Credit card CVV/CVC is only available on the first retrieval

The CVV/CVC of a credit card is only returned on the first successful retrieval of a reservation's payment details, and only when the CVC flag is set to true on the request. Every subsequent call for the same reservation returns the card details without the CVV/CVC. When the CVV/CVC appears to be missing, it is almost always because the payment details have already been fetched once — often by an automated process on the integrator's side — which consumed that single retrieval. This is not driven by elapsed time; it depends solely on whether the CVV/CVC has already been fetched.

The CVV/CVC must also be retrieved within 7 days of the reservation. After that period it is no longer available, regardless of how many times it was previously fetched.

This limitation is deliberate and exists for compliance reasons. Under PCI-DSS regulations the CVV/CVC must not be stored, so NextPax does not retain it. The platform relies on a third-party tokenization vault service to handle sensitive card data, and that service does not hold the CVV/CVC beyond the 7-day window. In other words, the short retrieval window is not a technical shortcoming but a direct consequence of how NextPax stays PCI-compliant by avoiding long-term storage of card security codes.

This is NextPax platform behaviour rather than a channel-specific rule. It applies identically on production and across any channel that supports credit card retrieval (Booking.com, Expedia, and others where applicable). Channels that do not expose card details are not affected.

For Supply API partners: when retrieving reservation payment details via the Supply API, set the CVC flag to true, capture and log your own first retrieval, account for any automation that may fetch the payment details before your own process does, and always retrieve within the 7-day window.