How It Works
- PCI Booking sets up a gateway endpoint. The gateway is configured with your SSL certificate and a custom site name. Third parties send their requests to this gateway URL instead of directly to your API.
- Third party sends a request. The request arrives at the PCI Booking gateway.
- Request forwarded to your API. PCI Booking relays the request to your API endpoint (with optional tokenization of inbound card data).
- Your API responds with tokens. Your API processes the request and includes card tokens in the response body.
- Token replacement. PCI Booking parses your response, retrieves the real card data for each token, and substitutes it into the response body.
- Response relayed to sender. The third party receives the response with real card data. Your systems never handled raw card details.
Bi-Directional: Tokenize and Detokenize in One Call
The same gateway can handle both directions simultaneously:- Inbound: Tokenize card data in the third party’s request before it reaches your API (Tokenization on Request).
- Outbound: Replace tokens in your API’s response with real card data before relaying back to the sender (this page).
Target Profiles
The gateway uses a target profile to know where tokens appear in your response and how to replace them. Each profile includes content filters that define the location of card fields in the message. The PCI Booking support team configures this as part of the gateway setup.Setting Up the Gateway
Gateway setup is done by the PCI Booking support team. Contact support@pcibooking.net with:- Your PCI Booking username.
- The target URI where requests should be relayed to (your API endpoint).
- How to identify which responses contain tokens that need replacement.
- A sample of your response structure (XML or JSON) showing where tokens appear.
If you already have a Tokenization on Request gateway set up, the same gateway can be enhanced to also perform token replacement on the response. Contact support to enable it.
Use Cases
- Sending card details back to a booking platform or OTA that originally sent you the reservation.
- Responding to a channel manager’s request with card data for payment processing on their end.
- Any scenario where a third party expects real card data in your API response.
Next Steps
Token Replacement in Request
The forward direction: you send requests to a third party through PCI Booking.
File Transfer Token Replacement
Send card data via SFTP/FTPS.
Use Tokens Overview
All detokenization methods.

