How It Works
- Your system builds a Card Display URL with the card token, authentication credentials, and any display options as query parameters.
- You set this URL as the
srcof an iframe on your page. - PCI Booking renders the card details directly inside the iframe. Your application never receives the raw card data.
What Is Displayed
The card display form shows:- Cardholder name.
- Card number (full or masked, based on permissions).
- Expiration date.
- Card type / brand.
- CVV (if stored and permitted).
- Virtual card details (if applicable).
Customization
You can customize the display form appearance:
Custom stylesheets are managed through the PCI Booking Admin portal under account settings.
Security
- Authentication required. API key, access token, or session-based authentication.
- Session-limited. Display URLs are time-limited and tied to the authenticated session.
- Iframe isolation. Card data is rendered inside PCI Booking’s secure domain. Your application’s JavaScript cannot access the iframe content due to cross-origin restrictions.
Next Steps
Card Display with OTP
Add OTP verification for higher-security card viewing.
Use Tokens Overview
All detokenization methods.

