First I'll explain the problem, then the solution I'm thinking of.
I'm making an application where users will have accounts and can purchase physical goods. Therefore, in-app purchases are out and it looks like authorize.net or PayPal it is. I would like a system where users could make an account, and then enter credit card information *on the phone*, which then "saves" to their account if they choose to do so. I don't want to store this information, because I'm not a security expert, etc.
It appears that CIM is the perfect solution to this, but doesn't exist for the iPhone SDK and even if it did, it appears each device needs to be manually added to even process transactions -- not fun.
So, here is a proposed solution. I'm not sure if this is allowed, let me know.
1. iPhone application takes data (Credit Card Number, Expiration, etc) and passes it with the current session to my rails server over https. None of this information is stored.
2. The session correlates to a user ID in Rails, which then contacts authorize.net CIM, again over https, to add the requested profile, which we reference by correlated IDs (effectively making authorize.net the secure storage for our users' data and the processor for transactions). Again, no security-critical information is stored on my servers.
3. The response that Rails gets from authorize.net is then relayed back to the iPhone, and to the user the whole thing seems to just work.
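Here is the server side of the three-step flow described in the question, written as an added example; it is not code from the poster or from Authorize.net. It builds the CIM `createCustomerProfileRequest` XML, parses the response, and records only the returned profile IDs against the user. Assumptions: the element names follow the public CIM XML API (`merchantAuthentication`, `profile`, `paymentProfiles`, `customerProfileId`, `customerPaymentProfileIdList`); the HTTPS call is injected as a `transport` callable so the example runs offline; `SAMPLE_OK_RESPONSE`, `SAMPLE_ERROR_RESPONSE`, the `STUB_TRANSPORT` that returns them, and the `USERS` hash standing in for a users table are all constructed for the example. The point worth checking is that after the call the user record holds two IDs and no card data, and that the reply sent back to the phone carries only a masked card.

```ruby
# Added example (not from the original post): Rails-side relay to Authorize.net CIM.
require "rexml/document"
require "net/http"
require "openssl"
require "uri"

CIM_ENDPOINT = "https://api.authorize.net/xml/v1/request.api" # sandbox uses apitest.authorize.net
CIM_XMLNS = "AnetApi/xml/v1/schema/AnetApiSchema.xsd"

# Step 2a: build the createCustomerProfileRequest. `card` is used here and nowhere else.
def build_create_profile_request(merchant_customer_id, card, auth)
  doc = REXML::Document.new
  root = doc.add_element("createCustomerProfileRequest", "xmlns" => CIM_XMLNS)
  ma = root.add_element("merchantAuthentication")
  ma.add_element("name").text = auth[:login]
  ma.add_element("transactionKey").text = auth[:transaction_key]
  profile = root.add_element("profile")
  profile.add_element("merchantCustomerId").text = merchant_customer_id.to_s
  cc = profile.add_element("paymentProfiles").add_element("payment").add_element("creditCard")
  cc.add_element("cardNumber").text = card[:number]
  cc.add_element("expirationDate").text = card[:expiration] # YYYY-MM
  cc.add_element("cardCode").text = card[:code] if card[:code]
  root.add_element("validationMode").text = "liveMode" # CIM runs an auth to validate the card
  out = +""
  doc.write(out)
  out
end

# Namespace-agnostic child lookup, so the default xmlns on the response does not matter.
def child(el, name)
  el && el.elements.find { |c| c.name == name }
end

# Step 2b: pull the result code and the IDs we will keep out of the response.
def parse_create_profile_response(xml)
  root = REXML::Document.new(xml).root
  msg = child(child(root, "messages"), "message")
  ids = child(root, "customerPaymentProfileIdList")
  {
    result: child(child(root, "messages"), "resultCode")&.text,
    message: "#{child(msg, 'code')&.text}: #{child(msg, 'text')&.text}",
    customer_profile_id: child(root, "customerProfileId")&.text,
    payment_profile_ids: ids ? ids.elements.map(&:text) : []
  }
end

# Production transport: TLS with peer verification. Not exercised in the offline test.
def cim_https_transport(endpoint, body)
  uri = URI(endpoint)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.post(uri.path, body, "Content-Type" => "text/xml").body
end

# Steps 2 and 3 together: relay the card to CIM, store only IDs, answer the phone with a mask.
def save_card_to_profile(users, user_id, card, auth, transport)
  request_xml = build_create_profile_request(user_id, card, auth)
  response = parse_create_profile_response(transport.call(CIM_ENDPOINT, request_xml))
  raise "CIM error: #{response[:message]}" unless response[:result] == "Ok"
  users[user_id] = {
    customer_profile_id: response[:customer_profile_id],
    payment_profile_ids: response[:payment_profile_ids]
  }
  # Only a display token goes back to the device; the PAN is not echoed.
  { status: "saved", card: "**** #{card[:number][-4, 4]}",
    payment_profile_id: response[:payment_profile_ids].first }
end

# Constructed sample responses in the shape CIM returns (not captured from a live account).
SAMPLE_OK_RESPONSE = <<~XML
  <createCustomerProfileResponse xmlns="#{CIM_XMLNS}">
    <messages><resultCode>Ok</resultCode><message><code>I00001</code><text>Successful.</text></message></messages>
    <customerProfileId>10000</customerProfileId>
    <customerPaymentProfileIdList><numericString>20000</numericString></customerPaymentProfileIdList>
    <customerShippingAddressIdList/>
  </createCustomerProfileResponse>
XML
SAMPLE_ERROR_RESPONSE = <<~XML
  <createCustomerProfileResponse xmlns="#{CIM_XMLNS}">
    <messages><resultCode>Error</resultCode><message><code>E00027</code><text>The transaction was unsuccessful.</text></message></messages>
  </createCustomerProfileResponse>
XML

# Offline stand-in for cim_https_transport: approves the standard Visa test number only.
STUB_TRANSPORT = lambda do |_endpoint, request_xml|
  request_xml.include?("<cardNumber>4111111111111111</cardNumber>") ? SAMPLE_OK_RESPONSE : SAMPLE_ERROR_RESPONSE
end

USERS = {} # stand-in for the users table; holds profile IDs only

if __FILE__ == $PROGRAM_NAME
  auth = { login: "apilogin", transaction_key: "transactionkey" }
  card = { number: "4111111111111111", expiration: "2030-12", code: "123" }
  p save_card_to_profile(USERS, 42, card, auth, STUB_TRANSPORT)
  p USERS
end
```

Two things this does not do for you in a real Rails app: the card fields still pass through the request, so add them to `config.filter_parameters` so they never land in the request log, and the server still transmits cardholder data even though it stores none, which keeps it inside PCI DSS scope.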