Skip to main content
Card Display with OTP is a PCI Booking-hosted page that displays stored card details after verifying the viewer’s identity with two one-time passwords - one sent to their email and one sent to their phone number. Use this when you don’t have your own portal for managing user access to card details, or when you don’t want to deal with the security and PCI compliance implications of building user management for card viewing into your systems. PCI Booking handles the entire authentication and display flow. Unlike Card Display (which uses an iframe embedded in your portal), Card Display with OTP is a standalone hosted page. The viewer accesses it directly on PCI Booking’s domain.

How It Works

  1. Initiate a view request. Your system calls the initView endpoint with the card token, the viewer’s phone number, email, and name.
  2. Email verification. PCI Booking sends an email to the viewer containing a link. The first OTP is embedded in the link, so the viewer verifies email access simply by clicking it.
  3. Phone verification. After clicking the link, the viewer is prompted to verify their phone number. They choose to receive a code via SMS or voice call, then enter it on screen.
  4. Card revealed. After both verifications succeed, the card details are displayed on PCI Booking’s hosted page.

Security

  • Each OTP is a single-use 6-digit code, hashed and salted before storage. PCI Booking does not retain the plain-text code.
  • OTPs expire after a limited time window.
  • Two-factor verification (email link + phone code) ensures the viewer controls both channels.
Use Card Display with OTP when you want PCI Booking to handle the entire card viewing flow, including identity verification. Use Card Display when you already have a portal with your own user management and access control.

Next Steps

Card Display

Iframe-based card display for use within your own portal.

Use Tokens Overview

All detokenization methods.