking tokenizes card data found in a third party’s HTTP response before passing it to you. |
| Universal Tokenization | Pre-built parsing profiles maintained by PCI Booking for commonly used third parties, so you do not need to create custom profiles. |
| UPG (Universal Payment Gateway) | PCI Booking’s payment proxy that intercepts merchant-to-PSP requests and injects real card data from tokens. Supports 100+ gateway integrations. |
| Void | Cancels a pre-authorization before capture, releasing the hold without any fund transfer. See refunds and voids. |
| XID | 3DS v1 transaction identifier that uniquely identifies a 3DS authentication session. |
Reference
Glossary
Definitions of key terms: tokenization, detokenization, PCI DSS, CVV retention, 3D Secure, card-on-file, and more.
Key terms used throughout PCI Booking documentation, listed alphabetically.

