Methods and systems enable merchants to accept payments through a service provider from a consumer using an app on a mobile device, for example, without redirecting the consumer to the service provider and without collecting the customer's service provider password (a separate PIN may be used). An example of an app on a mobile device is given, but secure payments are also enabled for purchases and other transactions for a website, a merchant, or a service provider who needs to accept payments from customers. A two-key approach allows a merchant, using the two keys—a collection key for merchant apps and general servers and a private, more secure, charge key for merchant “back-end” systems—to collect a user's username and personal identification number (PIN) for acquiring payments through a service provider without compromising the user's service provider username and password (the PIN is distinct from the password).