Handle credit card payouts without PCI DSS

If you don't hold PCI DSS certification and can't store raw card data, you can still process credit card payouts by tokenizing the card first and using the token in the payout request.

How it works

  1. Tokenize the card data. Collect the card details from the recipient and submit number, expirationYear, and expirationMonth to POST /tokenize to generate a short-lived token. The tokenize endpoint does not require an API key and is designed to be called client-side, so raw card data never reaches your server. See the Tokenization quickstart for the details.
  2. Use the token in the payout request. Pass the token in the paymentSource field of your POST /payout request instead of raw card details.
     {
       "paymentSource": {
         "type": "token",
         "token": "d86bdcbb-c369-46d9-a9d0-9c5010e3bfdb"
       },
       "amount": 50.00,
       "currency": "USD",
       "consumerId": "cb-gateway-id",
       "url": {
         "ipnUrl": "https://your-server.example.com/webhooks/centrobill"
       }
     }

This approach keeps all sensitive card data out of your environment while allowing you to initiate payouts securely.
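As an added example (not CentroBill's own code), a small server-side helper in JavaScript that takes the token the browser obtained from POST /tokenize and builds the POST /payout body shown above, refusing any input that looks like a raw card number so a bug or misconfiguration in the client cannot pull card data into your environment. The client payload shape ({ token, amount }) and the PAN heuristic (13 to 19 digits passing Luhn) are assumptions, not part of the API.

```javascript
// Added example, not CentroBill's own code. The browser calls POST /tokenize
// itself and sends only { token, amount } (assumed shape) to this server,
// which builds the POST /payout body. PAN heuristic below is an assumption.
// Luhn check, used only to recognise values that look like a raw card number.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}
// True when a string is plausibly a PAN (spaces/dashes stripped, Luhn-valid).
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}
// Builds the payout body from the page. Throws instead of forwarding anything
// that resembles raw card data, so a misconfigured client cannot push a PAN
// into this server's logs or outbound API calls.
function buildPayoutRequest(input, config) {
  for (const [field, value] of Object.entries(input)) {
    if (looksLikePan(value)) {
      throw new Error(`refusing raw card data in field "${field}"`);
    }
  }
  if (typeof input.token !== 'string' || input.token.length === 0) {
    throw new Error('token from POST /tokenize is required');
  }
  const amount = Number(input.amount);
  if (!Number.isFinite(amount) || amount <= 0) {
    throw new Error('amount must be a positive number');
  }
  return {
    paymentSource: { type: 'token', token: input.token },
    amount: Math.round(amount * 100) / 100, // two decimals, as in the example
    currency: config.currency,
    consumerId: config.consumerId,
    url: { ipnUrl: config.ipnUrl },
  };
}
```

Send the returned object as the body of POST /payout straight away, since the token is short-lived.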

Note

Tokens from POST /tokenize are short-lived. Submit the payout request immediately after tokenizing. If the token expires before you submit the payout, ask the recipient to re-enter their card details and tokenize again.