Best Practicesanchor

Autocompleteanchor

When building a web form that has an input for a credit card number, turn off autocomplete so that your customer's browser won't save their credit card number.

  1. HTML
<form method="POST" action="..." autocomplete="off">

Code vs textanchor

Most responses from Braintree will include both a code and text. The text is the human-readable description and the code is meant to be consumed programmatically. For example, the processor response on transactions has both a code and text.

  1. CS
string code = transaction.ProcessorResponseCode;
// e.g. "2001"

string text = transaction.ProcessorResponseText; // e.g. "Insufficient Funds"

If you wanted to build some behavior around transactions that were declined due to insufficient funds (for example, asking the users if they would like to only purchase a subset of items in their cart) you would want to check the code rather than the text. The text may vary as we refine it to provide more clarity or additional details, but the codes will remain consistent.

Internet Explorer Quirks Modeanchor

By writing invalid HTML syntax, you can cause versions of IE to enter Quirks Mode - a parsing mode that is designed to help render very old and/or invalid pages. Quirks Mode is unreliable and not supported by the JavaScript SDK, so the Drop-in UI may not appear in such cases. To avoid this, include DOCTYPE declarations that meet W3C standards and review your HTML syntax.

Server SDK versionsanchor

Minimum required server SDK versionsanchor

It goes without saying, but we'll say it anyway: we always recommend using the latest versions of our SDKs. While older versions may still be supported, in order to communicate securely with the Braintree gateway, you must use at least the version indicated below.

  • Java 3.36.0
  • .NET 5.14.0
  • Node 2.0.0
  • PHP 6.20.0
  • Python 4.30.0
  • Ruby 4.22.0

Check your current server SDK versionanchor

To verify which version of the Braintree .NET SDK you're currently using, see the instructions for NuGet or .NET Core below.

Using NuGetanchor

In the NuGet Package Manager Console, list your dependencies:

  1. Console
Get-Package

Using .NET Coreanchor

For .NET Core-based projects, check your <Project>.csproj file for the PackageReference for the Braintree library.

Upgrade your server SDK versionanchor

note

See the Braintree .NET version changelog.

If you're ready to update to a newer version of the .NET SDK, see our recommended approach below.

Using NuGetanchor

If you have a Braintree dependency in your packages.config, update it to reflect the desired version:

  1. xml
<package id="Braintree" version="" allowedVersions="[4,5]" />

Then, update the required Braintree package:

  1. Console
Update-Package Braintree

See the NuGet documentation for more details on reinstalling and updating packages.

Using .NET Coreanchor

Update the required Braintree package with the desired version. To get the latest version, run the following in the .NET Core CLI:

  1. CLI
dotnet add package Braintree -v

See the .NET Core documentation for more details on adding packages.

Timeoutsanchor

When using the server SDKs, keep in mind that some requests (like creating transactions) can take longer than expected since they rely on communicating with a payment processor. The Braintree gateway has a timeout of 60 seconds to accommodate for this. If you do not want to wait this long, you can set a custom timeout in the server SDKs. However, if this timeout is less than 60 seconds, the request may trigger a timeout exception and you may not see the result of the request.

For example, let's say you set the server SDK timeout to 10 seconds, and you create a transaction sale request. If the request has not completed successfully at 10 seconds, you'll receive a timeout exception. However, if the transaction then completes successfully at 19 seconds, the customer will be charged, but you will not receive any notification of this. You will need to check the state of the transaction in the gateway to verify whether the transaction was successful or not.

  1. CS
var gateway = new BraintreeGateway
              {
                  Environment = Braintree.Environment.SANDBOX,
                  MerchantId = "the_merchant_id",
                  PublicKey = "a_public_key",
                  PrivateKey = "a_private_key"
              };

gateway.Configuration.Timeout = 10000;

Token and ID lengths and formatsanchor

In order to avoid interruptions in processing, it's best to make minimal assumptions about what our gateway-generated tokens and identifiers will look like in the future. The length and format of these identifiers – including payment method tokens and transaction IDs – can change at any time, with or without advance notice. However, it is safe to assume that they will remain 1 to 64 characters (alphanumeric, dashes, and underscores).

Transport Layer Securityanchor

Following the PCI Data Security Standard (PCI DSS) 3.1 requirements, it's critical that you secure your connection to the Braintree gateway using Transport Layer Security (TLS) 1.2 and serve any form that collects payment data in production over HTTPS.

Older TLS versionsanchor

On June 26, 2018, Braintree ended support for server-side API requests via TLS 1.0 and 1.1 in production. The sandbox no longer accepts connections using these older TLS versions as of December 13, 2016.

If you are using older TLS or SSL versions, you may need to upgrade your Braintree SDK versions in addition to upgrading to TLS 1.2. See our full list of TLS 1.2-compatible SDKs on GitHub.

TLS certificatesanchor

We don't have a specific preferred vendor for TLS/SSL certificates, but we recommend that you stick with a well-known provider (e.g. Network Solutions, GoDaddy). Generally speaking, most certificates will be similar, so it's up to you to determine what fits your needs best.

Testinganchor

While you can successfully test our Drop-in UI, Hosted Fields, and client-side PayPal flow over HTTP in all supported desktop and mobile browsers, you must use HTTPS if you wish to test our PayPal button in mobile webviews. Ultimately, we strongly encourage you to test all your flows over HTTPS to create a more realistic test environment.

SSL Certificatesanchor

We make periodic updates to our root SSL provider for API traffic to align with security standards. For some integrations, this requires updating certificates that are pinned to Braintree-owned domains or updating certificate authorities (CA) and intermediaries associated with Braintree-owned domains.

important

We do not recommend you follow this practice as we are unable to proactively contact you of upcoming changes that can impact your processing.

If you still feel it is necessary for your integration, you should know that these certificates are subject to change, and the best way to be apprised of upcoming changes is to regularly check this page.

EnvironmentURLDate ImplementedCertificates
Sandboxapi.sandbox.braintreegateway.comFebruary 2022Click here to download certificate files
Productionapi.braintreegateway.comSeptember 2022Click here to download certificate files

Further readinganchor