by noveltyaccount 5126 days ago
I was thinking about this too--what access does that API key give someone? Even if it's just to charge a card, it's a risk since it can be used by bad people to validate stolen credit cards.

Either I put my secret key in the javascript and initiate the request in the browser (thus leaking my secret key), or I accept the inputs onto my server and forward the request to Pin, thus increasing PCI compliance burden because now sensitive data is passing through my server.

I'd like this more if it functioned closer to Braintree's transparent redirect. https://www.braintreepayments.com/developers/api-overview No sensitive data ever touches my servers (customer's POST goes to Braintree, and then they redirect to my server with a query string token that I use to validate the tx with Braintree).


It looks like they provide pin.js so that your server never has to accept the credit card details, but rather a single-use token (much like Stripe, I believe).

https://pin.net.au/docs/pin_js

Oh, that's cool, thanks for the docs link. I like the way the API hijacks the form submit and replaces the card with the token. I'm still a bit curious as to what a nefarious user could do with your "publishable API key," but this is much better than I had initially thought.
> I'm still a bit curious as to what a nefarious user could do with your "publishable API key,"

I suspect very little if they don't also have your 'secret' API key. I guess they could request a single-use token for a card, but I don't think they could then do anything with it.
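An added illustration of the flow the thread describes, from the submit hijack in the pin.js post to the publishable/secret key split in the reply above. This is not pin.js or Pin's API; the mock gateway, key values, field names and token format are all constructed for the example.

```javascript
// Added example (not pin.js or Pin's API): a minimal model of client-side
// tokenization and of what each key can and cannot do. Everything here,
// including key strings and field names, is constructed for illustration.

const CARD_FIELDS = ["card_number", "card_cvc", "card_expiry_month", "card_expiry_year"];

// Constructed mock gateway: only the privilege boundary matters here.
class MockGateway {
  constructor(publishableKey, secretKey) {
    this.publishableKey = publishableKey;
    this.secretKey = secretKey;
    this.tokens = new Map(); // token -> { last4, used }
    this.charges = [];
  }
  // Tokenization needs only the publishable key and never returns card data.
  createToken(key, card) {
    if (key !== this.publishableKey) throw new Error("invalid publishable key");
    if (!/^\d{13,19}$/.test(card.card_number)) throw new Error("invalid card number");
    const token = "tok_" + String(this.tokens.size).padStart(6, "0");
    this.tokens.set(token, { last4: card.card_number.slice(-4), used: false });
    return token;
  }
  // Charging needs the secret key, which stays on the merchant server,
  // and each token may be spent exactly once.
  charge(key, token, amountCents) {
    if (key !== this.secretKey) throw new Error("secret key required");
    const t = this.tokens.get(token);
    if (!t || t.used) throw new Error("unknown or already-used token");
    t.used = true;
    this.charges.push({ token, amountCents });
    return { last4: t.last4, amountCents };
  }
}

// Browser-side step: what the submit handler does before the form reaches
// the merchant server. Card fields are exchanged for a token and dropped,
// so the server only ever receives the token plus non-sensitive fields.
function tokenizeForm(fields, gateway, publishableKey) {
  const card = {};
  for (const f of CARD_FIELDS) card[f] = fields[f];
  const token = gateway.createToken(publishableKey, card);
  const submitted = {};
  for (const [k, v] of Object.entries(fields)) {
    if (!CARD_FIELDS.includes(k)) submitted[k] = v;
  }
  submitted.card_token = token;
  return submitted;
}
```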