How It Works
- Initiate a view request. Your system calls the initView endpoint with the card token, the viewer’s phone number, email, and name.
- Email verification. PCI Booking sends an email to the viewer containing a link. The first OTP is embedded in the link, so the viewer verifies email access simply by clicking it.
- Phone verification. After clicking the link, the viewer is prompted to verify their phone number. They choose to receive a code via SMS or voice call, then enter it on screen.
- Card revealed. After both verifications succeed, the card details are displayed on PCI Booking’s hosted page.
Security
- Each OTP is a single-use 6-digit code, hashed and salted before storage. PCI Booking does not retain the plain-text code.
- OTPs expire after a limited time window.
- Two-factor verification (email link + phone code) ensures the viewer controls both channels.
Use Card Display with OTP when you want PCI Booking to handle the entire card viewing flow, including identity verification. Use Card Display when you already have a portal with your own user management and access control.
Next Steps
Card Display
Iframe-based card display for use within your own portal.
Use Tokens Overview
All detokenization methods.

