No, due to PCI-DSS compliance it is required that all handling of the credit card information is done through the iFrames.
Rate limiting is applied to many of our critical API's including our tokenizing, payments, gift card balance checks, and iFrame initialization services. These services are limited to 8 requests per customer per minute, meaning that a single customer on your site cannot process more than 8 requests for the same API within 60 seconds. We may set these rate limits to prevent system abuse, however, these can be adjusted based on your needs for your merchant.
It is preferable that the API key is not exposed to the public through front-end apps for security reasons. The common way is using a back-end server as a relay to fetch the API results and pass them on to your front-end. If for some reason you have to make an API call from the front end, there are ways to hide the API keys like keeping them as environment variables.
Wpay uses a combination of the API Key, Bearer Tokens and IP Whitelisting for security measures. When you sign up with us and receive the API keys, you also need to specify a list of IPs that are authorized to be used with this key. Therefore, even if your API key is found or stolen, only your servers will be able to use it.
The screen size value
acsWindowSize which is past to Cardinal for the size of the iFrame modal challenge response.
Updated almost 2 years ago