Collecting Payment
Gathering payment method information using Braintree
Overview
Root uses Braintree, a payment processor owned by PayPal, to securely gather and store customer payment method details while supporting PCI compliance.
We require all partners to perform and report their own PCI SAQ A ("Self-Assessment Questionnaire A") on a yearly basis in order to process payments externally.
API integration
Collecting payment requires consuming the PaymentMethod input field type, which contains a client_authorization_token field. This attribute is a signed JWT that includes the configuration and authorization information required by the Braintree client SDK for initialization (see the client token documentation). Although this token might not change for every request, it rotates at least every 24 hours and should therefore be re-fetched on every page render.
Braintree Client integration
Displaying payment fields requires using the client_authorization_token to initialize the Braintree client for your platform of choice. Note that the official documentation refers to a client_token, which is the provided client_authorization_token.
Please refer to the official documentation for client setup as well as UI presentation:
- Braintree Client configuration:
  - Web/JS
  - iOS (Swift)
    - Custom UI documentation
    - Client-side validation can be overridden by setting shouldValidate on an initialized BTCard instance
  - Android (Kotlin/Java)
    - Custom UI documentation
    - Client-side validation can be overridden by setting shouldValidate on an initialized Card instance
- Payment UI presentation:
  - Drop-in "batteries-included" UI (universal support)
  - Hosted fields UI (web/JS only)
Handling collected payment methods
When a configured Braintree Client collects a payment method, it accesses Braintree's API directly to create a payment method "nonce".
A payment method nonce is a secure, one-time-use reference to payment information. It's the key element that allows your server & Root to communicate sensitive payment information to Braintree without ever touching the raw data.
When a nonce has been received back from Braintree using either hosted fields or the drop-in UI, it should be sent back to the respective Step endpoint as a submitted input, with its name matching the name provided on the original PaymentMethod field.
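A sketch of the client-side flow described above, added here as an example (not Root's or Braintree's own code): it builds the SDK options from the PaymentMethod field, tokenizes card data through hosted fields, and submits only the nonce under the field's name, refusing to resubmit a nonce or to send raw card fields. The Braintree web SDK calls used (client.create, hostedFields.create, tokenize) are the documented ones; the DOM selectors, the Step submit function and FAKE_SDK are assumptions.

```javascript
// Added example, not Root's or Braintree's code: wire a Root PaymentMethod field to the
// Braintree web SDK and submit only the nonce to the Step endpoint. The SDK object and
// the submit function are injected so the flow runs offline against FAKE_SDK below.
const RAW_CARD_KEYS = ["number", "cvv", "expirationDate", "expiration_date"];
const usedNonces = new Set(); // a nonce is one-time-use; never resubmit it
// Constructed sample field; the token value is a placeholder, not a real JWT.
const SAMPLE_FIELD = { name: "payment_method", client_authorization_token: "eyJ.constructed.token" };
// Options for braintree.client.create(). Fetch the field on every page render:
// the token rotates at least every 24 hours.
function clientOptionsFromField(field) {
  const token = field && field.client_authorization_token;
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("PaymentMethod field has no client_authorization_token");
  }
  return { authorization: token }; // Braintree's docs call this value the client token
}

// The Step submission carries the nonce under the PaymentMethod field's name.
function buildStepSubmission(field, nonce) {
  if (typeof nonce !== "string" || nonce.length === 0) throw new Error("no nonce returned");
  if (usedNonces.has(nonce)) throw new Error("nonce already submitted (one-time-use)");
  usedNonces.add(nonce);
  return { [field.name]: nonce };
}

// Refuse to send anything that looks like raw card data next to the nonce.
function assertNoRawCardData(payload) {
  for (const key of Object.keys(payload)) {
    if (RAW_CARD_KEYS.includes(key)) throw new Error(`raw card field "${key}" must not leave the client`);
  }
  return true;
}

// Full client flow: init client -> hosted fields -> tokenize -> submit nonce.
async function collectAndSubmit(field, sdk, submitToStep) {
  const client = await sdk.client.create(clientOptionsFromField(field));
  const hosted = await sdk.hostedFields.create({ client, fields: { // selectors are hypothetical
    number: { selector: "#card-number" }, cvv: { selector: "#cvv" }, expirationDate: { selector: "#exp" } } });
  const { nonce } = await hosted.tokenize(); // card data goes straight to Braintree
  const payload = buildStepSubmission(field, nonce);
  assertNoRawCardData(payload);
  return submitToStep(payload);
}

// Constructed stand-in for the real `braintree` global so the example runs offline.
const FAKE_SDK = {
  client: { create: async (opts) => ({ authorization: opts.authorization }) },
  hostedFields: { create: async () => ({ tokenize: async () => ({ nonce: "nonce-constructed-demo" }) }) },
};
collectAndSubmit(SAMPLE_FIELD, FAKE_SDK, async (p) => p).then((r) => console.log("submitted", r));
```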
Flow diagram - UPDATE FLOW WITH V3 INFORMATION