> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Glossary

> Definitions of key terms: tokenization, detokenization, PCI DSS, CVV retention, 3D Secure, card-on-file, and more.

Key terms used throughout PCI Booking documentation, listed alphabetically.

| Term                                                    | Definition                                                                                                                                                                                                                                                                                               |
| ------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **3DS (3D Secure)**                                     | Cardholder authentication protocol (e.g., Verified by Visa, Mastercard SecureCode) that adds a verification step during online payment. See [3DS merchant setup](/account-setup/3ds-merchant-setup) and [3DS auth management](/manage-tokens/3ds-auth-management).                                       |
| **Access Token**                                        | Locally-generated, single-use [authentication](/getting-started/authentication) token (1-60 minute validity) created using your API key and the PCI Booking SSL certificate. No API call needed to generate.                                                                                             |
| **API Key**                                             | Primary [authentication](/getting-started/authentication) credential for server-to-server PCI Booking API calls. Long-lived and reusable. Managed in the PCI Booking portal.                                                                                                                             |
| **Authorization (Pre-Auth)**                            | First step of [two-step payment processing](/use-tokens/authorize-capture). Places a hold on cardholder funds without transferring them. Followed by a [Capture](#capture).                                                                                                                              |
| **BIN (Bank Identification Number)**                    | First 6-8 digits of a card number. Identifies the issuing bank and [card type](/reference/card-types).                                                                                                                                                                                                   |
| **Callback URL**                                        | HTTP endpoint on your server that PCI Booking calls to deliver [card form results](/capture-cards/postmessage-notifications) or status notifications.                                                                                                                                                    |
| **Capture**                                             | Second step of [two-step payment](/use-tokens/authorize-capture). Settles a previous authorization to transfer the held funds.                                                                                                                                                                           |
| **Card By Link**                                        | Feature that sends [secure card capture links](/capture-cards/card-by-link) via email or SMS, enabling remote card collection without PCI scope. Formerly known as Card Over The Phone (COTP). You can customize the email and SMS with [Card By Link templates](/account-setup/card-by-link-templates). |
| **Card Display Form**                                   | PCI Booking's hosted form that [displays masked or full card details](/use-tokens/card-display) to authorized users.                                                                                                                                                                                     |
| **Card Display with OTP**                               | Standalone hosted page that [shows card details after two-factor verification](/use-tokens/card-display-otp) (email link + phone OTP).                                                                                                                                                                   |
| **Card Entry Form**                                     | PCI Booking's [hosted form](/capture-cards/hosted-card-entry-form) where cardholders enter payment card details securely inside an iframe.                                                                                                                                                               |
| **CardURI**                                             | A URI-format [token](/concepts/tokenization-explained) identifier used to reference a specific stored card. Template: `https://service.pcibooking.net/api/paycards/bankcard/{cardToken}`.                                                                                                                |
| **CAVV (Cardholder Authentication Verification Value)** | Cryptographic value from a successful [3DS authentication](/manage-tokens/3ds-auth-management) proving the cardholder was verified. Sent to PSPs with the transaction.                                                                                                                                   |
| **Charge**                                              | Single-step payment transaction that [authorizes and settles funds](/use-tokens/charge) in one request.                                                                                                                                                                                                  |
| **Client Certificate**                                  | Certificate uploaded to PCI Booking for mutual TLS authentication when relaying card data to third-party destinations. See [client certificates setup](/account-setup/client-certificates).                                                                                                              |
| **Contact Verification**                                | Feature to [verify a property's email and phone number](/additional-functions/contact-verification) are valid and reachable, via email link and phone OTP.                                                                                                                                               |
| **Content Filter**                                      | XML configuration within a [target profile](/account-setup/target-profiles) that specifies where card fields are located in a message using XPath, JSONPath, or field name selectors. See [content filters](/account-setup/content-filters).                                                             |
| **COTP (Card Over The Phone)**                          | Legacy name for [Card By Link](/capture-cards/card-by-link).                                                                                                                                                                                                                                             |
| **Creator Reference**                                   | Custom identifier or metadata attached to a token for tracking its origin or purpose. Managed via the [query and update](/manage-tokens/query-retrieve) APIs.                                                                                                                                            |
| **Credentials ID**                                      | Unique reference assigned when storing PSP credentials in PCI Booking via [gateway credentials](/account-setup/gateway-credentials). Used in [UPG](/use-tokens/universal-payment-gateway) payment requests.                                                                                              |
| **CVV (Card Verification Value)**                       | 3-4 digit security code on payment cards. PCI Booking can store it temporarily under a [CVV retention policy](/capture-cards/cvv-retention-policy). See also [CVV capture](/capture-cards/cvv-capture).                                                                                                  |
| **CVV Retention Policy**                                | Rules defining how long CVV data is stored and how many times it can be used before automatic deletion. See [CVV retention policy](/capture-cards/cvv-retention-policy) and [CVV management](/manage-tokens/cvv-management).                                                                             |
| **Data Block**                                          | Arbitrary non-card data (text, XML, images, PDFs) stored in PCI Booking's vault for secure data handling. See [data blocks](/additional-functions/data-blocks).                                                                                                                                          |
| **Detokenization**                                      | Replacing a [token](/concepts/tokenization-explained) with real card data for payment processing, relaying, or display. The reverse of [tokenization](/concepts/tokenization-explained). See [use tokens overview](/use-tokens/overview).                                                                |
| **ECI (Electronic Commerce Indicator)**                 | Value indicating the outcome of [3D Secure authentication](/manage-tokens/3ds-auth-management). Sent to PSPs alongside CAVV.                                                                                                                                                                             |
