> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Card Display

> Display stored card details to authorized users via a secure hosted form. Hotels can view guest card data without PCI scope.

The Card Display form is a secure iframe that renders stored card details for authorized viewing, without exposing raw card data to your application.

Use Card Display when you operate a portal for your customers and need to let authorized users view card details. You manage the credentials and access control on your side, deciding who can log in and who has permission to view cards. When an authorized user requests to see a card, your portal calls PCI Booking to generate the display iframe. This way you control access while PCI Booking handles the secure rendering of card data.

## How It Works

1. Your system builds a [Card Display URL](/api-reference/process-cards/request-card-display-form) with the card token, authentication credentials, and any display options as query parameters.
2. You set this URL as the `src` of an iframe on your page.
3. PCI Booking renders the card details directly inside the iframe. Your application never receives the raw card data.

## What Is Displayed

The card display form shows:

* Cardholder name.
* Card number (full or masked, based on permissions).
* Expiration date.
* Card type / brand.
* CVV (if stored and permitted).
* Virtual card details (if applicable).

## Customization

You can customize the display form appearance:

| Parameter       | Description                                                            |
| --------------- | ---------------------------------------------------------------------- |
| `language`      | ISO 639-1 language code for localized labels.                          |
| `css`           | Name of a custom CSS stylesheet configured in your account.            |
| `removeBaseCss` | Set to `true` to strip default styling and apply only your custom CSS. |

Custom stylesheets are managed through the PCI Booking Admin portal under account settings.

## Security

* **Authentication required**. API key, access token, or session-based authentication.
* **Session-limited**. Display URLs are time-limited and tied to the authenticated session.
* **Iframe isolation**. Card data is rendered inside PCI Booking's secure domain. Your application's JavaScript cannot access the iframe content due to cross-origin restrictions.

<Warning title="PCI compliance">
  Even though the card display form keeps raw data out of your systems, displaying full card numbers to users may have PCI DSS implications for your organization. Consult your QSA to determine if card display affects your compliance scope.
</Warning>

## Next Steps

<CardGroup cols={2}>
  <Card title="Card Display with OTP" icon="book" href="/use-tokens/card-display-otp">
    Add OTP verification for higher-security card viewing.
  </Card>

  <Card title="Use Tokens Overview" icon="book" href="/use-tokens/overview">
    All detokenization methods.
  </Card>
</CardGroup>
