The CardPointe Mobile SDKs seamlessly connect your mobile applications to CardSecure to securely encrypt and tokenize customers' payment card data. Tokens and associated payment details can then be retrieved by your server application and securely transmitted to the CardPointe Gateway for authorization.
This guide provides an overview of the Mobile SDKs. See the CardPointe Mobile SDK Developer Guides for detailed information on integrating payments with your mobile app.
Overview
A complete mobile payment integration consists of two components:
Tokenization is handled by the CardPointe Mobile SDK (Android or iOS) integrated with your mobile application.
Authorization is handled by host scripts integrated with your server application.
Tokenization (Client-side)
The CardPointe Mobile SDK installs alongside your mobile application and uses CardSecure to tokenize and encrypt payment card data. Card data can be entered manually in the application or captured using a supported mobile payment reader device. Payment card data is encrypted and tokenized without being exposed to your software application or server.
Additionally, tokens can be stored in customer profiles for use in subsequent transactions.
Authorization (Server-side)
The CardPointe Gateway REST clients install on your application server to integrate your solution with the CardPointe Gateway.
Using a REST client, your server authenticates with the CardPointe Gateway, makes authorization requests using tokens retrieved from the mobile app, and handles responses from the Gateway.
See the CardPointe Gateway API documentation for more information on the features and capabilities of the CardPointe Gateway.
Tokenization and Authorization Flow
The following diagram illustrates the tokenization and payment flow using the Mobile SDK and server-side REST client.
1. Your mobile app collects payment card data from a connected mobile payment reader or by manual entry in the app and sends the data to CardSecure via the CardPointe Mobile SDK.
2. CardSecure returns a token to the mobile app.
3. The mobile app sends the token to your server, which is running a CardPointe Gateway REST client.
4. Your server application uses the token to make an authorization request to the CardPointe Gateway, via the REST client.
5. The CardPointe Gateway returns the authorization response to your server.
6. Your server passes the authorization response to the mobile app.
PCI Compliance
Using the CardPointe Mobile SDK to integrate secure payments with your mobile application can help reduce your PCI scope. The SDK provides direct tokenization methods that pass your customers' sensitive card data to CardSecure without ever sending the clear or unencrypted card data to your server.
The token returned from this process is not considered card data; therefore, as the token moves between your client application and your application server, the token does not bring any of those systems or data paths into scope for PCI security controls.
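A server-side intake check that follows from the scope argument above, as an added example that is not part of the CardPointe SDKs or sample scripts: it flags any message from the mobile app that carries a Luhn-valid card number or an unexpected field before the message is logged or forwarded. The field names, the `tok_` token value and the sample payloads are constructed for illustration; this page does not describe the real token format, so adapt the check if your tokens are all-digit strings.

```python
import re

# Assumption: a candidate PAN is 13-19 digits, optionally split by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Hypothetical field names; substitute the ones your app and server agree on.
ALLOWED_FIELDS = {"token", "amount", "currency", "order_id"}

# Constructed sample messages from the mobile app (not real tokens or cards).
GOOD = {"token": "tok_7f3a9c51e2", "amount": "10.00", "currency": "USD", "order_id": "A-1001"}
BAD = {"token": "4111 1111 1111 1111", "amount": "10.00", "cvv": "123"}


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pan_like(value: str) -> list[str]:
    """Return masked forms (last four kept) of Luhn-valid digit runs in value."""
    hits = []
    for m in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def check_inbound(payload: dict) -> list[str]:
    """Return findings; an empty list means the message may be forwarded."""
    findings = [f"unexpected field: {k}" for k in sorted(payload) if k not in ALLOWED_FIELDS]
    for key, value in sorted(payload.items()):
        for masked in find_pan_like(str(value)):
            # Only the masked form is reported, so the finding is safe to log.
            findings.append(f"PAN-like value in '{key}': {masked}")
    if not payload.get("token"):
        findings.append("missing token")
    return findings


if __name__ == "__main__":
    print(check_inbound(GOOD))
    print(check_inbound(BAD))
```

Run the check before any request logging or persistence, so a misintegrated client that sends clear card data is caught without the value being written anywhere.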
Supported Devices
If you are developing an application to accept card-present payments, you must integrate a mobile payment reader (swiper) device with your solution. Currently, the CardPointe Mobile SDKs include support for the ID TECH VP3300.
The VP3300 is a Bluetooth-enabled mobile payment reader device that supports MSR (swipe) and EMV (chip) transactions. The VP3300 connects to your phone or tablet using Bluetooth 4.0, which supports Bluetooth Low Energy (BLE) and automatic pairing.
As described in the CardPointe Mobile SDK Overview, your server-side application must retrieve the token from your mobile application and then use it in an authorization request to the CardPointe Gateway to complete a payment. The following topics provide sample server-side scripts that you can use to integrate the necessary CardPointe Gateway API requests with your application.
Sample scripts are currently available in the following languages:
These sample scripts provide the following CardPointe Gateway API request methods:
Authorization
Capture
Void
Refund
Funding
Profile
Signature Capture
These sample scripts are intended to serve as example implementations, and do not represent the current and full capabilities of the CardPointe Gateway API.
See the CardPointe Gateway API for detailed, up-to-date information on using these request methods and handling response data.