These docs are for version 1.0, which is no longer officially supported. The latest version is 3.0.

Enhancing Security

PCI Booking takes client security very seriously. Our service is highly secure: our employees are prohibited, both technically and procedurally, from accessing card data stored by our clients, we comply with all security guidelines of PCI compliance, and we provide access controls and other measures. However, we know that in many cases customers may want or need to include additional security controls on top of the existing ones in order to fit their specific needs or comply with specific requirements.

The following is a list of security features available to you in PCI Booking, which you can utilize based on your specific needs. We recommend employing as many of these security features as possible.

  • IP Restrictions - allows you to set which IP address(es) can perform actions with the PCI Booking API.
  • Relay Restrictions - allows you to define the list of target URLs that credit card data can be sent to via PCI Booking's relay method (aka "Token replacement").
  • User and Permission Management - allows you to set up multiple users (aka "Subaccounts") in your main account and provide each user with the permissions to perform only applicable actions.
  • Whitelisting with Third Parties - PCI Booking recommends that you whitelist the PCI Booking API IP addresses with the third parties that you retrieve data from and push data to.
  • Whitelisting senders - allows you to set up a list of approved addresses on your end to restrict who can send requests to you through the PCI Booking Gateway.
  • CVV Retention Policy - allows you to set a time frame for storing the CVV with the card details in the token before the CVV is deleted automatically. We recommend that the retention period be as short as possible.
    • Deleting the CVV value once processing of the card is complete is part of the requirements of PCI-DSS.
    • In addition to deleting the CVV, you can set PCI Booking to also delete, at the same time, the full card details.
  • Syncing Database of Tokens - PCI Booking recommends that you regularly review your database of tokens, compare it against the tokens held in PCI Booking, and ensure that both databases match. This avoids any stale card data being stored in PCI Booking.