Important information for securing your application when using the Gateway Payment API and dealing with credit card numbers.

❗️ IMPORTANT!

Using the server-to-server Gateway Payment API means you will be hosting the payment pages yourself. Since you will be collecting and handling credit card data, you must do so in compliance with the PA-DSS standard.

PA-DSS compliance

Handling credit card data requires your platform (website, app, e-commerce store) to be PCI compliant. There's a specific standard for that called PA-DSS. It's your own responsibility to understand the requirements and ensure that they are implemented, audited and certified when required.

Keeping the API secret safe

When you start requesting real transactions using our Gateway Payment API, you will need an API secret from us to authenticate the requests.
Anyone with access to this secret can initiate transactions in your name, so it is of utmost importance to keep this secret safe and to share it only with people you trust, on a need-to-know basis.
Best practices include not writing it down physically and not copying it into any email.
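One way to keep the secret out of source code, emails and log files, as an added example that is not part of this page or the gateway's own client library: the environment variable and file names (GATEWAY_API_SECRET, GATEWAY_API_SECRET_FILE) and the placeholder list are assumptions, since the page does not specify how the secret reaches your server.

```python
import logging
import os
import re
import stat
from pathlib import Path

# Assumed names: the page does not say how the secret reaches your server,
# so this example accepts either an environment variable or a secret file.
SECRET_ENV = "GATEWAY_API_SECRET"
SECRET_FILE_ENV = "GATEWAY_API_SECRET_FILE"
PLACEHOLDERS = {"", "changeme", "your-secret-here", "xxx"}


def load_gateway_secret(environ=None) -> str:
    """Return the API secret from the environment or from a secret file.

    Rejects empty or placeholder values, and secret files readable by group or
    others, so a misconfigured deployment fails at startup rather than running
    with a shared or leaked secret.
    """
    env = os.environ if environ is None else environ
    path = env.get(SECRET_FILE_ENV)
    if path:
        file = Path(path)
        if file.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} must be readable only by the service user")
        secret = file.read_text(encoding="utf-8").strip()
    else:
        secret = env.get(SECRET_ENV, "").strip()
    if secret.lower() in PLACEHOLDERS:
        raise ValueError("gateway API secret is missing or is a placeholder")
    return secret


def redact(text: str, secret: str) -> str:
    """Replace every occurrence of the secret in text with a marker."""
    return re.sub(re.escape(secret), "[REDACTED]", text)


class SecretRedactor(logging.Filter):
    """Logging filter so the secret never ends up in log files or support emails."""

    def __init__(self, secret: str):
        super().__init__()
        self._secret = secret

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so %-style args are covered too, then scrub it.
        record.msg = redact(record.getMessage(), self._secret)
        record.args = ()
        return True
```

Attach the filter to every handler that writes request or error logs (`handler.addFilter(SecretRedactor(secret))`) so a debug dump of an outgoing request cannot leak the secret.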