Step 1: Tokenize the Card
Capture and tokenize the card using any of PCI Booking’s methods:- Hosted Card Entry Form - embed a card form in your website
- Card By Link - send a secure capture link via email or SMS
- Tokenization on Response - tokenize card data from a third-party API response
- Universal Tokenization - tokenize cards from any source format
Step 2: Send the Card to the Hotel
How you deliver the card to the hotel depends on your integration approach:Option A: Card Display with OTP (Recommended)
Send the hotel contact a secure link. PCI Booking handles identity verification and card display. No portal setup or user accounts needed on the hotel’s side.- Call the Card Display OTP endpoint with the card token, the hotel contact’s email, phone number, and name.
- PCI Booking sends an email with a secure link.
- The hotel contact clicks the link and verifies their identity via SMS code.
- Card details are displayed on PCI Booking’s hosted page.
Option B: Card Display (iframe in your portal)
If you operate your own portal where hotels can log in, display the card details in a secure iframe embedded in your system.- Generate a Card Display Form link for the token.
- Embed the iframe in your portal. The card details render inside PCI Booking’s secure domain, so card data never touches your servers.
Option C: Token Replacement
Send the card details directly to the hotel’s API using Token Replacement.- Build an API request to the hotel’s system containing the card token.
- PCI Booking replaces the token with real card data in transit.
- The hotel receives the card details without you ever handling them.
Related
- Card Display with OTP. OTP-secured card display with no portal needed.
- Third-Party Permissions. Control which properties and merchants can access your tokens.
- CVV Retention Policy. If the hotel needs to see the CVV, set a retention policy before they access the card.
- Process OTA and Channel Manager Payments. Need to charge the card instead of sharing it? See this workflow.
- Share a Token Between Merchants. Both companies on PCI Booking? Share the token directly without relaying card data.

