Vault Add Credit Card (ResAddCC) from a mobile app?

I want to add a custom form to my mobile app where the user enters PAN and Expiry, and I send it to ResAddCC to get a data key for later use.

I think this would require doing a custom XML post directly to the gateway, which would also require having the Store ID and API Token in the mobile app somehow (hardcoded or via HTTPS fetch from my server).

Is this possible or even allowed? I am thinking the API Token should maybe not be exposed this way?

  • Follow-on: If I can't post to the gateway directly with my own custom form, do I need to use Hosted Tokenization (developer.moneris.com/.../Hosted Tokenization)? And if so, how do I convert the temporary token into a permanent one that I can use later on?
  • In reply to jasonaa:

    We recommend not having your store id and api token located within the app, as that could expose you to someone decompiling the app and gaining access to your credentials. With those credentials they could then run transactions through your account (including purchases and even refunds). For this reason we'd recommend using an app-to-server-to-gateway approach. This means your server would be the keeper of the store id and api token. This also means that if you ever need to update the api token, you can do this on the fly on your server. If these are held within the app, you need to deploy a new app to update the credentials, meaning downtime and potential lost sales due to users being unable to check out.

    That being said, you need to look at the PCI implications. If you gather the card info within the app, then transfer the info to your server, to finally process it to our gateway, it brings your app and server within PCI scope. The easiest approach would in fact be to use the hosted tokenization approach; that way the card details are encrypted prior to being sent to our host. You then get a temporary token back, and you can do a card verification or preauth using the temporary token to validate the data. Once you've confirmed card/expiry/CVD, you can then convert the temporary token into a permanent token using the "res add token" transaction, and then you have a permanent token.
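The app-to-server-to-gateway flow the reply describes, as an added runnable illustration (not code from the thread or from Moneris): the app hands PAN and expiry to the hosted tokenization endpoint only, receives a temporary token, and passes just that token to the merchant's server; the server, the sole holder of the store id and api token, runs a card verification and then converts the token with a "res add token"-style call. `StandInGateway`, its method names (`hosted_tokenize`, `card_verification`, `res_add_token`), the 15-minute temp-token lifetime, the "YYMM" expiry format and the credentials `store_demo`/`token_demo` are all assumptions constructed so the example runs offline; they are not the gateway's real API or values.

```python
"""Added illustration of the app -> server -> gateway flow (not Moneris code).
The gateway below is a stand-in with invented method names; it only models
the behaviour described in the reply: card data reaches the gateway through
hosted tokenization, the server (never the app) holds the credentials, the
temporary token is verified first and then converted to a permanent one."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


class GatewayError(Exception):
    """Raised by the stand-in gateway for credential or token failures."""


@dataclass
class _TempToken:
    pan_last4: str
    expiry: str        # "YYMM" (constructed format for this demo)
    issued_at: float


class StandInGateway:
    """Stand-in for the gateway host: keeps the real card data, issues
    temporary tokens, and demands merchant credentials on every vault call."""

    TEMP_TOKEN_TTL = 15 * 60   # assumption for the demo, not a documented value

    def __init__(self, merchants: dict, clock=time.time):
        self._merchants = merchants        # store_id -> api_token
        self._temp = {}                    # temp token -> _TempToken
        self._vault = {}                   # permanent data key -> (last4, expiry)
        self._clock = clock

    # Hosted tokenization: reached from the card-entry page, no credentials.
    def hosted_tokenize(self, pan: str, expiry: str) -> str:
        token = "tmp_" + secrets.token_hex(8)
        self._temp[token] = _TempToken(pan[-4:], expiry, self._clock())
        return token

    def _auth(self, store_id: str, api_token: str) -> None:
        if self._merchants.get(store_id) != api_token:
            raise GatewayError("bad store id / api token")

    def _live_temp(self, temp_token: str) -> _TempToken:
        t = self._temp.get(temp_token)
        if t is None or self._clock() - t.issued_at > self.TEMP_TOKEN_TTL:
            self._temp.pop(temp_token, None)
            raise GatewayError("temporary token unknown or expired")
        return t

    # Card verification on a temp token: the stand-in only checks that the
    # expiry is not before the current month on the gateway clock.
    def card_verification(self, store_id, api_token, temp_token) -> bool:
        self._auth(store_id, api_token)
        t = self._live_temp(temp_token)
        now = time.gmtime(self._clock())
        return t.expiry >= f"{now.tm_year % 100:02d}{now.tm_mon:02d}"

    # "res add token"-style call: temporary token in, permanent data key out.
    def res_add_token(self, store_id, api_token, temp_token) -> str:
        self._auth(store_id, api_token)
        t = self._live_temp(temp_token)
        data_key = "dk_" + secrets.token_hex(8)
        self._vault[data_key] = (t.pan_last4, t.expiry)
        del self._temp[temp_token]         # temp tokens are single-use here
        return data_key


class MerchantServer:
    """Your backend: the only component that knows the store id and api token
    (loaded from server-side config, so rotating them needs no app release)."""

    def __init__(self, gateway: StandInGateway, store_id: str, api_token: str):
        self._gw, self._store_id, self._api_token = gateway, store_id, api_token

    def save_card(self, request: dict) -> dict:
        # The app sends only the temp token.  Credentials arriving from the
        # client are a sign they were baked into the app: refuse them.
        if "store_id" in request or "api_token" in request:
            return {"ok": False, "error": "credentials must not come from the app"}
        temp_token = request["temp_token"]
        try:
            if not self._gw.card_verification(self._store_id, self._api_token, temp_token):
                return {"ok": False, "error": "card verification declined"}
            data_key = self._gw.res_add_token(self._store_id, self._api_token, temp_token)
        except GatewayError as e:
            return {"ok": False, "error": str(e)}
        return {"ok": True, "data_key": data_key}   # store data_key against the customer


def mobile_app_flow(gateway: StandInGateway, server: MerchantServer,
                    pan: str, expiry: str) -> dict:
    """What the app does: card data goes to the hosted page only; the
    merchant server ever sees just the temporary token."""
    temp_token = gateway.hosted_tokenize(pan, expiry)
    return server.save_card({"temp_token": temp_token})


def build_demo(clock=lambda: 1_700_000_000.0):
    """Wire up a gateway and server with constructed credentials and a fixed
    clock (2023-11-14 UTC) so results are reproducible."""
    gateway = StandInGateway({"store_demo": "token_demo"}, clock=clock)
    server = MerchantServer(gateway, "store_demo", "token_demo")
    return gateway, server


if __name__ == "__main__":
    gw, srv = build_demo()
    print(mobile_app_flow(gw, srv, "4242424242424242", "2812"))   # ok, data_key
    print(mobile_app_flow(gw, srv, "4242424242424242", "2201"))   # declined
```

The point to notice is where each secret lives: the PAN never touches `MerchantServer`, and `store_id`/`api_token` never leave it, so the app can be decompiled without yielding anything that runs transactions on the account. The explicit rejection of credentials in the client request is a cheap canary for the "someone hardcoded them in the app after all" case.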