Braintree

Online payment processing platform used by marketplaces and platforms to handle complex payment flows. The Braintree JavaScript SDK (Braintree is owned by PayPal) tokenizes card and PayPal credentials and handles 3D Secure authentication. It injects a cross-origin, iframe-based payment form so that raw card data never reaches the merchant's page or servers.

Overview

Braintree, a PayPal company, is an online payment processing platform that handles credit card processing, PayPal integration, Venmo payments, ACH bank transfers, and 3D Secure authentication. It is widely used by marketplaces, subscription platforms, and e-commerce businesses that need a flexible payment gateway with support for complex payment flows, split payments, and recurring billing. Braintree's key differentiator is its iframe-based secure payment form (Drop-in UI) that keeps sensitive card data entirely off the merchant's servers.

What This Script Does

The Braintree JavaScript SDK (js.braintreegateway.com/web/*/js/braintree.min.js) and its Drop-in UI component manage the payment collection and processing lifecycle:

Secure payment form (Drop-in UI)

  • Injects a cross-origin iframe into the checkout page; the card input fields (number, expiry, CVV) are rendered inside that Braintree-controlled frame rather than in the merchant's DOM
  • Card data entered by the customer is sent directly from the iframe to Braintree's servers. It never enters the merchant's server or JavaScript context (the same-origin policy keeps the merchant's scripts out of the frame), which is what lets the merchant qualify for PCI DSS SAQ A
  • The iframe loads from assets.braintreegateway.com, so card data stays isolated from the merchant's origin

Payment tokenization

  • After the customer enters card details, the SDK calls Braintree's tokenization API and hands the merchant's JavaScript a single-use, short-lived payment method nonce
  • The merchant's server submits the nonce (never raw card data) to Braintree's API to create the transaction; the amount and order details must come from the server's own records, not from the client request, since the nonce proves only that a payment method was supplied
  • PayPal and Venmo flows open PayPal's approval dialog; on return the SDK delivers a payment method nonce in the same way

3D Secure authentication

  • When 3D Secure is enabled, the SDK presents the issuing bank's authentication challenge to the cardholder; a successful authentication shifts fraud chargeback liability from the merchant to the issuer
  • The challenge renders in an iframe or popup; the SDK then returns a new nonce that carries the authentication result (liability shifted or not), which the merchant's server should check before charging it
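The tokenization and 3D Secure steps above end with a nonce arriving at the merchant's server. The following is an added example, not Braintree's SDK or sample code, of the checks that server should run before creating a transaction: refuse a nonce it has already submitted, refuse one without a liability shift when policy requires 3DS, and price the order from its own catalog rather than from anything the client sent. The field names `liabilityShifted`, `liabilityShiftPossible` and `status` mirror Braintree's threeDSecureInfo and the request mirrors its transaction fields; the catalog, the nonce ledger and the POST body shape are constructed stand-ins for the merchant's own.

```javascript
// Added example, not Braintree's SDK or sample code: the checks a merchant
// server should run on the nonce the client posts before creating a
// transaction. Field names `liabilityShifted`, `liabilityShiftPossible` and
// `status` mirror Braintree's threeDSecureInfo; the catalog, the nonce ledger
// and the request body shape are constructed stand-ins for the merchant's own.
'use strict';

// Constructed server-side price list in minor units (cents). The amount
// charged must come from here: the nonce proves the customer supplied a
// payment method, not what they owe, so any client-sent amount is ignored.
const CATALOG = { 'sku-100': 1999, 'sku-200': 4900 };

// Constructed ledger of nonces this server has already submitted. A nonce is
// single-use, so a resubmitted form carrying the same nonce is refused here
// instead of being sent to the gateway a second time.
const usedNonces = new Set();

// Only liabilityShifted === true means the issuer accepted fraud liability.
// liabilityShiftPossible === true with liabilityShifted === false means the
// card was enrolled but authentication failed or was not completed.
function hasLiabilityShift(info) {
  return Boolean(info && info.liabilityShifted === true);
}

// Total the cart from the catalog; reject unknown SKUs and bad quantities.
function serverAmount(cart) {
  if (!Array.isArray(cart) || cart.length === 0) throw new Error('empty cart');
  let total = 0;
  for (const line of cart) {
    const price = CATALOG[line.sku];
    if (price === undefined || !Number.isInteger(line.qty) || line.qty <= 0) {
      throw new Error(`invalid cart line ${JSON.stringify(line)}`);
    }
    total += price * line.qty;
  }
  return total;
}

// Render minor units as the "12.34" string the gateway expects, without floats.
function formatAmount(minor) {
  return `${Math.floor(minor / 100)}.${String(minor % 100).padStart(2, '0')}`;
}

// Decide what to send to the gateway for one checkout POST body.
// Returns { ok: true, request } with the transaction request to submit, or
// { ok: false, reason } when the nonce must not be charged. `require3ds`
// models a merchant policy such as SCA for EU cards.
function buildTransactionRequest(body, opts = { require3ds: true }) {
  const nonce = body && body.paymentMethodNonce;
  if (typeof nonce !== 'string' || nonce.length === 0) {
    return { ok: false, reason: 'missing payment method nonce' };
  }
  if (usedNonces.has(nonce)) {
    return { ok: false, reason: 'nonce already submitted' };
  }
  if (opts.require3ds && !hasLiabilityShift(body.threeDSecureInfo)) {
    return { ok: false, reason: '3D Secure liability shift not obtained' };
  }
  let minor;
  try {
    minor = serverAmount(body.cart);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  usedNonces.add(nonce);
  return {
    ok: true,
    request: {
      amount: formatAmount(minor),
      paymentMethodNonce: nonce,
      options: {
        submitForSettlement: true,
        // Ask the gateway to enforce 3DS as well, so a client that strips the
        // threeDSecureInfo from its request cannot bypass the policy.
        threeDSecure: { required: opts.require3ds },
      },
    },
  };
}
```

The nonce ledger is in-memory here; in production it belongs in the same store as the order so a retried request across server instances is still caught, and the gateway-side `threeDSecure.required` option is kept as the backstop in case the client-side result is tampered with.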

Session management

  • Sets cookies to maintain the payment session; because a nonce is single-use, a resubmitted form cannot produce a second charge from the same nonce
  • Session cookies are scoped to the Braintree gateway domain and last only for the browser session

Consent & Compliance

  • Category: Essential — payment processing is necessary for completing a purchase transaction
  • GDPR: Braintree processes payment data under Article 6(1)(b) (performance of a contract) — the customer has entered into a transaction and payment processing is necessary to complete it. Consent is not the correct legal basis for essential payment infrastructure. Braintree is PCI DSS Level 1 certified.
  • Data transfers: Braintree is operated by PayPal, a US company. Payment data is processed in the US and, for EU merchants, optionally through EU data centers. Standard Contractual Clauses and EU-US Data Privacy Framework apply.
  • PCI compliance: Braintree's Drop-in UI achieves PCI SAQ A compliance for the merchant by isolating card data in cross-origin iframes. Raw card data never enters the merchant's environment.
  • Cookies set: Short-lived session cookies scoped to braintreegateway.com (HttpOnly, Secure, session duration). No persistent tracking cookies are set on the merchant's domain.

Should You Block This Without Consent?

No consent required. Braintree is essential payment infrastructure. Its scripts are necessary to process customer payments — a core function of any e-commerce or subscription product. The data processed is strictly transactional, not behavioral or advertising in nature. Braintree should be categorized as essential and always loaded regardless of consent state. Disclose Braintree (and PayPal) as payment processors in your privacy policy.
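As an added example (not ConsentStack's implementation), this is how a consent-aware loader can keep Braintree scheduled unconditionally while gating every other category, and how to derive the Content-Security-Policy that the iframe architecture described above calls for. The vendor catalog is constructed; the mapping of the page's three Braintree domains to CSP directives is an assumption, and the SDK URL keeps a VERSION placeholder rather than a real version.

```javascript
// Added example, not ConsentStack's implementation: a consent-aware loader
// that schedules essential vendors such as Braintree regardless of consent
// state and gates every other category, plus the Content-Security-Policy the
// iframe architecture implies. The vendor catalog is constructed; the mapping
// of the page's three Braintree domains to CSP directives is an assumption,
// and the SDK URL keeps a VERSION placeholder instead of a real version.
'use strict';

const VENDORS = [
  {
    name: 'Braintree',
    category: 'essential',
    script: 'https://js.braintreegateway.com/web/VERSION/js/braintree.min.js',
    domains: {
      'script-src': ['js.braintreegateway.com'],               // the SDK itself
      'frame-src': ['assets.braintreegateway.com'],            // Drop-in iframes
      'connect-src': ['client-analytics.braintreegateway.com'], // SDK client analytics
    },
  },
  {
    name: 'Example Analytics', // constructed, non-essential vendor
    category: 'analytics',
    script: 'https://tag.example-analytics.invalid/tag.js',
    domains: {
      'script-src': ['tag.example-analytics.invalid'],
      'connect-src': ['collect.example-analytics.invalid'],
    },
  },
];

// Vendors allowed to load for a consent state such as { analytics: true }.
// Essential vendors never consult consent; the rest need their category granted.
function vendorsToLoad(vendors, consent) {
  const granted = consent || {};
  return vendors.filter((v) => v.category === 'essential' || granted[v.category] === true);
}

// CSP header covering exactly the vendors being loaded: 'self' for the
// merchant's own assets, explicit https hosts, no wildcards. default-src stays
// 'self' so anything not listed, such as an injected frame from another
// origin, is blocked by the browser.
function buildCsp(vendors) {
  const directives = {
    'default-src': new Set(["'self'"]),
    'script-src': new Set(["'self'"]),
    'frame-src': new Set(["'self'"]),
    'connect-src': new Set(["'self'"]),
  };
  for (const v of vendors) {
    for (const [directive, hosts] of Object.entries(v.domains)) {
      for (const host of hosts) directives[directive].add(`https://${host}`);
    }
  }
  return Object.entries(directives)
    .map(([directive, hosts]) => `${directive} ${[...hosts].join(' ')}`)
    .join('; ');
}

// Browser side: append one async <script> per vendor. `doc` is passed in so
// the same function runs under Node without a DOM and returns the URLs it
// would have loaded.
function injectScripts(vendors, doc) {
  const urls = vendors.map((v) => v.script);
  if (doc) {
    for (const url of urls) {
      const el = doc.createElement('script');
      el.src = url;
      el.async = true;
      doc.head.appendChild(el);
    }
  }
  return urls;
}
```

The page lists three Braintree domains; the tokenization endpoint the SDK calls with card data is not among them, so confirm the full host list from a network trace of a test checkout before deploying a header built this way, or the payment form will render but tokenization will be blocked.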


Consent Categories

Essential
Functional

Also Known As

Braintree, PayPal Braintree, payment processing SDK, Braintree iframe, 3D Secure, online payment cookies

Industries

Finance

Tracked Domains (3)

js.braintreegateway.com: Functional
assets.braintreegateway.com: Functional
client-analytics.braintreegateway.com: Functional

Frequently Asked Questions

Does Braintree need consent before loading?

No. Braintree processes payments for customer-initiated transactions under performance of a contract, making consent the incorrect legal basis. Its Drop-in UI iframes are essential checkout infrastructure that must load regardless of visitor consent state.

How does Braintree keep card data off the merchant's servers?

Braintree injects a cross-origin iframe from assets.braintreegateway.com into the checkout page. Card data entered by the customer travels directly from that iframe to Braintree's servers and never enters the merchant's JavaScript context or backend, which is what allows the merchant to qualify for PCI DSS SAQ A.

How does ConsentStack handle Braintree?

ConsentStack marks Braintree as essential and loads it unconditionally. Because Braintree is required to process customer-initiated purchases and is PCI DSS Level 1 certified, ConsentStack does not gate it behind any consent prompt for any jurisdiction.

Related Vendors

Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own; it acts as a loader for other scripts.
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.
