How It Works
- Your system sends an HTTP request to the PCI Booking relay endpoint, specifying the destination URL and including card tokens in the request body.
- PCI Booking validates the destination against your account’s allowed endpoints (relay restrictions).
- PCI Booking retrieves the real card data for each token and substitutes it into the request body.
- The modified request is forwarded to the destination with the real card data.
- The destination’s response is returned to your system.
Supported Content Types
PCI Booking detects the content type automatically and applies the appropriate replacement engine:Bi-Directional: Tokenization on the Way Back
The same proxy call can also tokenize card data in the destination’s response. If your profile is configured for it, PCI Booking extracts card data from the response, tokenizes it, and returns tokens to you instead of raw card numbers. See Tokenization on Response for details on setting up profiles for this. When tokenization on response is active, the response includes:Target Profiles
Instead of specifying replacement rules in every request, you configure a target profile once per third-party message format and reference it by name. Each profile includes content filters that define where card fields appear in the message, plus optional client certificates for mutual TLS.Security
- Relay restrictions. Your account can be configured with an endpoint whitelist. Requests to destinations not on the list are rejected. Contact support or use the Admin portal to manage your allowed endpoints.
- Client certificates. Target profiles can include client certificates for mutual TLS authentication with the destination.
- Timeout. Relay requests have a default timeout of 60 seconds.
Next Steps
Token Replacement in Response
The reverse direction: third parties send requests to your API through PCI Booking.
File Transfer Token Replacement
Send card data via SFTP/FTPS.
Use Tokens Overview
All detokenization methods.

