cancel
Showing results for 
Search instead for 
Did you mean: 

iPhone AIM integration

Hi All,

 

I'm developing an iPhone application which allow user to use a credit card reader to capture the credit card details or the user can manually key in the credit card details.

 

My question is can the iPhone application directly post the credit card information to Authorise.Net payment gateway to perform the credit card transacation? If yes, do I need to comply to PCI DSS standard since the credit card information is captured in the iPhone application.

 

Can anyone give me the link on how to implement it?

 

Thanks,

Kenny

kennywen
Member
1 ACCEPTED SOLUTION

Accepted Solutions

Well yes. But you can get a reliable hosting account for probably $10 a month, the SSL for between $30 and $50 per year, so it's not a huge cost. Much less than the cost of the merchant account itself.

View solution in original post

5 REPLIES 5

Yes, it can pass it directly. And as far as the DSS standard goes, you'll be fine as long as you erase the credit card info as soon as your app is done sending to Authorize.net (write over the fields with random gibberish before undefining them if you are using a language with that level of control), and as long as you don't try to send the credit card info over an unsecured connection (obviously, you'll connect via https).

 

Haven't dealt with this specific situation myself, but my brother does 3D iPhone apps and I know the package he uses can send http and https posts, and I'm also fairly familiar with the DSS rules.

TJPride
Expert

Do you mean that I need to clean all the credit card details after I pass the credit card details via HTTPS request to authorize.net then I no need to be comply to PCI DSS standard?

 

Do you able to check with your brother for the details on how to perform the credit card charging in iPhone?

 

Thanks a lot.

It's just your standard XML posts. Any language with a library capable of doing https will be fine. I can't give you specific code because I implemented Authorize.net using the PHP API and not XML, but I know it can be done. My brother uses Unity 3D, which is more for 3D iPhone apps and less for interface sorts of apps, but even it has a WWW library.

 

In answer to your first question - if you don't store the credit card information, all transmissions to Authorize.net are secure, and you erase the credit card information from the phone after sending, then you're complying with PCI DSS. The only potential security flaw is if they can uncompile your app somehow and get the Authorize.net login ID and transaction key, but you could theoretically set up a web server as an intermediary - pass the credit card info to it, have it add the login ID and transaction key, transmit to Authorize.net, get a response back, pass that response back to the iPhone app. That way the app doesn't have the Authorize.net info. Also has the advantage of you being able to use the regular Authorize.net API's, since the transmission between the iPhone and your web server can be in any format you want, and the web server can run something like PHP that you probably won't have available on your phone.

 

That, now that I've thought about it, is probably a better way to go. Do you know anything about web programming?

Yes, I do know PHP and ASP.

 

From your suggestion of set up a web server as an intermediary that mean I need to purchase and install SSL certificated in order to make sure the secure connection from iPhone to the web server? I think this is a good suggestion too and it will involve extra cost of SSL certificated and server hosting fee.

 

Do correct me if I'm wrong. Thanks.

Well yes. But you can get a reliable hosting account for probably $10 a month, the SSL for between $30 and $50 per year, so it's not a huge cost. Much less than the cost of the merchant account itself.