Tags: mobile, payment-gateway, payment, balanced-payments

Best practice for using Balanced API on mobile app


I am implementing the new Balanced API for payments, and am starting to think about putting it on our mobile (native) apps.

I see they have a JavaScript library for sending credit card information directly to their server. I obviously don't want payment info to go through our server (PCI), and I don't want to include my API key/secret in the app.

So what would be the best way to handle the credit card info on our mobile apps?


Solution

UPDATE


    Since you're writing for a smartphone you should be able to make a RESTful API call directly to Balanced to tokenize the card without using balanced.js.

    The card and bank account endpoints don't require authentication to tokenize these resources so you don't need to worry about including any API keys with the app. The documentation explains how to tokenize the card but let me explain it in more detail:

    TL;DR

    Make a POST directly from your mobile app to the card_uri or bank_account_uri that is associated with your Marketplace and it will return a response which includes the tokenized resource's URI.

    Example

    If your Marketplace's URI was /v1/marketplaces/M123-456-7890 then the flow would look like this:

    On the client

    The payload you pass through should look like:

    {
        "card_number": "5105105105105100",
        "expiration_month": "01",
        "expiration_year": "2020",
        "security_code": "123"
    }
    

    This should then be submitted like so:

    POST /v1/marketplaces/M123-456-7890/cards
    

    The response will look something like:

    {
      "brand": "visa",
      "name": null, 
      "expiration_year": 2020, 
      "uri": "/v1/marketplaces/TEST-MP991-204-5261/cards/CCfc1596189e0911e18ba9024f5cb9b783", 
      "expiration_month": 12, 
      "state": "new", 
      "last_four": 5100, 
      "address": null
    }
    

    The client then only needs to return the uri from the response to your server; on the server you can associate the card with the user's account.

    On the server

    To associate the card's URI with an existing account you can make a PUT request to the account's URI with the URI of the card passed through as a parameter called card_uri. If you're creating a new account, then POST to the marketplace's accounts_uri with the email address of the user.

    What you want to be careful of is that you don't log the user's card_number or security_code in any debugging log on the device, as this would bring the device into PCI scope and could be bad if their phone was compromised.
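The two halves of the flow in this answer (tokenize on the phone without any secret, attach only the returned URI on the server) as one runnable example. This is added illustration code, not Balanced's library or the answer's own code. The endpoint paths, payload fields and the card test number are taken from the answer; the API host, the HTTP Basic auth scheme (secret as username, empty password), the card-URI pattern (inferred from the example id `CCfc15…`), the `fake_balanced` transport and the Luhn check inside it are assumptions made so the example runs offline. It also adds the two checks a practitioner would want: the device logs only a redacted copy of the card, and the server refuses a client-supplied `card_uri` that does not belong to its own marketplace, since the client cannot be trusted.

```python
import base64
import hashlib
import logging
import re
from typing import Callable, Dict, List, Tuple

MARKETPLACE_URI = "/v1/marketplaces/M123-456-7890"   # marketplace URI from the answer
API_BASE = "https://api.balancedpayments.com"        # assumed API host

# transport(method, url, headers, json_body) -> (status, json_body); swapped for a fake below
Transport = Callable[[str, str, Dict[str, str], Dict], Tuple[int, Dict]]

SAMPLE_CARD = {  # constructed input; the card number is the answer's test number
    "card_number": "5105105105105100",
    "expiration_month": "01",
    "expiration_year": "2020",
    "security_code": "123",
}


def redact(card: Dict) -> Dict:
    """Loggable copy of a card payload: PAN masked to its last four, CVV dropped."""
    safe = dict(card)
    if "card_number" in safe:
        pan = str(safe["card_number"])
        safe["card_number"] = "*" * (len(pan) - 4) + pan[-4:]
    if "security_code" in safe:
        safe["security_code"] = "[redacted]"
    return safe


# ---------- client side: runs on the phone, holds no API secret ----------

def tokenize_card(card: Dict, transport: Transport) -> str:
    """POST the raw card straight to Balanced and return only the tokenized card URI."""
    logging.debug("tokenizing card %s", redact(card))   # never log `card` itself (PCI scope)
    status, body = transport("POST", API_BASE + MARKETPLACE_URI + "/cards",
                             {"Content-Type": "application/json"}, card)   # no Authorization header
    if status != 201:
        raise RuntimeError("tokenization failed: HTTP %d" % status)
    return body["uri"]   # this URI, and nothing else, goes to the app server


# ---------- server side: holds the API secret, never sees the PAN ----------

# Assumed shape of a card URI, inferred from the answer's example id (CC + 32 hex chars).
CARD_URI_RE = re.compile(r"^(/v1/marketplaces/[A-Za-z0-9-]+)/cards/CC[0-9a-f]{32}$")


def attach_card(account_uri: str, card_uri: str, api_secret: str, transport: Transport) -> Dict:
    """Validate the client-supplied card_uri, then PUT it onto the account."""
    m = CARD_URI_RE.match(card_uri)
    if not m or m.group(1) != MARKETPLACE_URI:   # the client is untrusted: only our marketplace's cards
        raise ValueError("card_uri is not a card of this marketplace")
    token = base64.b64encode((api_secret + ":").encode()).decode()   # assumed Basic-auth scheme
    headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}
    status, body = transport("PUT", API_BASE + account_uri, headers, {"card_uri": card_uri})
    if status != 200:
        raise RuntimeError("attach failed: HTTP %d" % status)
    return body


def enroll_card(card: Dict, account_uri: str, api_secret: str, transport: Transport) -> Dict:
    """Whole flow: the device tokenizes, the server attaches the returned URI."""
    card_uri = tokenize_card(card, transport)                          # on the phone
    return attach_card(account_uri, card_uri, api_secret, transport)   # on the server


# ---------- fake Balanced, so the example runs offline ----------

def luhn_ok(number: str) -> bool:
    """Luhn checksum for card numbers; 5105105105105100 passes, 5105105105105101 does not."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def fake_balanced(calls: List[Dict]) -> Transport:
    """Transport mimicking the two endpoints used above; every call is recorded in `calls`."""
    def transport(method, url, headers, body):
        calls.append({"method": method, "url": url, "headers": headers, "body": body})
        path = url[len(API_BASE):]
        if method == "POST" and path == MARKETPLACE_URI + "/cards":
            if not luhn_ok(body.get("card_number", "")):
                return 400, {"status": "Bad Request"}
            card_id = "CC" + hashlib.sha256(body["card_number"].encode()).hexdigest()[:32]
            return 201, {"uri": "%s/cards/%s" % (MARKETPLACE_URI, card_id),
                         "last_four": body["card_number"][-4:], "state": "new"}
        if method == "PUT" and path.startswith(MARKETPLACE_URI + "/accounts/"):
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, {"status": "Unauthorized"}
            return 200, {"uri": path, "card_uri": body["card_uri"]}   # fake, minimal response
        return 404, {"status": "Not Found"}
    return transport


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    recorded = []
    print(enroll_card(SAMPLE_CARD, MARKETPLACE_URI + "/accounts/AC1", "example-secret",
                      fake_balanced(recorded)))
```

In a real app the `transport` is the platform HTTP client over TLS; the structure stays the same: the call that carries `card_number` and `security_code` is the one with no credentials, and the call that carries credentials never sees the card. The marketplace check in `attach_card` matters because a tampered client could otherwise hand your server any URI it likes.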