
Braintree flaw with nonces?

I am wondering if this is a flaw of Braintree or if I am not understanding. In the diagram below and in the documentation (https://developers.braintreepayments.com/start/overview) the steps are:

[diagram]

  1. Customer requests token from my server
  2. I give them a token
  3. They do the payment by sending all the info and bank details to Braintree
  4. Braintree gives them a nonce.
  5. Customer gives me that nonce
  6. I verify that nonce with Braintree's server

However, in step 4, why is Braintree giving the token to the customer instead of sending a token or something directly to my server? What if the customer makes the payment and then closes the tab? This means steps 5 and 6 cannot occur and this payment is left in limbo. How do you fix this? I don't want customers making a payment, closing their tab, and then I have to manually assign their order.

This flow looks pretty standard. I don't think there's a flaw here.

> Why is Braintree giving the token to the customer instead of sending a token or something directly to my server?

The customer's browser connects directly to Braintree to prevent exposing your server to any credit card information. This greatly reduces your PCI scope - which is favorable to you. Your server isn't involved during this interaction, so Braintree wouldn't know where to send that nonce.

Implementing some type of system where Braintree reaches out to your server to asynchronously provide the nonce would greatly complicate the flow for everyone involved.

> What if the customer makes the payment and then closes the tab? This means steps 5 and 6 cannot occur and this payment is left in limbo.

Step 3 is purely tokenization. It doesn't actually charge the customer. The customer's payment information sits at rest on Braintree's side until you create a transaction in step 6 (the graphic depicts this as step 5). If the customer closes their browser between the time they store their payment information with Braintree and the time you create a transaction with the nonce, then the customer hasn't been charged. Presumably, Braintree would expire the payment details after some amount of time.
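A runnable sketch of the six-step flow and of the answer's point that tokenization alone never charges anyone, added here as an illustration rather than Braintree's own SDK or code: the gateway class, its method names, the expiry window and the test card number are all constructed.

```python
"""Simulation of the Braintree-style tokenize-then-charge flow.

Mock gateway written for illustration; not Braintree's SDK. The class, its
method names and NONCE_TTL_SECONDS are invented. It shows why step 3
(tokenization) never charges the customer and why an abandoned nonce is harmless.
"""
import secrets

NONCE_TTL_SECONDS = 3 * 60 * 60  # hypothetical expiry window for stored details

class MockGateway:
    """Stands in for Braintree: stores card details, hands out nonces, charges."""
    def __init__(self):
        self._vault = {}      # nonce -> (card summary, issued_at)
        self.charges = []     # transactions actually created

    def client_token(self):
        # Step 2: a token the browser uses to talk to the gateway directly.
        return "client_token_" + secrets.token_hex(8)

    def tokenize(self, client_token, card_number, now):
        # Steps 3-4: the browser sends card data here, never to the merchant.
        assert client_token.startswith("client_token_")
        nonce = secrets.token_urlsafe(16)
        self._vault[nonce] = ("card ending " + card_number[-4:], now)
        return nonce

    def sale(self, nonce, amount, now):
        # Step 6: the merchant server redeems the nonce; this is the only charge.
        entry = self._vault.pop(nonce, None)   # single use: pop removes it
        if entry is None:
            return {"ok": False, "reason": "unknown or already used nonce"}
        summary, issued_at = entry
        if now - issued_at > NONCE_TTL_SECONDS:
            return {"ok": False, "reason": "nonce expired"}
        self.charges.append((summary, amount))
        return {"ok": True, "summary": summary}

def run_flow(gateway, customer_closes_tab, now=0.0):
    """Steps 1-6 from the question; returns the merchant-side outcome."""
    token = gateway.client_token()                            # steps 1-2
    nonce = gateway.tokenize(token, "4111111111111111", now)  # steps 3-4 (test card)
    if customer_closes_tab:
        return {"ok": False, "reason": "nonce never reached merchant"}  # step 5 skipped
    return gateway.sale(nonce, "10.00", now)                  # steps 5-6
```

Run `run_flow(MockGateway(), customer_closes_tab=True)` and inspect `charges`: the abandoned nonce leaves no transaction behind, and a nonce can neither be reused nor redeemed after its window.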
