0
votes

As well as E-Commerce payments, SagePay Direct allows account holders to create payments "over the phone" (with details submitted directly from our server) or using Continuous Authority (with details submitted directly from our server). By the looks of things, the details submitted by our server would be identical apart from the payment type which is set to "C" for Continuous Authority and "M" for MOTO.

I am building a payment gateway and some of our users will have "M" and "C" and some of them will only have "M". In both cases cards can be added (with a token returned) and then a payment can be set up using that returned token. And as long as we tell SagePay that we want to keep using the token we can then submit subsequent payments without the customer present. My confusion is that it LOOKS as though there's nothing stopping the "M"-only users from making subsequent payment requests. Is that the case?

I realise they won't be able to repeat a transaction - but given that all the data is submitted by our website, would we be able to make MoTo payments that are, in effect, repeated use of the card token without interception by the cardholder? Or is there some protection to ensure that this does not happen?

1 Answer

0
votes

"would we be able to make MoTo payments that are, in effect, repeated use of the card token without interception by the cardholder"

Yes. As long as you specify accountType=M, and ApplyAVSCV2=2 (to suppress the CV2 requirement), you should be fine. Because you aren't handling card data, it would also be OK for you to use the Direct protocol (which is a lot simpler when you don't have the need for the customer to intervene).
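Since the thread concludes that a stored token can be charged again under account type "M", any restriction has to be enforced by the gateway itself. The sketch below is an added example, not code from the original posts or from Sage Pay. The merchant record, function names and the operator requirement are hypothetical, and every field name other than AccountType and ApplyAVSCV2 is an assumption about the Direct protocol.

```python
from decimal import Decimal
from urllib.parse import urlencode


class AccountTypeNotEnabled(Exception):
    """The merchant is not set up for the requested account type."""


def build_token_payment(merchant, token, amount, currency, vendor_tx_code,
                        account_type, operator=None):
    """Return the form fields for a cardholder-not-present token payment.

    merchant is a hypothetical gateway-side record:
    {"vendor": str, "enabled_account_types": set of "E"/"M"/"C"}.
    """
    # Only allow the account types this merchant is actually enabled for,
    # so an "M"-only merchant cannot submit "C" (Continuous Authority).
    if account_type not in merchant["enabled_account_types"]:
        raise AccountTypeNotEnabled(account_type)
    # Assumed gateway policy: a MOTO charge must name the staff member who
    # keyed it, so repeated token use can be traced in the audit log.
    if account_type == "M" and not operator:
        raise ValueError("MOTO token payments require an operator id")
    return {
        "TxType": "PAYMENT",            # assumed field name
        "Vendor": merchant["vendor"],   # assumed field name
        "VendorTxCode": vendor_tx_code, # assumed field name
        "Amount": f"{Decimal(amount):.2f}",
        "Currency": currency,
        "Token": token,                 # assumed field name
        "StoreToken": "1",              # assumed: keep the token for reuse
        "AccountType": account_type,    # "M" or "C", as on the page
        "ApplyAVSCV2": "2",             # from the answer: suppress CV2 check
    }


def encode_body(fields):
    """URL-encode the fields as a form POST body."""
    return urlencode(fields)


if __name__ == "__main__":
    # Constructed sample data, not real credentials or tokens.
    m_only = {"vendor": "examplevendor", "enabled_account_types": {"M"}}
    fields = build_token_payment(m_only, "CONSTRUCTED-TOKEN", "12.5", "GBP",
                                 "tx-0001", "M", operator="agent-17")
    print(encode_body(fields))
```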