Thank u so much for the explanation. Would u mind to say how do I accomplish Point 2 using API ? I mean I have got my tx block hash, but how do I check if it is part of the main chain ?
Using blockchain.info API?
By looking for "mainchain" value in the rawblock RPC using the blockhash from step 1.
https://blockchain.info/rawblock/00000000000007d0f98d9edca880a6c124e25095712df8952e0439ac7409738a{
"hash":"00000000000007d0f98d9edca880a6c124e25095712df8952e0439ac7409738a",
"ver":1,
"prev_block":"0000000000000a5d8e40fb83ef468e6d83d1bf5365a8dfad36c4271c4a68c7b5",
"mrkl_root":"4850536df3c620972a07df5bd4896c61212776059ad6be4f6b583f9186bc98e9",
"time":1322130562,
"bits":437129626,
"fee":2150000,
"nonce":2984497136,
"n_tx":99,
"size":26700,
"block_index":169706,
"main_chain":true,
"height":154594,
"received_time":1322130562,
"relayed_by":"127.0.0.1",
...
With blockchain.info the internals of their API are a blackbox so I wouldn't want to assume that however you can explicitly confirm that by
a) getting the blockhash of the tx (rawtx)
b) checking that block is still in the main chain (rawblock)
c) computing the confirmations as latestblock_height - txblock_height (latestblock)
Combined that allows you to verify that the tx is in a block, that the block is in the main chain and has the required number of confirmations.
If you have the ability to run bitcoind (can be run without server knowing the decryption passphrase or even better with a watching wallet copy) you can get the same information easier and without having to trust a third party. You can use the transaction and block callback to be notified when a tx is included in a block and when a block has found. By checking the status of the tx you can confirm it is in the main chain (orphaned tx will show 0 confirms).
If you want an easier option and can't run bitcoind, blockchain.info also has a receive payments API.
Understand this isn't zero-trust as payments will be sent to an address which blockchain.info has the private key for and then forwarded on to an address you designate. This means in theory funds could be stolen if blockchain.info is hacked or "hacked". It does however provide an easier higher level API and the potential loss is limited to payments that haven't yet been forwarded to you. Depending on your transaction value and risk tolerance this might be acceptable. Do your own due diligence I haven't used or researched this API.
https://blockchain.info/api/api_receive