From my own reading of the rules it would seem there is room for an encrypted copy of the secret key to be on the client’s computer since it is not the secret key itself that is being shared with the client. But in the end, you must unencrypt the secret key at the client site before it can be included in the Amazon MWS call.
I am in touch with a number of developers trying to get through the developer approval process using various designs. One company trying to get their on-premise application approved received these comments from Amazon during their approval process:
“Based on our AUP and DPP by sharing your keys to other seller is violating the rules…” and also “API calls should be made…not directly from the seller’s machine.”
My current understanding is that Amazon is not allowing on-premise applications developed by 3rd parties to directly call MWS from the seller site. As a result, some developers are adjusting the design of their apps so the on-premise module calls the developer’s server, then the developer’s server calls MWS after adding the secret key.
I don’t know if your design is the reason Amazon turned off PII for your developer ID. However, I think it could be, so that is the reason I was asking the questions.
It also may be that Amazon has such a large backlog of applications, they just can’t process them all in a reasonable amount of time, so they are putting a hold on things until they get caught up.
You can read here the FAQ #12 about how to appeal:
Dynamic Enterprise Technologies Inc
Seattle Washington USA
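
The design described in the post above, where the on-premise module calls the developer's server and the server adds the key material before calling MWS, shown as an added example that is not part of the original post or anyone's production code. It assumes MWS Signature Version 2 with HMAC-SHA256; the credentials, seller ID and the `build_signed_request` helper are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders; a real server loads these from its secrets store.
DEVELOPER_ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
DEVELOPER_SECRET_KEY = "constructed-secret-not-a-real-key"
MWS_HOST = "mws.amazonservices.com"

# Fields only the server may set; the on-premise module must not supply them.
SERVER_ONLY = {"AWSAccessKeyId", "Signature", "SignatureMethod",
               "SignatureVersion", "Timestamp"}


def rfc3986(value):
    """Percent-encode everything except the RFC 3986 unreserved characters."""
    return quote(str(value), safe="-_.~")


def build_signed_request(client_params, path, timestamp):
    """Hypothetical helper: sign a request received from the on-premise module.

    Runs on the developer's server, which then POSTs the result to MWS itself.
    """
    supplied = SERVER_ONLY & set(client_params)
    if supplied:
        raise ValueError(f"client supplied server-only fields: {sorted(supplied)}")

    params = dict(client_params)
    params.update(AWSAccessKeyId=DEVELOPER_ACCESS_KEY,
                  SignatureMethod="HmacSHA256",
                  SignatureVersion="2",
                  Timestamp=timestamp)
    # Signature Version 2: sort by parameter name, encode, join with '&'.
    canonical = "&".join(f"{rfc3986(k)}={rfc3986(v)}"
                         for k, v in sorted(params.items()))
    string_to_sign = "\n".join(["POST", MWS_HOST, path, canonical])
    digest = hmac.new(DEVELOPER_SECRET_KEY.encode(), string_to_sign.encode(),
                      hashlib.sha256).digest()
    params["Signature"] = base64.b64encode(digest).decode()
    return params


if __name__ == "__main__":
    # Constructed request as the on-premise module would send it: no key material.
    req = {"Action": "ListOrders", "SellerId": "A1EXAMPLESELLER", "Version": "2013-09-01"}
    print(build_signed_request(req, "/Orders/2013-09-01", "2019-01-01T00:00:00Z"))
```

The secret key is read only inside `build_signed_request`, so nothing stored on or returned to the seller's machine has to contain it, encrypted or otherwise.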