| **FTPS**                                                | FTP with TLS encryption. Used for secure [batch file transfers](/use-tokens/file-transfer-token-replacement) and [file transfer tokenization](/capture-cards/file-transfer-tokenization).                                                                                                                |
| **IP Restrictions**                                     | Whitelist of IP addresses permitted to call the PCI Booking API. Configured in the portal under [security settings](/account-setup/security-settings).                                                                                                                                                   |
| **Merchant**                                            | A business account (sub-account) within your PCI Booking organization. Each merchant operates independently with its own credentials and tokens. See [account creation](/getting-started/create-account) and [user management](/account-setup/manage-users).                                             |
| **OTP (One-Time Password)**                             | Temporary numeric code sent via SMS or voice call for identity verification. Used in [card display with OTP](/use-tokens/card-display-otp).                                                                                                                                                              |
| **PAN (Primary Account Number)**                        | The full card number printed on a payment card. See [card data XML structure](/reference/card-data-xml-structure).                                                                                                                                                                                       |
| **Paycard**                                             | Collective term for bank cards, credit cards, and debit cards. See [supported card types](/reference/card-types).                                                                                                                                                                                        |
| **Payments Library**                                    | Client-side JavaScript SDK for collecting payments via [alternative payment methods](/payments-library/supported-methods) (Apple Pay, Google Pay, PayPal, BankPay, UPI). See the [Payments Library overview](/payments-library/overview) and [setup guide](/payments-library/setup).                     |
| **PCI DSS**                                             | Payment Card Industry Data Security Standard. The security standard PCI Booking is certified against, removing PCI scope from your systems. Learn more about [how PCI Booking works](/concepts/how-pci-booking-works).                                                                                   |
| **PostMessage**                                         | Browser cross-domain messaging mechanism for secure communication between the PCI Booking iframe and the parent page. See [PostMessage notifications](/capture-cards/postmessage-notifications).                                                                                                         |
| **Property**                                            | A specific location or entity (hotel, branch) registered under a merchant account. Tokens can be associated with properties for scoped card access. See [property management](/additional-functions/property-management).                                                                                |
| **PSP (Payment Service Provider)**                      | A third-party payment gateway or processor (e.g., Stripe, Adyen, Worldpay). PCI Booking connects to PSPs through the [Universal Payment Gateway](/use-tokens/universal-payment-gateway).                                                                                                                 |
| **Refund**                                              | Returns funds from a completed charge or captured authorization back to the cardholder. See [refunds and voids](/use-tokens/refunds-voids).                                                                                                                                                              |
| **Relay**                                               | The operation of securely sending card data from PCI Booking to an authorized destination via [token replacement](/use-tokens/token-replacement-in-request). Also called "Send".                                                                                                                         |
| **Relay Restrictions**                                  | Whitelist of destination URLs allowed to receive card data via token replacement. Configured per user under [security settings](/account-setup/security-settings).                                                                                                                                       |
| **Risk Assessment**                                     | Fraud scoring that cross-references card issuer country, billing address, and client IP geolocation to produce a risk level. See [risk assessment](/use-tokens/risk-assessment).                                                                                                                         |
| **Sandbox**                                             | Testing environment with test cards and a separate API key from production. See [testing and going live](/getting-started/testing-and-going-live).                                                                                                                                                       |
| **Session Token**                                       | Short-lived (5 minute) token generated from your API key via the [authentication](/getting-started/authentication) endpoint. Used for browser-facing operations like [card entry forms](/capture-cards/hosted-card-entry-form).                                                                          |
| **SFTP**                                                | SSH File Transfer Protocol. Used for secure [batch card tokenization](/capture-cards/file-transfer-tokenization) and [token replacement](/use-tokens/file-transfer-token-replacement).                                                                                                                   |
| **Target Profile**                                      | Reusable configuration defining how PCI Booking parses or replaces card data in a specific third-party message format. Contains [content filters](#content-filter), certificates, and other settings. See [target profiles](/account-setup/target-profiles).                                             |
| **Token (Paycard)**                                     | A secure reference to a stored payment card. Replaces the actual card number in your systems. Learn how [tokenization works](/concepts/tokenization-explained).                                                                                                                                          |
| **Token Replacement**                                   | Process of substituting a token with real card data in outbound HTTP requests, file transfers, or responses. See [token replacement in request](/use-tokens/token-replacement-in-request) and the [token replacement API](/use-tokens/token-replacement-api).                                            |
| **Tokenization on Request**                             | Gateway mode where PCI Booking intercepts inbound HTTP requests from third parties, [tokenizes card data](/capture-cards/tokenization-on-request), and forwards a sanitized version to your API.                                                                                                         |
| **Tokenization on Response**                            | Forward proxy mode where PCI Booking [tokenizes card data found in a third party's HTTP response](/capture-cards/tokenization-on-response) before passing it to you.                                                                                                                                     |
| **Universal Tokenization**                              | [Pre-built parsing profiles](/capture-cards/universal-tokenization) maintained by PCI Booking for commonly used third parties, so you do not need to create custom profiles.                                                                                                                             |
| **UPG (Universal Payment Gateway)**                     | PCI Booking's [payment proxy](/use-tokens/universal-payment-gateway) that intercepts merchant-to-PSP requests and injects real card data from tokens. Supports 100+ [gateway integrations](/use-tokens/gateway-guidance).                                                                                |
| **Void**                                                | Cancels a pre-authorization before capture, releasing the hold without any fund transfer. See [refunds and voids](/use-tokens/refunds-voids).                                                                                                                                                            |
| **XID**                                                 | 3DS v1 transaction identifier that uniquely identifies a [3DS authentication](/manage-tokens/3ds-auth-management) session.                                                                                                                                                                               |
