An additional level of security is provided in the hosted model through the use of certificates. Hosted web applications must have a server certificate in order to handle QBMS callbacks and they must also have a client certificate to POST transaction requests to QBMS. (A list of root certificate authorities that are known to work with QBMS are provided in Appendix D.)
The hosted security model can be used for most types of applications but is required for hosted applications that are accessible over the Internet and that support multiple merchants. Also, you might want to consider this model if your application is an Internetaccessible application that supports refund and void transactions.