> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Use Tokens Overview

> Use PCI Booking tokens to charge, authorize, refund, display cards, replace tokens in API requests, and transfer files, all without handling card data

Once a card is tokenized, you use the token to send card data wherever it needs to go. PCI Booking retrieves the real card data from the vault, substitutes it at the point of delivery, and your systems never handle sensitive card details.

## Assessing Risk

Before using a token, you can analyze the card for fraud risk indicators to decide whether you are willing to proceed with the transaction.

| Method                                             | How It Works                                                                                                                                                       |
| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **[Risk Assessment](/use-tokens/risk-assessment)** | Send a token to PCI Booking's risk assessment endpoint. Returns a risk score and contributing factors that you can use as input to your fraud prevention workflow. |

## Processing Payments

Use the Universal Payment Gateway to charge, authorize, or refund through a payment service provider (PSP).

| Method                                                                       | How It Works                                                                                                                                                                                                                                                                                                                            |
| ---------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **[Universal Payment Gateway (UPG)](/use-tokens/universal-payment-gateway)** | Send a token, amount, and your PSP credentials to PCI Booking's single API endpoint. PCI Booking detokenizes the card and sends the transaction to your chosen PSP. 100+ PSPs supported. Supports [charge](/use-tokens/charge), [authorize & capture](/use-tokens/authorize-capture), and [refunds & voids](/use-tokens/refunds-voids). |

## Inserting Card Data into Messages via HTTP

Send card data to third parties by routing HTTP traffic through PCI Booking. Tokens are replaced with real card data in transit.

| Method                                                                         | How It Works                                                                                                                                                                                                                                            |
| ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **[Token Replacement in Request](/use-tokens/token-replacement-in-request)**   | You send an HTTP request through PCI Booking as a proxy, with tokens in the request body. PCI Booking replaces tokens with real card data and forwards the request to the destination. Supports JSON, XML/SOAP, form-encoded, and query string formats. |
| **[Token Replacement in Response](/use-tokens/token-replacement-in-response)** | A third party sends a request to your API through a PCI Booking gateway. Your API responds with tokens. PCI Booking replaces the tokens with real card data before relaying the response back to the sender.                                            |

## Inserting Card Data into Messages via File

Send card data to third parties by routing file transfers through PCI Booking.

| Method                                                                             | How It Works                                                                                                                                           |
| ---------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **[File Transfer Token Replacement](/use-tokens/file-transfer-token-replacement)** | Upload a file containing tokens to PCI Booking. Tokens are replaced with real card data and the file is delivered to the destination via SFTP or FTPS. |

## Displaying Card Data

Use these methods when authorized staff need to view card details.

| Method                                                    | How It Works                                                                                                                 |
| --------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| **[Card Display](/use-tokens/card-display)**              | Render stored card details in a secure iframe. Your application never receives the raw card data.                            |
| **[Card Display with OTP](/use-tokens/card-display-otp)** | Same as Card Display, with an additional one-time password verification step via SMS or voice before revealing card details. |

## Retrieving Raw Card Data via API

The [Token Replacement (API)](/use-tokens/token-replacement-api) endpoint returns the full, unmasked card number directly in the API response. Unlike all other methods above, this means your system receives raw card data, putting it in scope of PCI DSS compliance.

<Warning>
  This method is intended for sandbox testing only. If you need to view card details in production, use [Card Display](/use-tokens/card-display) instead. See the [Token Replacement (API)](/use-tokens/token-replacement-api) page for details and PCI compliance implications.
</Warning>
