DO NOT use/put your secret-key inside your Client Application (e.g. mobile app, javascript, html etc.) Only put and use it in your server-script / server hosted code.
DO NOT calculate your signature through your client application (e.g. mobile app, javascript, html etc.)
DO NOT communicate to RDP server directly through your client-code. ONLY use your server-side code to communicate with RDP server.
DO NOT record any card details inside your system.
Recommendation:
Install a SSL Certificate for your Server to communicate with us. This ensures that every communication from your client to your server is encrypted.
Code your communication with RDP only in your Server-Side Script/Code
Create a layer of API point in your server to service your client API, and utilize this server-point to communicate directly with RDP
Setup signature system per client-account to make your layer of API an authenticated system.
Send the request’s fields of client_user_agent and client_ip_address, these information are beneficial for increasing your payment safety and feed into RDP Fraud Detection System (FDS). This is due to the recommendation of (3) which means RDP face directly only Merchant server, and this server-to-server communication require Merchant to feed in the client’s information through request to RDP.
Request to RDP for your account to be setup with unique order_id enforcement. This ensures that the same order_id by the same mid cannot be resulted in a new transaction. This requires your system to have a more rigorous handling in terms of your order_id generation.