APIs for Mobile E-Commerce and In App Transactions

Apigee announced today that it is offering a PCI-DSS compliant API solution, another step for in app transaction capabilities in the mobile e-commerce market.

That’s good news for service providers and solutions integrators. Companies are looking for training and a greater degree of assistance in developing an API infrastructure. PCI compliance by itself is a major task: it requires companies to audit all of their credit card transactions. Integrating cloud-based APIs into the already inherent complexity of this process is a hurdle for mobile e-commerce adoption.

In practical terms, people buy apps in a marketplace. That’s usually the end of the transaction. PCI compliance can push transactions into the app itself. For example, a travel company could offer a deal in an app and complete the transaction right there. That’s not practical right now.

Apigee’s offering works this way. Apigee is a software company. It will integrate the PCI-compliant API infrastructure into the provider’s environment for apps that can scale in the cloud. The API management environment is designed to mask information such as a social security number, and it provides the ability to encrypt information. The cloud in this equation is Data Pipe, a PCI-compliant data center. Each customer is kept as a separate instance in the Data Pipe environment.
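The masking the article attributes to the API management layer, shown as an added illustration that is not Apigee’s or Data Pipe’s code: a Python filter that walks an API payload and masks social security number and card number fields before the payload is logged or returned, keeping only what PCI-DSS permits to be displayed for a PAN (first six and last four digits). The field names and the sample payload are assumptions constructed for the example.

```python
import json
import re
from typing import Any

# Field names an API management layer would treat as sensitive (assumed;
# the article names the SSN, and PCI-DSS is concerned with the card number / PAN).
SENSITIVE_KEYS = {"ssn", "social_security_number", "card_number", "pan"}
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

# Constructed sample API response, the kind of payload the gateway would filter.
SAMPLE_RESPONSE = json.dumps({
    "customer": {"name": "A. Example", "ssn": "123-45-6789"},
    "payment": {"pan": "4111111111111111", "amount": "42.00"},
})


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: confirms a digit string is a plausible PAN before masking."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_value(key: str, value: Any) -> Any:
    """Mask one field: an SSN keeps its last 4 digits, a PAN keeps first 6 and last 4."""
    if not isinstance(value, str):
        return value
    digits = re.sub(r"\D", "", value)
    if key in {"ssn", "social_security_number"} and SSN_RE.match(value):
        return "***-**-" + digits[-4:]
    if key in {"card_number", "pan"} and 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return value                # not a recognised SSN/PAN shape: leave untouched


def mask_payload(obj: Any) -> Any:
    """Recursively walk a decoded JSON payload and mask sensitive fields anywhere in it."""
    if isinstance(obj, dict):
        return {k: (mask_value(k.lower(), v) if k.lower() in SENSITIVE_KEYS else mask_payload(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_payload(v) for v in obj]
    return obj


def mask_json(text: str) -> dict:
    """Decode a JSON document, mask it, and return the masked structure."""
    return mask_payload(json.loads(text))
```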

Data Pipe has a practice dedicated to PCI-DSS compliance. Companies can outsource their PCI-DSS compliance requirements to Data Pipe. With Apigee, it is now offering the capability for customers to scale the use of their API in a compliant manner.

Mashery CEO Oren Michels said in an e-mail interview that PCI compliance has been a challenge in the cloud due to its multi-tenant nature. But it is gaining acceptance, as illustrated by Amazon Web Services’ recent certification.

Mashery’s multi-tenant API management platform powers apps for retailers, travel providers and financial services companies. He said there are various methods for meeting PCI compliance:

“For some use cases, running an appliance or a code instance in a PCI-compliant data center is sufficient; for others, higher levels of certification are required. We’ve been securely handling retailers’ transactions in our multitenant, cloud-based API management network for several years. Ultimately, it’s great to see more options for companies that need to manage the APIs that will grow their business.”

He added that “historically, it’s been hard for companies that run in the cloud to meet the PCI requirements because, among other reasons, the standard requires that the consultant needs to conduct site visits (which you can’t really do with many cloud providers) and inspect the actual hardware being used (which in the cloud is not really possible). Now, with the advent of the new PCI DSS2 standard that came out recently, several cloud and datacenter providers, including Amazon Web Services, have been able to gain PCI compliance, meaning that they can be part of a PCI compliant solution.”

It’s clear there are any number of complexities with PCI integration into an API infrastructure. Apigee’s solution is a step toward making the process more automated and easier to integrate. But the complexities are still enormous.

Apigee’s Sam Ramji says APIs have crossed into the mainstream. As the enterprise transforms, there will be a far greater need for helping companies integrate API infrastructures. PCI compliance is a huge task but will be increasingly essential as the digital economy becomes more distributed in nature.

Further, this shows the rate of innovation occurring in the mobile space. Combine PCI-compliant API infrastructures with NFC technologies and you can see why Gartner Research believes the mobile e-commerce market will reach $450 billion by 2015.