
I'm trying to integrate with Braintree using the JavaScript SDK and the Drop-in plugin, but there is something I find hard to understand. It seems that the user gives free permission with his "payment_method_nonce" to charge his credit card without knowing how much he is being charged. Let me explain:

Looking at the flow overview:

  1. The client requests an authorization token from my server. The server then creates a new token using its unique Braintree SDK credentials and sends the token back to the client.
  2. The user enters his credit card number and submits -> the client sends a request to the Braintree server.
  3. The Braintree server returns a "payment_method_nonce" to the client.
  4. The client sends the "payment_method_nonce" to my server.
  5. Using the "payment_method_nonce", my server creates a transaction, sets a price to charge and sends a request to the Braintree server. The user doesn't know how much he was charged, since the request was sent from the server.

When I worked with PayPal directly (without the Braintree SDK), the user was redirected to the PayPal domain to complete the transaction. There he was presented with all the details about the transaction, price and all, but with Braintree this step is missing.

What am I missing here?

Tal Humy

1 Answer

Full disclosure: I work at Braintree. If you have any further questions, feel free to contact support.

The Drop-In is a pre-made UI for accepting cards and PayPal. It should not be used as the sole part of your checkout.

You are responsible for incorporating the Drop-in UI into an existing checkout workflow within your store, which should include confirmation of meaningful transaction information such as address, amount, etc. By contrast, PayPal, who has security concerns for their account holders, includes some checkout steps in their UI as a means of providing trust and security to their customers.

hollabaq
  • Hi hollabaq, thank you for your help. I downloaded the Node.js example from the Braintree site and followed the steps on the client and server side. I noticed that the client sends the request to the Braintree server without any price bound to it, and then receives a payment_method_nonce. Now the server can charge the user any price. It seems that the payment_method_nonce should be bound to a price; if the server tries to claim a different price then it should fail. – Tal Humy Oct 19 '17 at 07:41
  • Did you check whether payment_method_nonce has validation against the price? It might make sense, since in your step 2) when you show the Drop-in UI to the user you create a DropInRequest (Android here) and you can set an amount on it. The DropInRequest is sent to the Braintree server and you get a payment_method_nonce, so it might be that it has some checksum for the amount. However, at least the same amount and the same cc info generate a different payment_method_nonce every time. I will check whether the server does validation, i.e. if you set amount 10 in DropInRequest and use the payment_method_nonce on the server with a different amount. – Tony Oct 19 '17 at 11:52
  • Hi Tal Humy, totally understand your logic. Payment method nonces are one-time representations of sensitive credit card data and can be used for two main purposes: to create [transactions](https://developers.braintreepayments.com/guides/transactions/) and to create or update [payment methods](https://developers.braintreepayments.com/guides/payment-methods/) in the Vault for repeat use. Including price in the nonce would make sense for the first use case, but not for the second. – hollabaq Oct 26 '17 at 20:12
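
The practical consequence of the answer and comments above, as an added Node.js example (not code from the question, the answer, or Braintree's own sample): since the nonce carries no price, the merchant server has to bind the amount itself. Here the server keeps the quoted total in its own order record, requires the client to echo the total it displayed to the customer, and passes only the stored total to `transaction.sale`, so a tampered page cannot lower the charge and a replayed nonce cannot charge a paid order twice. The `gateway` argument is assumed to have the Braintree Node SDK shape `gateway.transaction.sale(request)` returning a promise of a result with `success`, `message` and `transaction` (in production that would be `new braintree.BraintreeGateway({...})`); the order store, nonce strings and the fake gateway are constructed for the example so it runs offline.

```javascript
'use strict';

// Added example, not Braintree's code. A payment_method_nonce is a one-time
// handle to card data and carries no amount; the merchant server binds the
// price by charging only the total it stored when the checkout was rendered.

// Constructed server-side order store. Totals are computed from prices the
// server controls when the checkout page is rendered, never from the browser.
function makeOrders() {
  return new Map([
    ['order-1001', { total: '49.99', currency: 'USD', status: 'pending' }],
    ['order-1002', { total: '5.00', currency: 'USD', status: 'pending' }],
  ]);
}

// Builds the /checkout handler. `req` mirrors the JSON a Drop-in page POSTs:
// { orderId, paymentMethodNonce, confirmedAmount }. `gateway` is assumed to
// expose the Braintree Node SDK's transaction.sale(request) -> Promise<result>.
function createCheckoutHandler(gateway, orderStore) {
  return async function checkout(req) {
    const order = orderStore.get(req.orderId);
    if (!order) return { ok: false, error: 'unknown order' };
    if (order.status !== 'pending') return { ok: false, error: 'order already processed' };
    if (typeof req.paymentMethodNonce !== 'string' || req.paymentMethodNonce.length === 0) {
      return { ok: false, error: 'missing payment_method_nonce' };
    }
    // The client echoes the amount it showed the customer. This is only a
    // consistency check (stale cart, tampered page); it never sets the price.
    if (req.confirmedAmount !== order.total) {
      return {
        ok: false,
        error: `displayed amount ${req.confirmedAmount} does not match order total ${order.total}`,
      };
    }

    // The amount comes from the server-side order, not from the request body.
    const saleRequest = {
      amount: order.total,
      paymentMethodNonce: req.paymentMethodNonce,
      orderId: req.orderId,
      options: { submitForSettlement: true },
    };
    const result = await gateway.transaction.sale(saleRequest);
    if (!result.success) return { ok: false, error: result.message };

    order.status = 'paid';
    order.transactionId = result.transaction.id;
    return { ok: true, transactionId: result.transaction.id, charged: result.transaction.amount };
  };
}

// Constructed stand-in for the real gateway so the example runs offline. It
// mimics the SDK result shape and, like Braintree, accepts each nonce once.
function makeFakeGateway() {
  const usedNonces = new Set();
  const sales = [];
  return {
    sales,
    transaction: {
      async sale(request) {
        if (usedNonces.has(request.paymentMethodNonce)) {
          return { success: false, message: 'Unknown or expired payment_method_nonce.' };
        }
        usedNonces.add(request.paymentMethodNonce);
        sales.push(request);
        return {
          success: true,
          transaction: { id: `txn-${sales.length}`, amount: request.amount, status: 'submitted_for_settlement' },
        };
      },
    },
  };
}

// Three constructed requests: an honest client, a client that "confirms" a
// lowered price, and a replay of the first nonce against the paid order.
async function demo() {
  const gateway = makeFakeGateway();
  const checkout = createCheckoutHandler(gateway, makeOrders());
  const results = [];
  results.push(await checkout({ orderId: 'order-1001', paymentMethodNonce: 'nonce-a', confirmedAmount: '49.99' }));
  results.push(await checkout({ orderId: 'order-1002', paymentMethodNonce: 'nonce-b', confirmedAmount: '0.01' }));
  results.push(await checkout({ orderId: 'order-1001', paymentMethodNonce: 'nonce-a', confirmedAmount: '49.99' }));
  return { results, sales: gateway.sales };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((out) => console.log(JSON.stringify(out, null, 2)));
}
```

Only the first request reaches the gateway; the second is refused before any call because the echoed amount does not match the stored total, and the third is refused because the order is already paid. The same structure applies whether the nonce is used for a one-off sale or first stored in the Vault: the amount is a property of the merchant's order, which is why hollabaq notes it does not belong in the nonce.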