retrieveCvv parameter is set, it also returns the CVV.
Unlike Token Replacement in Request or the Universal Payment Gateway, this method delivers raw card data to your system rather than routing it directly to a third party.
How It Differs from Token Replacement in Request
PCI Booking offers two distinct “token replacement” concepts. Understanding the difference is important:
For production use, Token Replacement in Request is the recommended approach. PCI Booking acts as a proxy, replacing tokens with real card data in the outbound request body and forwarding it to the destination. Your systems never see the real card details.
When to Use This Endpoint
- Sandbox verification. Confirm that card data was stored correctly during integration development.
- PCI-compliant environments. If your system is already fully PCI DSS compliant and you need raw card data for a workflow that cannot use proxy-based token replacement.
- Migration validation. After migrating cards from another vault, verify that the data was transferred accurately.
Recommended Alternatives
For most production scenarios, use one of these methods instead:- Token Replacement in Request to inject card data into outbound API calls to any HTTP endpoint
- Universal Payment Gateway to process payments through supported PSPs with built-in formatting
- Card Display to show card details to authorized users via a secure iframe
Next Steps
Card Display
View card details in a secure iframe without handling raw data.
Token Replacement in Request
Inject card data into outbound requests without PCI scope.
Use Tokens Overview
All ways to use your tokens.

