Tags: cordova, security, e-commerce, credit-card, pci-compliance

Implementing card payment via PhoneGap SSL card payments on iOS and Android


I intend to develop a mobile app for both Android and iOS using PhoneGap, and this app will include a shopping cart to sell physical goods like shoes and clothes. Of course, at the moment of payment, sensitive card data (card number, CVV, etc.) needs to be collected. My intention is to communicate with a remote server via JSONP both to get the latest items available for sale and also to send the server the credit card details in order to process the payment.

Now my question is this: at Apple, when you submit an app to stay on the market, apparently they test your application and accept/reject it based on the way it was programmed. If I:

  • collect the card details in a regular form on the mobile app
  • send the details to an SSL remote location via JSONP
  • in the remote location (PHP script) I forward the card details to a payment gateway and wait for a response
  • I forward the response back to the mobile app via JSONP
  • I inform the user whether the payment was successful or not

Questions:

  1. Will Apple or Android reject my app because it is not safe or whatever reason?
  2. Is it safe to collect and send card details in this manner?
  3. Am I free to use any payment gateway or must I only use something like the PayPal plugin of phonegap?
  4. Do I need to have something which is PCI compliant somewhere, or is it enough that I send card details via SSL?

Any help is much appreciated. :>


Solution

  • I've started looking at Sage Pay. I have an ASP page on the server to call Sage Pay, which I call from the app using Ajax; I pass parameters such as price, description, etc. I then pick up the Sage Pay "next" page from the response and load it into an iFrame within the app. This seems to be working, and the app is now loading the payment pages directly from Sage Pay. There's a bit of an issue with formatting, but it looks like I can customise the stylesheets for mobile and send them to Sage Pay and they'll load them at their end. So the app never stores any card info, as the user will be entering it directly onto a Sage Pay page.
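The app-side half of the hosted-page flow in the answer above, as an added example (not code from the original post or from Sage Pay). It assumes a merchant-server endpoint `/start-payment` that returns `{ nextUrl }` and an allow-list of payment-page hosts; both are assumptions, not page facts. The two checks it adds are the ones a reviewer would want: the request the app sends carries order data only, never card fields, and the "next" page is loaded into the iframe only if it is HTTPS and on an expected host.

```javascript
// Added example, not from the original post. Assumed (not on the page):
// a merchant-server endpoint /start-payment returning { nextUrl }, and a
// caller-supplied allow-list of payment-page hosts.

// Field names that must never appear in anything the app sends to its own server.
const FORBIDDEN_FIELDS = ['cardNumber', 'pan', 'cvv', 'cvc', 'cv2', 'expiry', 'expiryDate'];

// Build the request the app sends to the merchant server: order data only.
// Amount is in minor units (e.g. pence) so no floating-point rounding is involved.
function buildPaymentRequest(order) {
  for (const key of Object.keys(order)) {
    if (FORBIDDEN_FIELDS.includes(key)) {
      throw new Error(`refusing to send card field "${key}" from the app`);
    }
  }
  if (!Number.isInteger(order.amountMinor) || order.amountMinor <= 0) {
    throw new Error('amountMinor must be a positive integer');
  }
  if (!/^[A-Z]{3}$/.test(order.currency)) {
    throw new Error('currency must be an ISO 4217 code such as GBP');
  }
  return {
    amountMinor: order.amountMinor,
    currency: order.currency,
    description: String(order.description || '').slice(0, 100),
  };
}

// Accept the gateway's "next" page only if it is HTTPS and on an allowed host;
// otherwise a tampered or mistaken response could place an arbitrary page
// inside the app's payment iframe.
function resolveHostedPaymentUrl(serverResponse, allowedHosts) {
  let url;
  try {
    url = new URL((serverResponse || {}).nextUrl);
  } catch (e) {
    throw new Error('server response did not contain a valid nextUrl');
  }
  if (url.protocol !== 'https:') throw new Error('payment page must be served over HTTPS');
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error(`unexpected payment host ${url.hostname}`);
  }
  return url.href;
}

// Glue: POST the order to the merchant server, then return the URL for the iframe.
// `fetchImpl` is injected so the flow can be exercised without a network.
async function startPayment(fetchImpl, order, allowedHosts) {
  const res = await fetchImpl('/start-payment', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(buildPaymentRequest(order)),
  });
  return resolveHostedPaymentUrl(await res.json(), allowedHosts);
}
```

In the app, the URL returned by `startPayment` becomes the `src` of the payment iframe; the card fields exist only on the hosted page, as the answer describes.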