Skip to main content
When two companies are both PCI Booking customers, they can share a token instead of relaying the card data and creating duplicate tokens. This is common in travel: an OTA tokenizes the guest’s card and shares the token with the hotel, so the hotel can charge for incidentals or no-shows without the guest re-entering their card. Sharing saves on transaction fees (no relay + re-tokenization) and storage fees (one token instead of two).

How token sharing works between merchants

  • Company A tokenizes the card and owns the token.
  • Company A associates the token with Company B.
  • Company B can now perform actions on the token (charge, relay, display, etc.) as if they created it.
  • Company A retains ownership, responsibility, and billing for all actions on the token.

Step 1: Tokenize the Card

Company A tokenizes the card using any available method:

Step 2: Associate the Token with Company B

Company A calls Associate with Customer to grant Company B access to the token. After association, Company A sends Company B the token URI. The token URI is not sensitive data and can be shared through any channel (email, API, etc.).

Step 3: Company B Uses the Token

Once associated, Company B can perform any action on the token:
Ownership stays with Company A. All fees for actions performed on the card are billed to Company A. CVV retention policy and long-term storage responsibility remain with Company A.

Step 4: Remove Access

When Company B no longer needs access, Company A calls Disassociate from Customer to revoke access.