Thanks! Though as a malicious vendor, can I not 'push' the transaction of my 'customer', by just copying the transaction and broadcast it to the network?
No because txs are unique (they cannot be copied in the way that you are thinking). A tx is not as simple as "pay X address Y amount".
If you make two payments of 10 BTC to one vendor they are not identical at all and only the owner of the wallet that has funds can release those funds (by creating the tx that does so).