In a real commercial application like **ChronoScenic**, the actual payment and fulfillment must be handled by a secure, PCI-compliant **Backend Server or Cloud Function**.
**This app is simulating a successful payment.** A real transaction would invoke a Stripe/PayPal API and only update Firestore upon **secure webhook confirmation**, preventing hacking of paid features.