
Payment Gateway Testing

What we learn:
- Payment Gateway Terminology
- Difference between payment gateway and payment processors
- Transaction Flow
- Why do we need to test Payment Gateways?
- Kinds of Testing required
- Helpful Tips
- Payment Gateway Testing Checklist and Test Cases
- Setting up Sandbox: Braintree Payments Example
- Conclusion

Payment Gateway Terminology


Let us discuss some terms that we will be using in this article:

1) Merchant: A merchant is a person or company that sells products or services. Flipkart,
Amazon, eBay are some examples of Merchants.

2) Credit Card: A plastic card that can be used to buy products or services through a credit
account. It has a 16-digit card number, an expiration date, hologram, magnetic strip, signature
panel and a Card Verification Value (CVV) number.

[Images: front of credit card; back of credit card. Source: about.com]

3) Acquiring Bank: Acquiring Bank is a financial institution that maintains the merchant's
bank account and enables a merchant to accept and process debit and/or credit card
transactions on their store.

4) Issuing Bank: Issuing Bank is the financial institution that issues the customer's debit or
credit card. Whenever a customer uses a credit or debit card to make a purchase, the Issuing
Bank either approves or declines the transaction based on the cardholder's account standing and
passes that information to the Acquiring Bank.
For example, the transaction will be rejected if the card's expiry date is incorrect, or if the
purchase amount is more than the card's credit limit, etc.

5) Transaction: The end-to-end process through which the merchant receives funds for a
transaction with a customer.

6) Authorization: Authorization is requested when a customer makes a purchase. This
authorization is provided by the customer's issuing bank and confirms the cardholder's
validity, the ability to pay, the presence of sufficient funds, etc. Once this is completed,
funds are held and the balance is deducted from the customer's credit limit but is not yet
transferred to the merchant account.

7) Capture: In this action, the merchant collects the relevant customer payment information
and sends a settlement/capture request to the processor. The processor uses this information
to initiate funds transfer between the customer's card account and the merchant bank account.

Difference between payment gateway and payment processors

There is a lot of literature available online about whether payment gateway and
payment processor are distinct modules with distinct functionalities.

During the course of my projects, I have observed that Payment Processor and Payment
Gateway are used interchangeably without any actual distinction. The merchants usually
refer to the Payment Gateways as payment processors as these process all the payments.

The Payment Processors consider themselves as Payment Gateways as they act as a means
to process and complete the secure payment transaction.

Transaction Flow
The following flow diagram summarizes the complete flow from the moment a customer
places an order to the order being successful or declined.

If a customer wishes to cancel the order, the following is the flow:

The difference between a void and return depends on whether a transaction is captured or not.

An unsettled payment can be voided, which means the held funds are credited back to the
cardholder's account. If a transaction is already settled or captured, then a refund is initiated,
which means the funds are taken from the merchant account and credited back to the cardholder's
account.

Why do we need to test Payment Gateways?


If we were to shop in an actual brick and mortar store, we would pay cash or swipe our card
(credit or debit) through the machine during checkout to complete the transaction.

If using credit or debit cards, the POS (Point of Sale) machine will indicate whether the
payment is approved or declined.

Similarly, during online transactions, we need to have a comparable system in place, which
approves or disapproves a transaction instantly.

From a customer perspective, the online payment processing on the e-Commerce website
should be seamless. The customer clicks the "Pay now" button and should see a "payment
successful" or "declined" message in the next few seconds.

From the e-Commerce store perspective, the merchant needs to ensure that the complete
payment cycle (getting transactions from online store, capture and authorize, refund, voiding)
is working fine. If any of these subcomponents does not work as expected, then it can be a
problem for the merchant.

From the merchant perspective, the testing phase allows them to get used to the chosen
payment processor flow and evaluate if the chosen option is actually the best fit for their
application and business.

Kinds of Testing required


Depending on the choice of the Payment processor and the product/application requirement,
you may be required to perform the following kinds of testing:

- Functional Testing: Functional testing is required for newer, less established
  payment gateways to ensure that the application behaves as it should, i.e. it handles
  orders, calculations, taxes, etc. exactly how it is supposed to. For more established
  payment processors, this kind of testing may not be required.

- Integration Testing: Integration testing is critical while integrating with a payment
  gateway. As a tester, you would need to verify that the integration of your
  website/online store/application is working fine with the chosen payment gateways.
  As a tester you need to verify the entire transaction flow:
  - Place order
  - Check if funds are received in merchant account
  - Verify if transaction can be refunded or voided successfully

- Performance Testing: It is essential to test the website/online store/application for
  performance. The payment processor should not fail if multiple users are trying to
  complete transactions at the same time.

- Security Testing: During a transaction, a customer will be providing sensitive
  information like their credit card number, CVV number, etc. It is very important to
  ensure that all the sensitive information is transmitted after encryption and that the
  channel is secure.

Helpful Tips
Based on my personal experience, the following are some helpful tips for testers:

#1) Research if a free sandbox environment (for trial and exploratory purposes) is available
for the Payment gateway that needs to be tested or implemented. Having a sandbox available
is definitely helpful and gives the team that extra flexibility to customize the tool and test as
in depth as required.

#2) Make sure the transaction is tested end to end. In our projects, we tested and reported
numerous bugs related to data capture and data flow from application to the Payment
gateway. Some of the specific bugs were:

- Customer (buyer) name information was not getting captured correctly
- The customer Credit card expiry date was getting captured incorrectly due to an
  incorrect function which was causing the transactions to be declined by the issuing
  bank on account of incorrect credit card information.
- Duplicate transaction showing in Payment Processor

#3) Research the limitations of the payment gateway sandboxes.
For example, Authorize.net sandbox supports one currency per sandbox, so if you need to
test multiple currencies, you will need to configure different sandboxes. Even then, you
would never be able to truly test how the system will behave when the live Authorize.net
account processes multi-currency transactions.

#4) If payment fails during a transaction for any reason, a suitable message should be shown
to the customer. Any error message that is too technical, like "Object not set to instance" or
"404 error", can confuse the customer and impact user experience.
It is also a good idea to display a generic message like "There seems to be some issue in
processing the transaction, please contact us at 1-800-800-8000".

#5) For the purpose of post-production release verification, the client (application business
owner) would need to create a live payment processor account, set up their Merchant ID, etc.
Depending on the payment processor chosen, it may take anywhere from 2 days to a few weeks
to set up the account. This should be communicated by the project manager to the client in
advance, with sufficient time to set up the live account before the application and payment
processor integration go live.

Payment Gateway Testing Checklist and Test Cases


Like any other application, testing payment processors involves proper test planning.

The following checklist can be helpful for testers and could be used as a reference:

1) Set up payment processor sandbox.

2) Gather test credit card numbers that would be used for testing different credit cards. As an
example, such information for Braintree payment processor can be found at Braintree
payments.

3) Verify the behavior of the application when a transaction is successful.

4) After successful transaction verify if the payment gateway returns to your application to
show some kind of successful transaction/confirmation message.

5) Verify that the customer gets some kind of transaction confirmation notification like Order
confirmation email, etc. if the transaction is successful.

6) Check what happens if a payment fails or the payment processor stops responding: is there
any error message?

7) Verify the application behavior with browser popup blocker on and off. This may be
helpful if any confirmation messages are being displayed in the popup.

8) Verify different fraud prevention/security settings.
For example, if customer billing information does not match the address provided to the
issuing bank, any mismatch will result in the transaction being declined.

9) Verify the transaction entries in the database if the tester has access to the Application
database.

10) Check what happens when a customer session expires.

11) Check the console during entire transaction and report any console errors that are
observed.

12) Verify that the transaction is done on a secure channel.
For example, the checkout pages may be HTTPS while the rest of the website uses HTTP pages.

13) Verify that the payment processor currency is set up correctly.
For example, if the application/website is a Canadian company/retailer, the payment
processor should be set up to accept CAD currency.

14) If the application has multiple payment options like Credit card and PayPal together,
both payment options need to be individually tested from end to end.

15) Verify that the refund or void amount (from the payment processor admin portal) is the same
as the transaction amount. In no case should the refund/void amount exceed the transaction
amount.
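
The void/refund rule from the Transaction Flow section and checklist item 15 can be encoded as a small reference model that test cases compare gateway behaviour against. This is an added example, not code from the original article or from any gateway SDK; the `Transaction` class, its method names and the allowance for partial refunds are assumptions.

```python
from decimal import Decimal
from enum import Enum


class State(Enum):
    AUTHORIZED = "authorized"   # funds held, not yet transferred
    CAPTURED = "captured"       # capture/settlement requested
    VOIDED = "voided"           # hold released before capture
    REFUNDED = "refunded"       # captured funds fully returned


class PaymentError(Exception):
    """Raised when an operation is not valid for the transaction state."""


class Transaction:
    """Hypothetical model of one card transaction (not a gateway SDK)."""

    def __init__(self, amount):
        self.amount = Decimal(amount)
        if self.amount <= 0:
            raise PaymentError("amount must be positive")
        self.state = State.AUTHORIZED
        self.refunded = Decimal("0")

    def capture(self):
        if self.state is not State.AUTHORIZED:
            raise PaymentError(f"cannot capture in state {self.state.value}")
        self.state = State.CAPTURED

    def void(self):
        # Only an unsettled (uncaptured) payment can be voided.
        if self.state is not State.AUTHORIZED:
            raise PaymentError(f"cannot void in state {self.state.value}")
        self.state = State.VOIDED

    def refund(self, amount):
        # Only a captured payment can be refunded, never beyond its amount.
        amount = Decimal(amount)
        if self.state is not State.CAPTURED:
            raise PaymentError(f"cannot refund in state {self.state.value}")
        if amount <= 0 or self.refunded + amount > self.amount:
            raise PaymentError("refund exceeds transaction amount")
        self.refunded += amount
        if self.refunded == self.amount:
            self.state = State.REFUNDED

    def cancel(self):
        """Cancel an order: void if uncaptured, otherwise refund the rest."""
        if self.state is State.AUTHORIZED:
            self.void()
        else:
            self.refund(self.amount - self.refunded)
        return self.state
```

Amounts are passed as strings so that `Decimal` keeps them exact; the same sequence of calls can be replayed against the sandbox and the resulting states compared.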

Setting up Sandbox: Braintree Payments Example

1) Navigate to the Braintree website.

2) Click on the "Try the sandbox" button.

3) You will be redirected to the Braintree sandbox website. Fill in all the required information
and sign up for the sandbox.

4) You will receive an email notification at the email address provided during sign up
regarding confirmation of account creation.

5) You need to fill in the user information form to proceed further, where you would be
required to choose a password. Click on the "Agree and Create your account" button.

6) You will be logged in and redirected to the Braintree Admin portal.

7) Note the Sandbox keys and use them in your application to integrate with this Braintree
sandbox.

8) After integration is done, the sandbox is ready for use. If you need to update the sandbox
settings you can do so using the settings menu.
Commonly used settings menu option:

Conclusion

The payment processor is a very important component for any e-Commerce application that
is designed to accept payments from its customers. Therefore it is essential to test this
component thoroughly. Any missed scenario can impact the sales/transactions of the seller
and negatively impact the user experience for the customer or buyer.

Testers need to prepare or set up the test environment (sandboxes, gather dummy credit card
information, response codes, etc.) and formulate a testing strategy, both for the Test
environment and live/post-production release testing.

GURU 99 Notes

Payment Gateway Testing Tutorial with Sample Test Cases

A payment gateway system is an e-commerce application service that approves credit card
payment for online purchases. Payment gateways safeguard the credit card details by
encrypting sensitive information like credit card numbers, account holder details and so on.
This information is passed safely between the customer and the merchant and vice versa.

Modern payment gateways also securely approve payments via debit cards, electronic bank
transfers, cash cards, reward points, etc.

In this tutorial we will learn:

- Types of Payment Gateway System
- Testing Types for Payment Gateway System
- Test Preparation for Testing Payment Gateway
- Sample Test Cases for Payment Gateway Testing
- Things to consider before Buying Gateway Package

Types of Payment Gateway System

- Hosted Payment Gateway:
  A hosted payment gateway system directs the customer away from the e-commerce site to the
  gateway link during the payment process. Once the payment is done, it brings the
  customer back to the e-commerce site. For this type of payment you don't need a merchant
  id. Examples of hosted payment gateways are PayPal, Nochex and WorldPay.

- Shared Payment Gateway:
  In a shared payment gateway, while processing payment the customer is directed to the
  payment page and stays on the e-commerce site. Once the payment details are filled in, the
  payment process proceeds. Since the customer does not leave the e-commerce site while
  processing payment, this mode is easy and more preferable. Examples of shared
  payment gateways are eWay and Stripe.

Testing Types for Payment Gateway System


Testing for Payment Gateway should include:

- Functional Testing: It is the act of testing the base functionality of the payment gateway. It
  verifies whether the application behaves the way it is supposed to, such as handling
  orders, calculation, addition of VAT as per the country, etc.

- Integration: Test integration with your credit card service.

- Performance: Identify various performance metrics, like the highest possible number of users
  coming through gateways during a specific day, and convert them to concurrent users.

- Security: You need to perform a deep security pass for Payment Gateway.

Test Preparation for Testing Payment Gateway

Before you begin testing:

- Collect proper test data for the dummy credit card numbers for Maestro, Visa,
  Master, etc.
- Collect payment gateway information like Google Wallet, PayPal or others
- Collect the payment gateway document with error codes
- Understand the session and parameters passed between the application and the payment
  gateway
- Understand and test the amount-related information passed through query string or
  variable or session
- Along with the payment gateway language, check the language of the application
- Understand the various settings of the payment gateway like currency format, subscriber
  data collected.

Sample Test Cases for Payment Gateway Testing


Sr#  Test Cases

1    During the payment process try to change the payment gateway language
2    After successful payment, test all the necessary components, whether they are retrieved or not
3    Check what happens if the payment gateway stops responding during payment
4    During the payment process check what happens if the session ends
5    During the payment process check what happens in the back end
6    Check what happens if the payment process fails
7    Check the database entries, whether they store credit card details or not
8    During the payment process check error pages and security pages
9    Check settings of the pop-up blocker, and see what happens if the pop-up blocker is on and off
10   Between payment gateway and application check buffer pages
11   Check that on successful payment, a success code is sent to the application and a confirmation page is shown to the user
12   Verify whether the transaction processes immediately or processing is handed to your bank
13   After successful transaction check if the payment gateway returns to your application
14   Check all formats and messages when the payment process is successful
15   Unless you have an authorization receipt from the payment gateway, goods should not be shipped
16   Inform the owner of any transaction processed through e-mail. Encrypt the content of the mail
17   Check the amount format with currency format
18   Check if each of the payment options is selectable
19   Check if each listed payment option opens the respective payment option according to specification
20   Verify whether the payment gateway defaults to the desired debit/credit card option
21   Verify the default option for debit card shows card selection drop down menu

Things to consider before Buying Gateway Package


- If you have bought a shopping cart package, find out about its compatibility
- If shopping gateway package is due, ask the payment gateway provider for a list of
  supported applications
- The gateway must offer Address Verification System Protection
- Find out the types of transaction protection being offered
- Check what types of debit or credit cards are accepted by your chosen payment
  gateway
- Check the transaction fees levied by the payment gateway
- Check whether the gateway collects the payment right on the form or directs to another
  page to complete the purchase
