> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Share a Card Token Between Two Merchants

> Let two merchants use the same card token without duplicating card data. Saves on tokenization and storage fees while keeping both parties PCI compliant.

When two companies are both PCI Booking customers, they can share a token instead of relaying the card data and creating duplicate tokens. This is common in travel: an OTA tokenizes the guest's card and shares the token with the hotel, so the hotel can charge for incidentals or no-shows without the guest re-entering their card. Sharing saves on transaction fees (no relay + re-tokenization) and storage fees (one token instead of two).

## How token sharing works between merchants

* **Company A** tokenizes the card and owns the token.
* Company A **associates** the token with **Company B**.
* Company B can now perform actions on the token (charge, relay, display, etc.) as if they created it.
* Company A retains ownership, responsibility, and billing for all actions on the token.

## Step 1: Tokenize the Card

Company A tokenizes the card using any available method:

* [Hosted Card Entry Form](/capture-cards/hosted-card-entry-form)
* [Card By Link](/capture-cards/card-by-link)
* [Tokenization on Response](/capture-cards/tokenization-on-response)
* [Tokenization on Request](/capture-cards/tokenization-on-request)
* [Universal Tokenization](/capture-cards/universal-tokenization)

## Step 2: Associate the Token with Company B

Company A calls [Associate with Customer](/api-reference/manage-tokens/associate-with-customer) to grant Company B access to the token.

After association, Company A sends Company B the token URI. The token URI is not sensitive data and can be shared through any channel (email, API, etc.).

## Step 3: Company B Uses the Token

Once associated, Company B can perform any action on the token:

* Charge via [Universal Payment Gateway](/use-tokens/universal-payment-gateway)
* Relay to a third party via [Token Replacement](/use-tokens/token-replacement-in-request)
* View card details via [Card Display](/use-tokens/card-display)
* [Delete the token](/manage-tokens/delete-tokens) (removes their association, not the token itself)

<Info>
  **Ownership stays with Company A.** All fees for actions performed on the card are billed to Company A. CVV retention policy and long-term storage responsibility remain with Company A.
</Info>

## Step 4: Remove Access

When Company B no longer needs access, Company A calls [Disassociate from Customer](/api-reference/manage-tokens/disassociate-from-customer) to revoke access.

## Related

* [Third-Party Permissions](/manage-tokens/third-party-permissions). Overview of property and customer token associations.
* [CVV Retention Policy](/capture-cards/cvv-retention-policy). If Company B needs CVV access, Company A must set a retention policy first.
* [Send Stored Card Details to a Hotel](/use-cases/capture-and-send-to-hotel). Need to send the actual card data to a hotel instead of sharing the token?
* [Process OTA and Channel Manager Payments](/use-cases/third-party-to-gateway). Receiving cards from a third party and need to charge them?
