in the system I'm working on we allow the user to store more than a payment card and then select one to use during checkout.
The card token is a natural identifier for the card so it may seem a good key to use (we store nothing in our app).
Is it safe to render in HTML to card token so we can identify which card to use or are there security concerns?
Please note that I pass the customer id to the gateway to make sure that the card belongs to the customer:
var request = new Braintree.TransactionRequest
{
Amount = order.Total,
CustomerId = braintreeCustomerId,
PaymentMethodNonce = nonce,
PaymentMethodToken = cardToken,
OrderId = order.OrderId,
Options = new Braintree.TransactionOptionsRequest {
StoreInVault = saveCard,
SubmitForSettlement = false
}
};
Including the payment token in the form could be insecure if you submit it to Braintree without validating it against a customer id. That is, if an attacker manipulates the token to one that corresponds to another of your customer's payment method token, the other customer will be charged. If you include the customer id in the transaction request (as you have done), then we will validate that the token matches the customer, so as long as the user can’t manipulate both the customer id and the token, this method is secure.