Skip to main content
This workflow covers receiving card details from a third party such as an OTA (Booking.com, Expedia) or channel manager, tokenizing the data automatically, and charging the card through a payment gateway. This is how most hotel platforms process OTA virtual credit cards (VCCs). PCI Booking intercepts the card data in transit so it never reaches your servers, keeping you out of PCI scope even when processing payments from any channel manager integration.

Stage 1: Receive Card Details from Third Party

Two patterns depending on your integration:

Pull: You Fetch from the Third Party’s API

  1. Third party sends you a notification with a reservation ID (no card data).
  2. Your system calls the third party’s API to retrieve reservation details including card data.
  3. Route that API call through PCI Booking using Tokenization on Response. PCI Booking intercepts the response, extracts the card data, stores it, and returns a token to you.
  4. You store the reservation details and the token.

Push: Third Party Sends Data to Your API

  1. Third party sends reservation details (including card data) to your API endpoint.
  2. Configure your endpoint behind PCI Booking using Tokenization on Request. PCI Booking intercepts the incoming request, extracts the card data, stores it, and forwards the tokenized request to you.
  3. You store the reservation details and the token.

Stage 2: Charge the Card

Once you hold the token, charge the card through a payment gateway: Use the Universal Payment Gateway to charge the card directly.
  1. Send a Process Transaction request with the token, amount, currency, and gateway credentials.
  2. PCI Booking injects the real card data and sends the charge request to the payment gateway.
  3. You receive the gateway’s response.

Option B: Token Replacement

Use Token Replacement to send the card to the gateway’s API yourself.
  1. Build an API request to your payment gateway containing the card token.
  2. Route it through PCI Booking. PCI Booking replaces the token with real card data in transit.
  3. The gateway processes the charge and responds.

Frequently asked questions

How does PCI Booking handle OTA virtual credit cards?

PCI Booking intercepts the card data from the OTA’s API response (or incoming webhook), extracts the virtual card details, stores them as a token, and returns the token to your system. The card data never reaches your servers.

Does this work with Booking.com and Expedia?

Yes. PCI Booking’s tokenization works with any third party that sends card data via API, including Booking.com, Expedia, and all major channel managers.