FAQs

Can we tokenize a credit or debit card without the iframes?

No, due to PCI-DSS compliance it is required that all handling of the credit card information is done through the iFrames.

Are any rate limits applied to your API's?

Rate limiting is applied to many of our critical API's including our tokenizing, payments, gift card balance checks, and iFrame initialization services. These services are limited to 8 requests per customer per minute, meaning that a single customer on your site cannot process more than 8 requests for the same API within 60 seconds. We may set these rate limits to prevent system abuse, however, these can be adjusted based on your needs for your merchant.

Is it safe to expose your API key in the front end application / browser?

It is preferable that the API key is not exposed to the public through front-end apps for security reasons. The common way is using a back-end server as a relay to fetch the API results and pass them on to your front-end. If for some reason you have to make an API call from the front end, there are ways to hide the API keys like keeping them as environment variables.

Wpay uses a combination of the API Key, Bearer Tokens and IP Whitelisting for security measures. When you sign up with us and receive the API keys, you also need to specify a list of IPs that are authorized to be used with this key. Therefore, even if your API key is found or stolen, only your servers will be able to use it.

What are the 3DS Model challenge response screen size values?

The screen size value acsWindowSize which is past to Cardinal for the size of the iFrame modal challenge response.