2

I intend to develop a mobile app for both Android and iOS using PhoneGap, and this app will include a shopping cart to sell physical goods like shoes and clothes. Of course, at the moment of payment, sensitive card data (card number, CVV, etc.) needs to be collected. My intention is to communicate with a remote server via JSONP, both to get the latest items available for sale and also to send the server the credit card details in order to process the payment.

Now my question is this: at Apple, when you submit an app to go on the market, apparently they test your application and accept/reject it based on the way it was programmed. If I:

  • collect the card details in a regular form on the mobile app
  • send the details to an SSL remote location via JSONP
  • in the remote location (PHP script) I forward the card details to a payment gateway and wait for a response
  • I forward the response back to the mobile app via JSONP
  • I inform the user whether the payment was successful or not

Questions:

  1. Will Apple or Android reject my app because it is not safe or whatever reason?
  2. Is it safe to collect and send card details in this manner?
  3. Am I free to use any payment gateway or must I only use something like the PayPal plugin of phonegap?
  4. Do I need to have something which is PCI compliant somewhere .. is it enough that I send card details via SSL?

Any help is much appreciated. :>

Gil Hamilton
prince

4 Answers

2

I'm looking to do a similar thing. The link to the Apple in-app purchase guide only really tells you what can be purchased using the in-app purchase mechanism; it doesn't say you can't use another method for selling physical goods. In fact, searching my iPhone apps, Argos takes credit card payments, so it must be possible.

I would be interested in knowing if anyone else has done anything with Phonegap and credit card payments.

WelshLady
1

I've started looking at Sage Pay. I have an ASP page on the server to call Sage Pay, which I call from the app using Ajax; I pass parameters such as price, description etc. I then pick up the Sage Pay "next" page from the response and load it into an iframe within the app. This seems to be working and the app is now loading the payment pages directly from Sage Pay. There's a bit of an issue with formatting, but it looks like I can customise the stylesheets for mobile and send them to Sage Pay and they'll load them at their end. So the app never stores any card info, as the user will be entering it directly onto a Sage Pay page.

WelshLady
  • Can you return back to your app after finishing from the sage pay payment page? – prince Jul 26 '14 at 14:29
  • Well you never actually leave your app, the sage pay pages are loading into an iframe within the html page within the app, so as long as you have some other buttons on the page you can navigate off elsewhere in your app. – WelshLady Jul 28 '14 at 11:06
  • So for my iFrame I have: – WelshLady Jul 28 '14 at 11:13
  • My ajax call does something like this: $.ajax({ url: 'http://www.yourwebsite.com/asp/makePayment.asp', type: 'POST', data: requestStr, success: function (result) { $("#paymentiFrame").attr('src', result); setIFrameSize(); }, error: function (a, b, c) { $('#paymentDiv').html("Data Error" + a.responseText + b + c); } }) ; – WelshLady Jul 28 '14 at 11:27
  • And you can add a function to keep track of the iframe source url so your app can react to that. – WelshLady Jul 31 '14 at 08:52
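The comments above describe loading the gateway's pages into an iframe and "keeping track of the iframe source URL" so the app can react. As an added example (not WelshLady's code, not Sage Pay's), here is how that tracking can be done in the PhoneGap (JavaScript) client, with the check a practitioner would want: while the iframe shows the gateway's pages it is cross-origin and the browser refuses to reveal its location; only once it has returned to a page on the merchant's own origin can the URL be read, and only that origin should be trusted. The merchant origin https://www.yourwebsite.com and the ?order=…&status=ok|failed return-page parameters are assumptions for illustration, not anything the page specifies.

```javascript
// Added example, not code from the original answer or from Sage Pay.
// Assumption (hypothetical): the merchant's server-side success/failure pages
// live on MERCHANT_ORIGIN and carry ?order=<id>&status=<ok|failed>.
const MERCHANT_ORIGIN = "https://www.yourwebsite.com";

// Returns null while the iframe is still on the gateway (cross-origin), on an
// unexpected origin, or on a page without the expected parameters; returns
// { orderId, status } only for the merchant's own return page. Note that the
// scheme is part of the origin, so an http:// return page is rejected too.
function parsePaymentReturn(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // not a URL (e.g. null while still cross-origin)
  }
  if (url.origin !== MERCHANT_ORIGIN) return null;
  const orderId = url.searchParams.get("order");
  const status = url.searchParams.get("status");
  if (!orderId || (status !== "ok" && status !== "failed")) return null;
  return { orderId, status };
}

// Reads the iframe's current location. While the iframe shows the gateway's
// page the browser throws a SecurityError (different origin); that is expected
// and simply means "still on the payment pages".
function currentIframeHref(iframe) {
  try {
    return iframe.contentWindow.location.href;
  } catch (e) {
    return null;
  }
}

// Call once after setting the iframe's src (as the $.ajax success handler in
// the comment above does); onReturn fires only when the merchant page loads.
function watchPaymentFrame(iframe, onReturn) {
  iframe.addEventListener("load", () => {
    const result = parsePaymentReturn(currentIframeHref(iframe));
    if (result) onReturn(result);
  });
}
```

The status parsed on the client is only good enough to decide what screen to show next. Anyone can point the iframe at a URL with status=ok, so the app should then ask the merchant server for the order's authoritative state, which the server learned from the gateway's own callback.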
0

Maybe you should read this first -> Apple In-App-Purchase Guideline


Apple will reject every app that circumvents iOS In-App Purchase, e.g. with credit card payment, PayPal or something like that.

Sithys
  • Hi Sithys, thank you for your reply. I think the table above states that buying physical goods or buying other virtual stuff that can be used OUTSIDE of the app where they were purchased, cannot be done through Apple In-App Purchase. Because In-App as the word implies refers only to virtual goods for use within the same app. However if one is purchasing out-of-app goods I guess they can use something else as long as it is not the in-app-purchase API. Or am I wrong? – prince Jul 07 '14 at 09:56
  • No, this is not possible. You cannot use ANY other options to sell physical goods than in-app purchase for physical goods. It is not allowed to sell physical goods - that's what I know so far! – Sithys Jul 08 '14 at 12:00
  • I was wrong yesterday; maybe have a look over here http://stackoverflow.com/questions/8762096/ios-integrating-credit-card-payments – Sithys Jul 09 '14 at 07:29
  • You're allowed to support payments of physical goods and services. This is how the [PayPal Mobile SDKs](https://developer.paypal.com/webapps/developer/docs/integration/mobile/mobile-sdk-overview/) are allowed to operate. – Jeff Brateman Jul 23 '14 at 04:46
0

You can send the card details to your backend, process the payment on the server side and return a success/failure response to your app, provided you have PCI compliance. If you don't want to get PCI compliance, you can use Stripe to process your payments. You can pass the card details to Stripe via their SDK. Stripe will create a Stripe token and send a response to the app. You can pass the Stripe token to your server, process the payment using the token and return the success/failure of the payment to your app. This way, you'll not have to worry about man-in-the-middle attacks as well.

v01d
  • PCI compliance link is dead. You can check this https://www.pcisecuritystandards.org/documents/PCI_Mobile_Payment_Acceptance_Security_Guidelines_for_Developers_v2_0.pdf – Yigit Pilevne Sep 12 '20 at 09:17