PAYMENTS
/
Use cases
/
Partners not charging travellers
Last updated

No direct charge to travellers

Learn how to define the required payment data when creating an order using different credit cards and authorisation methods.

Is this use case for you?

If you are not entitled to directly charge your travellers (and are not the merchant of record), but your agreement allows you to use online payment methods, this scenario applies to you.

In this setup:

  • Booking.com charges the traveller’s credit card.
  • You forward the payment data via the Demand API.
  • The property receives the payout from Booking.com.
Partner type
Online available methods
partnerPartners not authorised to directly charge travellers.

Booking.com is the merchant of record.		✓ Credit Card + SCA

✓ Credit Card (non SCA)

✓ Credit Card (non SCA) + Riskified

✓ Credit card + MOTO

Follow these instructions and recommendations to create the payment data needed for your requests.

Use case

A traveller uses your application, finds a suitable property and product, and decides to book it. Pays online with credit card.

The flow

  • The traveller books a property in your application and chooses to pay online via credit card.
  • You collect the traveller’s card details.
  • You send these details to Booking.com, who charges the card.
  • Booking.com pays the property.

drawing

This option is available only if your partner agreement with Booking.com includes Online payments. Check the prerequisites for your authentication method before implementation.

1. Check available payment options

→ Use the Quick guide to:

  • Understand how to interpret /orders/preview responses.
  • Preview available payment methods, timings, and schedules.

2. Create your order

When using credit cards, you must define the correct payment.card.authentication method in your /orders/create request.

  • This ensures compliance with regional regulations (e.g. SCA in the EEA).
  • Each scenario below shows how to build the correct payment object.

Use these instructions to define the payment.card.authentication field, according to your business regional legislation.

Implementation steps:
  1. Use /orders/preview endpoint to check supported card methods.
  2. Call /orders/create.
  3. Provide payment details including the correct card.authentication method..

Example - Generic card payment object

In general, when using cards as the payment method, the payment field in your /orders/create request should look like this:

"payment": {
  "card": {
    "authentication": {
      "3d_secure": {
        "authentication_value": "xxxx",
        "eci": "xxxx"
      }
    },
    "cardholder": "xxxx",
    "cvc": "123",
    "expiry_date": "2030-10",
    "number": "1234123412341234"
  },
  "include_receipt": true,
  "method": "card",
  "timing": "pay_online_now"
}
Field
Notes

payment.card.authentication

Required when SCA, Riskified, or exemptions apply.

  • Credit card with SCA - Enter the SCA token using the 3d_secure field.
  • If using Riskified (non-SCA) - Enter the Riskified data.
  • For credit card MOTO (SCA exempted) - Indicate that you won't need SCA token.
payment.cardCredit card without SCA - no authentication is required.

cardholder, cvc, expiry_date,number.

Must be valid card details - Check the list of supported methods.cards returned in the /orders/preview response.

(See the Quick guide to learn how to get this information).

include_receiptThis is optional.
methodMust be "card".
timingAs this is online payment, must be pay_online_now.

For this case do not use the airplus or business information fields.

Supported card scenarios

Credit Card + SCA token

For transactions that require Strong Customer Authentication (SCA) under European Economic Area (EEA) regulations.

The flow

  • Traveller performs SCA on your platform, providing their card details.
  • You receive a 3DS token from your Payment Service Provider (PSP).
  • You send the traveller`s card SCA Token via Demand API.
  • Booking.com charges the card and pays the property.

Pre-requisites

Checklist
You work with a Payment Service Provider (PSP) that supports SCA token generation (and able to share SCA version 1 or 2 with Booking.com)
You must send us the generated SCA Token via Demand API.
Your Online Payment Addendum for CC + SCA is signed.

Define your request

In your /orders/create request:

Enter the SCA token in the payment.card.authentication field by using the 3d_secure field. It must contain the appropriate values for the 3D Secure 2 (3DS2) parameters:

  • authentication_value
  • eci
  • transaction.

You should obtain these values from your bank or Payment Service Provider (PSP).

For example:

"payment": {
  "card": {
    "authentication": {
      "3d_secure": {
        "authentication_value": "xxxx",
        "eci": "xxxx",
        "transaction": "xxxx"
      }
    },
    "cardholder": "xxxx",
    "cvc": 123,
    "expiry_date": "2030-10",
    "number": "1234123412341234"
  }
}

For this case use VCC_exemption but do not use the riskified or sca_exemption fields.

Credit card (non SCA)

For transactions where fraud checks are handled by your own fraud provider.

The flow

  • Traveller provides card details.
  • Fraud protection is handled externally.
  • You forward the traveller`s credit card details to Booking.com, with no token.
  • Booking.com pays the property.

Pre-requisites

Checklist
You have a Fraud risk prevention provider.
Demand API must be updated minimum to version 2.10.

Define your request

Do not use the payment.card.authentication field when using /orders/create.

For example:

"payment": {
  "card": {
    "cardholder": "xxxx",
    "cvc": 123,
    "expiry_date": "2030-10",
    "number": "1234123412341234"
  }
}

Credit Card (non SCA) + Riskified

For partners using Riskified to provide fraud detection.

The flow

  • Traveller provides card details.
  • Riskified validates the transaction.
  • You send card details plus Riskified session ID and IP address.
  • Booking.com charges the traveller credit card and pays the property.

Pre-requisites:

Checklist
You have an integration with Riskified.
Demand API version must be updated minimum to version 2.10.

Create your order request

In the payment.card.authentication.riskified field:

  • riskified.session_id: Must contain your Riskified-provided session ID for external fraud verification.
  • ip_address: This is a mandatory field.

Do not use the sca_exemption or 3d_secure fields in this scenario.

For example:

"payment": {
  "include_receipt": false,
  "card": {
    "number": "4111111111111111",
    "expiry_date": "2030-03",
    "cardholder": "io",
    "cvc": "xxx",
    "authentication": {
      "riskified": {
        "session_id": "00000000-0000-0000-0000-000000000000",
        "ip_address": "127.0.0.1"
      }
    }
  },
  "timing": "pay_online_now",
  "method": "card"
}

Mail order/telephone order (MOTO) (SCA exemption)

For Corporate partners, where SCA does not apply (telephone or email bookings).

Curious to know more?
  • Learn more about using the credit card method in the Payment methods section.
  • For detailed instructions on MOTO transactions, refer to Corporate partners use case.
  • Check the Orders section for more tips and examples on how to preview and create your order requests.
  • Use the common/payments/cards endpoint to understand the card IDs retrieved in your response.
Previous page
Next page