Using the server-to-server Gateway Payment API means you will be hosting the payment pages yourself. Since you will be collecting and handling credit card data, you must do so in compliance with the PA-DSS standard.
Handling credit card data requires your platform (website, app, e-commerce store) to be PCI compliant. There's a specific standard for that called PA-DSS. It's your own responsibility to understand the requirements and ensure that they are implemented, audited and certified when required.
When you start requesting real transactions using our Gateway Payment API, you will need an API secret from us to authenticate the requests.
Anyone with access to this secret can initiate transactions in your name, so it is of utmost importance to keep this secret safe and share it only with people you can trust, on a need-to-know basis.
Best practices include not writing it down physically and not copying it into any email.