# App Development Guidelines
Whenever you begin developing an application for GoDaddy Poynt, it's essential to keep certain information in mind. Below, we have gathered some initial guidelines, including specific requirements, recommendations, restrictions, and legal considerations.
These guidelines are meant to give existing and potential developers an overview of their responsibilities within the GoDaddy Poynt developer ecosystem and of what we expect from the relationship.
You can also refer to the App Center section, where you will find specific information such as Developer Agreement and Application Compliance Requirements.
# Requirements
# Data Security & Privacy
You must ensure compliance with all applicable privacy and data collection laws and regulations if your application collects any customer or merchant data.
TLS 1.2 must be used for all HTTP-based network connections. This also applies to web content displayed in WebView. Invalid certificates are not allowed and will result in failed network connections.
- The complete list of TLS certificates trusted by the device can be found under Settings > Systems > Security > Trusted credentials.
When transmitting data between your terminal app and your back-end services, you must use certificate pinning. For more information about certificate pinning on Android, see the Certificate & Public Key Pinning documentation.
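The two rules above (TLS 1.2 only, and pinning for the terminal-to-back-end channel) can be enforced in one place in the HTTP client. The following is an added example, not code from the Poynt documentation or SDK; it uses OkHttp, and the host name and the two pin values are placeholders you must replace with your own.

```java
import java.io.IOException;
import java.util.Collections;

import javax.net.ssl.SSLPeerUnverifiedException;

import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

/** Added example: TLS 1.2+ only, with public-key pinning, for the app's back-end calls. */
public final class BackendClient {

    // Placeholder back-end host (assumption; use your own).
    static final String BACKEND_HOST = "api.example.com";

    // Placeholder pins (assumption). Compute the real SubjectPublicKeyInfo hashes with:
    //   openssl s_client -connect api.example.com:443 </dev/null 2>/dev/null \
    //     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | openssl enc -base64
    // Pin the current key AND a backup key you already hold, so a planned rotation
    // does not lock every deployed terminal out of your back-end.
    static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private final OkHttpClient client;

    public BackendClient() {
        // Accept TLS 1.2 or 1.3 only. Because this is the only spec listed, OkHttp
        // has nothing to fall back to: no CLEARTEXT, no older protocol version.
        ConnectionSpec tls12Plus = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
                .build();

        // The pinner runs after normal chain validation, so an invalid certificate
        // still fails even if an attacker somehow matched a pin.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(BACKEND_HOST, PIN_CURRENT, PIN_BACKUP)
                .build();

        client = new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(tls12Plus))
                .certificatePinner(pinner)
                .build();
    }

    /**
     * Sends one authenticated GET. The bearer token is a Poynt JWT obtained from the
     * token service at runtime, never a private key or secret baked into the APK.
     */
    public String get(String path, String poyntJwt) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + BACKEND_HOST + path)
                .header("Authorization", "Bearer " + poyntJwt)
                .build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("HTTP " + response.code() + " from " + path);
            }
            return response.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // Pin mismatch or untrusted chain: fail closed. Never retry without pinning.
            throw new IOException("TLS identity check failed for " + BACKEND_HOST, e);
        }
    }
}
```

A pin failure surfaces as `SSLPeerUnverifiedException` before any application data is sent, which is the behaviour you want; what you must not do is catch it and retry with a permissive client. Keep at least one backup pin deployed before you rotate the back-end key, otherwise terminals in the field lose connectivity until they update.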
The device application must always use Poynt JWT tokens for authentication (do not store your private keys on the device).
WebView must only load content within your control, and it must not allow users to navigate to arbitrary web pages. For hostname whitelisting, see the `shouldOverrideUrlLoading` method in the Android docs.

You must integrate crash reporting into your terminal application to help you identify, track, and fix issues. You can use Firebase Crashlytics or any other crash reporting tool of your choice. This integration must be completed before submitting your application for review.
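One way to implement the WebView rule above with `shouldOverrideUrlLoading` is a `WebViewClient` that compares the exact host of every navigation against a fixed list. This is an added example, not code from the Poynt documentation or SDK; the host names in `ALLOWED_HOSTS` and the `attach` helper are assumptions for illustration.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Added example: a WebViewClient that only lets the WebView navigate to hosts you control. */
public final class AllowlistedWebViewClient extends WebViewClient {

    // Hosts this app controls (assumption; replace with your own). Exact host names,
    // not suffixes: a suffix match would let "app.example.com.evil.tld" through.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "app.example.com",
            "help.example.com"));

    /** True only for https URLs whose host is exactly one of ALLOWED_HOSTS. */
    static boolean isAllowed(Uri uri) {
        if (uri == null) return false;
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;       // "javascript:", "intent:", malformed
        if (!scheme.equalsIgnoreCase("https")) return false;    // keeps the TLS 1.2 rule in force
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // API 24+ signature. Called for link taps, JavaScript-initiated navigations and
    // server redirects. Returning true tells the WebView NOT to load the URL.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        return !isAllowed(request.getUrl());
    }

    // Same check for the pre-API 24 signature.
    @SuppressWarnings("deprecation")
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isAllowed(Uri.parse(url));
    }

    /** Wires the client up and loads the first page, refusing a start URL that is itself off-list. */
    public static void attach(WebView webView, String startUrl) {
        if (!isAllowed(Uri.parse(startUrl))) {
            throw new IllegalArgumentException("start URL is not an allowed host: " + startUrl);
        }
        webView.setWebViewClient(new AllowlistedWebViewClient());
        // Local file and content:// URIs are never part of "content within your control" here.
        webView.getSettings().setAllowFileAccess(false);
        webView.getSettings().setAllowContentAccess(false);
        webView.loadUrl(startUrl);
    }
}
```

Two caveats a reviewer will check: `shouldOverrideUrlLoading` is not invoked for URLs your own code passes to `loadUrl()`, which is why `attach` checks the start URL itself, and it is not invoked for sub-resource loads (images, scripts, frames' resources), so if your pages pull in anything third-party you need the same host check in `shouldInterceptRequest` as well.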
Applications should only ask for permissions needed in the operations provided.
- For device applications, all permissions are configured in the Android manifest. For cloud applications, all permissions are defined through the Application Settings on the developer portal.
WARNING!
Applications that use any of the permissions tagged as Not for use by third-party applications in the Android Developer Documentation (e.g. android.permission.MOUNT_UNMOUNT_FILESYSTEMS) will not be accepted.
# Interoperability
If you are building an application that generates or operates on orders (POS, order taking, etc.), you can utilize the `IPoyntOrderService` (SDK) and the `Orders` resource (API) to provide item-level details. Publish and subscribe to the following intents, which carry `order_id` or `order_object` (if the order is not persisted):
- `poynt.intent.action.NEW_ORDER_CREATED`
- `poynt.intent.action.ORDER_UPDATED`
- `poynt.intent.action.ORDER_ITEM_ADDED`
- `poynt.intent.action.ORDER_ITEM_REMOVED`
- `poynt.intent.action.ORDER_ITEM_UPDATED`
- `poynt.intent.action.ORDER_CANCELED`
- `poynt.intent.action.ORDER_FULFILLED`
- `poynt.intent.action.ORDER_CLOSED`

This guideline applies regardless of whether your application uses the Poynt Products/Catalog resources.
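The following is an added example of both sides of that contract, subscribing to the order intents listed above and publishing them from your own order flow. It is not code from the Poynt documentation or SDK: the action strings and the `order_id` / `order_object` extra names come from the guideline, while the concrete type carried in `order_object` and the `IPoyntOrderService` lookup are left as assumptions for your SDK version.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Bundle;
import android.util.Log;

/** Added example: subscribing to, and publishing, the Poynt order intents. */
public final class OrderEventsReceiver extends BroadcastReceiver {

    private static final String TAG = "OrderEvents";

    // Intent actions from the interoperability guideline.
    static final String[] ALL_ACTIONS = {
            "poynt.intent.action.NEW_ORDER_CREATED",
            "poynt.intent.action.ORDER_UPDATED",
            "poynt.intent.action.ORDER_ITEM_ADDED",
            "poynt.intent.action.ORDER_ITEM_REMOVED",
            "poynt.intent.action.ORDER_ITEM_UPDATED",
            "poynt.intent.action.ORDER_CANCELED",
            "poynt.intent.action.ORDER_FULFILLED",
            "poynt.intent.action.ORDER_CLOSED",
    };

    // Extra keys from the guideline.
    static final String EXTRA_ORDER_ID = "order_id";
    static final String EXTRA_ORDER_OBJECT = "order_object";

    /** One filter matching every order action. */
    public static IntentFilter filter() {
        IntentFilter filter = new IntentFilter();
        for (String action : ALL_ACTIONS) filter.addAction(action);
        return filter;
    }

    /** Register from an Activity/Service; call unregisterReceiver in the matching lifecycle callback. */
    public static OrderEventsReceiver register(Context context) {
        OrderEventsReceiver receiver = new OrderEventsReceiver();
        context.registerReceiver(receiver, filter());
        return receiver;
    }

    static boolean isOrderAction(String action) {
        for (String known : ALL_ACTIONS) if (known.equals(action)) return true;
        return false;
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        if (action == null || !isOrderAction(action)) return;   // not one of ours

        Bundle extras = intent.getExtras();
        String orderId = extras == null ? null : extras.getString(EXTRA_ORDER_ID);
        if (orderId != null) {
            // Persisted order. Any app on the device can send this implicit broadcast,
            // so treat order_id purely as a lookup key and re-read the order through
            // IPoyntOrderService (not shown) instead of trusting any other extra.
            Log.d(TAG, action + " for order " + orderId);
        } else if (extras != null && extras.containsKey(EXTRA_ORDER_OBJECT)) {
            // Non-persisted order: the payload itself travels in the intent. Its concrete
            // type is defined by the SDK (assumption: a Parcelable order model); validate
            // it before acting on it, for the same reason as above.
            Log.d(TAG, action + " carrying an inline order object");
        }
    }

    /** Publish the same intents from your own order flow so other apps can follow along. */
    public static void publish(Context context, String action, String orderId) {
        if (!isOrderAction(action)) throw new IllegalArgumentException("not an order action: " + action);
        context.sendBroadcast(new Intent(action).putExtra(EXTRA_ORDER_ID, orderId));
    }
}
```

Register in `onStart` and unregister in `onStop` (or the Service equivalents). If your target OS build is Android 8.0 or newer, note that implicit broadcasts like these no longer reach manifest-declared receivers, so runtime registration as above is the portable choice.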
# GoDaddy Poynt Specifics
You should push order information to the GoDaddy Poynt cloud. This will allow merchants to access this information through their Poynt HQ Merchant Portal using web and mobile applications.
The application APK must be under 50MB.
You should use only the Poynt Payment Fragment to collect payments, tips, signatures, PINs, and payment processor response information.
You must disable the Pay/Charge button when launching Payment Fragment to prevent multiple payment fragments from stacking up if the merchant clicks the button repeatedly.
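A minimal way to satisfy that rule is to pair the disabled button with an in-flight flag that survives Activity recreation, and to re-enable only when the fragment's result comes back. This is an added example, not code from the Poynt documentation or SDK; the action string is the one used in the Poynt SDK samples but should be taken as an assumption, as are the layout and view ids.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.widget.Button;

/** Added example: launching the Payment Fragment at most once per checkout. */
public class CheckoutActivity extends Activity {

    private static final int REQ_COLLECT_PAYMENT = 1001;
    private static final String STATE_IN_FLIGHT = "payment_in_flight";

    // Action string as used in the Poynt SDK samples (assumption; check your SDK's
    // co.poynt.os.model.Intents for the authoritative constant).
    private static final String ACTION_COLLECT_PAYMENT = "poynt.intent.action.COLLECT_PAYMENT";

    private Button chargeButton;
    private boolean paymentInFlight;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_checkout);        // assumed layout
        chargeButton = findViewById(R.id.charge_button);    // assumed view id

        // If the Activity was recreated while the Payment Fragment is still up,
        // keep the button disabled until onActivityResult arrives.
        if (savedInstanceState != null) {
            paymentInFlight = savedInstanceState.getBoolean(STATE_IN_FLIGHT, false);
        }
        chargeButton.setEnabled(!paymentInFlight);
        chargeButton.setOnClickListener(v -> launchPaymentFragment());
    }

    private void launchPaymentFragment() {
        // The flag catches a second tap that was already queued before
        // setEnabled(false) took effect; the disabled button catches the rest.
        if (paymentInFlight) return;
        paymentInFlight = true;
        chargeButton.setEnabled(false);

        Intent collect = new Intent(ACTION_COLLECT_PAYMENT);
        // collect.putExtra(...): attach the Payment object as the Payment Fragment
        // documentation describes; omitted here.
        startActivityForResult(collect, REQ_COLLECT_PAYMENT);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQ_COLLECT_PAYMENT) return;

        // Whatever the outcome (approved, declined, cancelled), the fragment is gone,
        // so the merchant may charge again.
        paymentInFlight = false;
        chargeButton.setEnabled(true);
        if (resultCode == RESULT_OK && data != null) {
            // Read the processor response from `data` and update the order (omitted).
        }
    }

    @Override
    protected void onSaveInstanceState(Bundle outState) {
        super.onSaveInstanceState(outState);
        outState.putBoolean(STATE_IN_FLIGHT, paymentInFlight);
    }
}
```

Re-enabling in `onActivityResult` rather than in `onResume` matters: `onResume` also fires when the fragment is merely covered and uncovered, which would let a second fragment stack on top of the first.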
Paid plans should start at $4.99, €4.99 or £4.99 (US, CA, UK, IE).
# Recommendations
# Interoperability
Use the Poynt Catalog API and Product Content Provider to enable interoperability with complementary apps in the ecosystem.
Link your customers to GoDaddy Poynt's customer records.
TIP
Poynt creates a customer record for every card that is swiped/used to enable seamless interactions without needing additional identification credentials.
# Reliability, Usability & Responsiveness
Test your applications thoroughly to prevent NullPointerException (NPE) and Application Not Responding (ANR) errors.
Optimize operations for battery usage (e.g. push long-running tasks to the cloud).
Include an About or Help section with the support information to show how the merchant can get assistance with the application.
Provide support contact information to resolve customers' issues/questions.
Implement a crash reporting library (e.g. Bugsnag, Rollbar, Crashlytics) to detect issues proactively.
Rely on PoyntOS authentication and the Poynt Token service rather than adding your own login screen. PoyntOS already locks the screen and requires authentication, so any additional layer of authentication is unnecessary and time-consuming for merchants.
Keep in mind some of the suggestions mentioned below to create a snappy, responsive, simple, and intuitive UI:
- Make touch targets at least 48x48 pixels.
- Support standard gesture navigation.
- Ensure the product is still usable with larger font sizes.
- Use more than just color to convey critical information.
- Ensure critical text has enough contrast.
- Use the following dimensions for logo image assets: 70px(w) x 70px(h) (52dp x 52dp, tvdpi).
- Provide navigation features inside the application, including back and home buttons.
- Implement Native UI for better user experience.
- Consider a flat-color logo without any effects.
Non-native apps should use stylized components that present a native-like experience.
# GoDaddy Poynt Specifics
Use or sync with GoDaddy Poynt's product catalog as applicable.
POS/register applications should use `IPoyntSecondScreenService` to display item information whenever items are being entered/scanned.
# Restrictions
# Data Security & Privacy
YOU MUST NOT:
Embed the credit card form inside your application (credit cards must be processed using only the payment fragment).
Send emails to customer contacts collected from GoDaddy Poynt without their permission. Customers who choose to receive an email receipt should not be targeted to receive marketing emails unless they have provided prior consent.
Resell or redistribute merchant information.
Collect sensitive consumer information such as debit or credit PINs, SSNs (social security numbers), credit card numbers, security codes, etc.
Store secure credentials in your binary APK. Instead, you should utilize the Poynt Token service for authentication and authorization.
Add your own authentication screen for secure operations. Instead, you should leverage PoyntOS authentication and the Token service.
Scan or take pictures of payment cards.
# Usability
YOU MUST NOT:
Create a custom launcher.
Use landscape orientation.
Launch activity from a background service while Payment Fragment is up.
# GoDaddy Poynt Specifics
YOU MUST NOT:
Call Poynt Cloud API directly from the Smart Terminal. You should use Poynt Services via SDK.
Abuse Poynt Cloud API infrastructure by generating heavy API traffic outside of merchant operations.
Use external cloud messaging services. Instead, you should leverage Poynt Cloud Messaging.
Correlate customers across merchants and share GoDaddy Poynt customer information with other providers without explicit authorization.
Use the GoDaddy Poynt logo in your app without receiving prior authorization from GoDaddy Poynt.
Launch any activities when your application is not in the foreground (not currently used by the merchant), including when Payment Fragment is active.
NOTE
As a background service, you can rely on the Android notification framework to bring something to the merchant's attention.
# Compliance & Legal Guidelines
In addition to the recommendations above, developers must follow a series of compliance and legal requirements created by GoDaddy Poynt. These requirements are meant to protect private information provided by consumers, merchants, and developers themselves.
The Compliance Requirements section highlights best practices for providing a positive experience to consumers and merchants. The GDPR Guidelines section covers the European Union regulation that governs how applications and other technological solutions must handle data portability, consent (opt-in, opt-out), data breaches, and age checks, among other important items.
Please make sure to review these sections to make any necessary adjustments to your applications, features, and functionalities.