As I see, the «API»-type integration does not provide an ability to create tokens for bank cards client-side, without the secret API key.
As I understand, the «Kart Saklama» service requires the secret API key, so it is insecure to use it client-side.
As I understand, iyzico does not provide an analog of Stripe’s stripe.createToken() client-side JavaScript function to tokenize bank card data without passing them to the merchant’s server.
So, is it possible to implement the «API»-type integration (Başlangıç - Prod) without a PCI DSS certification?
My additional explanations to iyzico:
Your API requires passing bank card details from the merchant’s server side: Başlangıç - Prod
See the cardNumber, expireYear, expireMonth, cvc, cardHolderName.
How is it possible for a merchant to have such bank card data on the server side without the PCI DSS certification?