Authentication Errors
401 Unauthorized
Symptom: API returns error code-1003 with “Not authorized to access this resource.”
What to check:
- Verify the
Authorizationheader uses the correct format:Authorization: APIKEY your-key-here - If using a session token, confirm it has not expired (sessions time out after 15 minutes of inactivity).
- If using an access token, verify it was generated for the correct endpoint.
- Check that the authenticated user has the required permission for the operation (e.g.,
CanTokenizefor card storage,ForceCVVRetentionPolicyfor CVV policy updates).
Multiple auth methods provided
PCI Booking accepts API Key, Session Token, and Access Token authentication. If multiple are provided, precedence is: Session Token > Access Token > API Key. If you are getting unexpected auth errors, make sure you are not accidentally sending conflicting credentials.Card Tokenization Issues
Card validation failures
Symptom: Tokenization fails with error code-179 or validation errors.
What to check:
- Luhn check: The card number must pass the Luhn algorithm. You can disable this with
validateLuhn=falsefor cards that intentionally fail (e.g., some test cards). - Expiration date: If
ValidateExpiration=trueis set, expired cards are rejected. Set tofalseif you need to store expired cards (e.g., during migration). - CVV format: CVV must be 3 digits (4 for AMEX).
- Card number length: Must be between 12 and 22 digits.
Hosted card form redirect not received
Symptom: A token is created in PCI Booking, but your server never receives the redirect to the success URL. You see tokens in your PCI Booking account that have no corresponding record in your system. What is happening: When using the URL-parameter card entry form, the redirect to your success URL happens entirely in the guest’s browser. PCI Booking’s server returns an HTTP response to the iframe that instructs the browser to navigate to your success URL. If the guest closes the tab, loses internet connectivity, or their browser blocks the redirect, the token exists on PCI Booking’s side but your server never receives it. What to do:- Quick fix: Use a unique
creatorReferenceper reservation instead of a generic value. This lets you query tokens by reference to find any that were created but not received. - Recommended fix: Switch to the session-based card entry form, which provides a server-to-server
CallBackURLin addition to the browser redirect. The callback goes directly from PCI Booking’s servers to yours and cannot be lost due to client-side issues.
- Server-to-server callback guarantees you receive the token
- Success page redirect continues to work for the guest’s user experience
- Unique creator reference lets you query tokens as a safety net
Token not found (error -160)
Symptom: API returns error code-160 when trying to use a token.
What to check:
- Verify the token URI is correct and complete (e.g.,
https://service.pcibooking.net/api/payments/paycard/tok_abc123). - The token may have been deleted. Deletions are permanent and cannot be reversed.
- The token may have been auto-deleted by a CVV retention policy with
DeleteCardUponCVVCleanupset totrue. - Confirm the token belongs to the authenticated user. Tokens created by one user cannot be accessed by another unless third-party permissions have been set up.
CVV Issues
CVV retention policy locked (error -1010)
Symptom: Cannot update the CVV retention policy. API returns error code-1010.
What is happening: CVV retention policies can only be modified within 60 minutes of being set. After this window, the policy is locked.
What to do: Create a new token with the CVV and set the correct policy from the start. The 60-minute window is a PCI compliance requirement and cannot be bypassed.
CVV not included in transaction
Symptom: A payment gateway transaction does not include the CVV, even though the token has a CVV stored. What to check:- Verify the CVV has not expired. Check the
CvvEndRetentionDateusing Get CVV Retention Policy. - Check the destination whitelist. The CVV is only sent to destinations listed in the retention policy. If your payment gateway is not in the whitelist, the CVV is stripped.
- Check the quota. Each destination has a maximum number of times the CVV can be sent to it. Once the quota is exhausted, the CVV is no longer included.
Payment Gateway Issues
Transaction rejected
Symptom: A transaction returnsRejected status.
What to check:
- Read the
GatewayDescriptionandAcquirerDescriptionfields. These contain the gateway’s own rejection reason (e.g., insufficient funds, do-not-honor). - Review gateway-specific guidance for your payment gateway. Some gateways have unique requirements:
- AMEX:
myRefis required and must be 6+ characters - Authorize.net:
ECCenabledaffects refund behavior - Azul, First Data: Require a client certificate
- AMEX:
- Verify the gateway credentials. If using
credentialsId, confirm the stored credentials are still valid with List Credentials.
Transaction timeout (error -175)
Symptom: API returns error code-175 or the call times out.
What to do:
- Do not retry the charge immediately. The original transaction may still be processing at the gateway.
- Check the transaction status in your payment gateway’s dashboard using the
myRefyou provided. - If the transaction went through at the gateway, use the gateway reference for subsequent Capture, Void, or Refund operations.
- If using fallback routing, PCI Booking automatically tries the next gateway in your
FallbackUpgslist.
Token Replacement Issues
Card data not replaced in request
Symptom: The outbound request to the third party still contains the token URI instead of real card data. What to check:- Verify the token URI format matches what PCI Booking expects. The token must be the full URI (e.g.,
https://service.pcibooking.net/api/payments/paycard/tok_abc123). - Check the content type. Token replacement works with JSON, XML/SOAP, form-encoded, and query string formats. The request body must be parseable in the declared content type.
- For SFTP token replacement, verify the file type filter matches your file format. See Supported File Types.
Network Tokenization Issues
Card cannot be network-tokenized
Symptom: Network tokenization returns “Card cannot be Network-tokenized.” What to check:- Only Visa, Mastercard, and Amex cards support network tokenization.
- The card must be active and not expired.
- The issuing bank may not support network tokenization for this card.
- Verify the cardholder details (name, address, IP) are provided. The card network uses these for risk scoring.
Debugging Tips
Use ref and creatorReference consistently
Always include a unique reference in every API call that supports it. This makes it easy to trace operations in the PCI Booking portal, match tokens to your internal records, and do reconciliation.
- Tokenization: Use the
refquery parameter on Store Paycard orcreatorReferenceon the hosted card form. - Gateway transactions: Use the
myRefbody parameter on Process Transaction. - Token queries: Search by reference with Query Tokens.
Check the response format
PCI Booking returns errors in the same format as the request. If you send XML, errors come back as XML. If you send JSON, errors come back as JSON. Make sure your error handling parses both thecode (or returnCode) and moreInfo fields for the full error detail.
Contact support with context
When reaching out to support, include:- The full API response body (especially the
code,message, andmoreInfofields) - The token URI or
myRefvalue - The endpoint URL you called and the HTTP method
- Whether you are using test or production credentials
Related
- Return Codes - Full list of PCI Booking error codes
- Card Validation Errors - Card number, expiration, and CVV validation errors
- API Conventions - Request and response formats, compression, pagination
- Gateway-Specific Guidance - Per-gateway parameter requirements

