The CardPointe Mobile SDKs seamlessly connect your mobile applications to CardSecure to securely encrypt and tokenize customers' payment card data. Tokens and associated payment details can then be retrieved by your server application and securely transmitted to the CardPointe Gateway for authorization.
A complete mobile payment integration consists of two components:
- Tokenization is handled by the CardPointe Mobile SDK (Android or iOS) integrated with your mobile application.
- Authorization is handled by host scripts integrated with your server application.
The CardPointe Mobile SDK installs alongside your mobile application and uses CardSecure to tokenize and encrypt payment card data. Card data can be entered manually in the application or captured using a supported mobile payment reader device. Payment card data is encrypted and tokenized without being exposed to your software application or server.
Additionally, tokens can be stored in customer profiles for use in subsequent transactions.
See the CardPointe Gateway API documentation for more information on the features and capabilities of the CardPointe Gateway.
Tokenization and Authorization Flow
The following diagram illustrates the tokenization and payment flow using the Mobile SDK and server-side REST client.
1. Your mobile app collects payment card data from a connected mobile payment reader or by manual entry in the app and sends the data to CardSecure via the CardPointe Mobile SDK.
2. CardSecure returns a token to the mobile app.
3. The mobile app sends the token to your server, which is running a CardPointe Gateway REST client.
4. Your server application uses the token to make an authorization request to the CardPointe Gateway, via the REST client.
5. The CardPointe Gateway returns the authorization response to your server.
6. Your server passes the authorization response to the mobile app.
Using the CardPointe Mobile SDK to integrate secure payments with your mobile application can help reduce your PCI scope. The SDK provides direct tokenization methods that pass your customers' sensitive card data to CardSecure without ever sending the clear or unencrypted card data to your server.
The token returned from this process is not considered card data; therefore, as the token moves between your client application and your application server, the token does not bring any of those systems or data paths into scope for PCI security controls.
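The scope reduction described above holds only while your server receives tokens and never clear card numbers. The following is an added example, not code from the CardPointe documentation or SDK, of a server-side guard that rejects anything that looks like a raw card number before an authorization body is built. It assumes tokens are 16 digits beginning with 9 and that the body uses `merchid`, `account`, `expiry` and `amount` fields; all function names are hypothetical and the sample values are constructed.

```python
import re

# Assumption: tokens are 16 digits beginning with "9"; confirm against your
# merchant's CardSecure token format before relying on this pattern.
TOKEN_RE = re.compile(r"9\d{15}")
PAN_RE = re.compile(r"\d{13,19}")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_account(value: str) -> str:
    """Return 'token', 'pan' or 'invalid' for a value sent by the mobile app."""
    if TOKEN_RE.fullmatch(value):
        return "token"
    compact = re.sub(r"[ -]", "", value)  # card numbers often arrive with separators
    if PAN_RE.fullmatch(compact) and luhn_valid(compact):
        return "pan"
    return "invalid"


def mask(value: str) -> str:
    """Log-safe form: keep only the last four characters."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def build_auth_payload(merchid: str, account: str, expiry: str, amount: str) -> dict:
    """Build the authorization body only when `account` is a token."""
    kind = classify_account(account)
    if kind == "pan":
        # Clear card data reached the server: refuse it and fix the client.
        raise ValueError("raw card number received; expected a CardSecure token")
    if kind != "token":
        raise ValueError("unrecognized account value " + mask(account))
    # Field names are assumptions; take the real ones from the Gateway API docs.
    return {"merchid": merchid, "account": account, "expiry": expiry, "amount": amount}
```

Run the guard before any request logging so that a misbehaving client cannot write a full card number into your server logs.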
If you are developing an application to accept card-present payments, you must integrate a mobile payment reader (swiper) device with your solution. Currently, the CardPointe Mobile SDKs include support for the ID TECH VP3300.
The VP3300 is a Bluetooth-enabled mobile payment reader device that supports MSR (swipe) and EMV (chip) transactions. The VP3300 connects to your phone or tablet using Bluetooth 4.0, which supports Bluetooth Low Energy (BLE) and automatic pairing.
As described in the CardPointe Mobile SDK Overview, your server-side application must retrieve the token from your mobile application and then use it in an authorization request to the CardPointe Gateway to complete a payment. The following topics provide sample server-side scripts that you can use to integrate the necessary CardPointe Gateway API requests with your application.
Sample scripts are currently available in the following languages: