Skip to main content
Token Replacement in Response lets you send card data to a third party without making the outbound call yourself. PCI Booking sits as a gateway in front of your API. When a third party sends a request, your API processes it and responds with tokens. PCI Booking replaces the tokens with real card data before relaying the response back to the sender. This is the mirror of Tokenization on Request in the Capture Cards section. Both use the same gateway infrastructure, but in opposite directions: Tokenization on Request tokenizes card data in the third party’s inbound request, while Token Replacement in Response detokenizes tokens in your outbound response.

How It Works

  1. PCI Booking sets up a gateway endpoint. The gateway is configured with your SSL certificate and a custom site name. Third parties send their requests to this gateway URL instead of directly to your API.
  2. Third party sends a request. The request arrives at the PCI Booking gateway.
  3. Request forwarded to your API. PCI Booking relays the request to your API endpoint (with optional tokenization of inbound card data).
  4. Your API responds with tokens. Your API processes the request and includes card tokens in the response body.
  5. Token replacement. PCI Booking parses your response, retrieves the real card data for each token, and substitutes it into the response body.
  6. Response relayed to sender. The third party receives the response with real card data. Your systems never handled raw card details.

Bi-Directional: Tokenize and Detokenize in One Call

The same gateway can handle both directions simultaneously:
  • Inbound: Tokenize card data in the third party’s request before it reaches your API (Tokenization on Request).
  • Outbound: Replace tokens in your API’s response with real card data before relaying back to the sender (this page).
This means a single gateway endpoint can keep card data off your systems in both directions.

Target Profiles

The gateway uses a target profile to know where tokens appear in your response and how to replace them. Each profile includes content filters that define the location of card fields in the message. The PCI Booking support team configures this as part of the gateway setup.

Setting Up the Gateway

Gateway setup is done by the PCI Booking support team. Contact support@pcibooking.net with:
  • Your PCI Booking username.
  • The target URI where requests should be relayed to (your API endpoint).
  • How to identify which responses contain tokens that need replacement.
  • A sample of your response structure (XML or JSON) showing where tokens appear.
If you already have a Tokenization on Request gateway set up, the same gateway can be enhanced to also perform token replacement on the response. Contact support to enable it.

Use Cases

  • Sending card details back to a booking platform or OTA that originally sent you the reservation.
  • Responding to a channel manager’s request with card data for payment processing on their end.
  • Any scenario where a third party expects real card data in your API response.

Next Steps

Token Replacement in Request

The forward direction: you send requests to a third party through PCI Booking.

File Transfer Token Replacement

Send card data via SFTP/FTPS.

Use Tokens Overview

All detokenization methods.