“Pay using a credit card and verify that the order has been successfully created,” is a scenario that we never miss when testing an E-commerce site or a Point of Sale application.

All testers understand the significance of payment gateway testing and successful order creation. We put a lot of effort into the design and planning of tests for these two elements because they are regarded as the most critical from the customer perspective.

Payment gateway testing

A successful order creation allows the customer to pay for an available product by using any payment mode supported by the retailer. This is just the front-end behavior; in the background, a lot takes place, and at times we skip testing the backend services that contribute to making successful payments. When a customer pays using a credit card, the payment gateway activates, requests authorization, and then sends back an appropriate status, which the customer sees after using their card. Therefore, testing payments in an environment similar to production, with different testing scenarios for payment gateways, can prove helpful.

What is a Payment Gateway?

A Payment Gateway is a service that extracts payment transaction details from the front-end interface (i.e., an e-commerce website or a retail point of sale), transfers these details to the payment processor and, within a fraction of a second, should receive the authorization status, which is displayed to the customer. A payment gateway setup is a must if a site or store accepts credit card payments. Some of the more common payment gateways used these days are Authorize.net, PayPal, Braintree, Amazon Pay, and Stripe.

The importance of Payment Gateway Testing

As a tester or lead tester, being notified of issues reported by the customer while the process is live can bring nightmares. Reported payment problems are always critical, and although we cannot perpetually recreate all of the issues upfront due to environment limitations and other factors, we must try to include as many real-time combinations as possible.

Some points to be aware of before testing Payment Gateways

Each payment gateway works differently and will require a different setup. It is advisable for QA testers to know in advance which type of payment gateway is being used for the site/app under test. This will help in determining the types of scenarios required for testing payment gateways.

  1. One of the primary areas that QA needs to be aware of is whether the payment gateway is hosted or non-hosted. A hosted payment gateway will redirect the user away from the site’s checkout page to the hosted payment page where users are required to fill in the payment details, but in a non-hosted solution, the users can enter their payment details on the checkout page itself, without being taken to a separate URL.
  2. Another area that the tester needs to be aware of is the set of credit/debit cards, currencies, and countries supported by the gateway that have been configured for the site under test.
  3. Make yourself aware of the sandbox setup. The QA tester must have the sandbox credentials and information on different test cards available before starting the test. The payment gateway websites provide information about the different test cards, statuses, etc. that are supported by their gateway.

Payment gateway scenarios

1. Subscription-Based Payment/ Recurring Billing

If the system supports a subscription model, a facility will have been provided for the user to set up a recurring payment. Testing must include checking that the payment method can be saved, payment is automatically made on a scheduled date, and also that the user can edit the amount and date, with payment still successful via the payment gateway.

There may be other requirements, such as allowing a user to cancel any subscription that they have created, or requirements from the payment gateway, Visa or Mastercard that call for a security procedure to be performed. There may also be more specific requirements: for example, if subscriptions are taken annually, the user may need to be informed a certain number of days ahead of their next payment being processed. All these processes will need to be tested.

2. PCI – DSS Compliance Check

Customer payment card details must be handled and stored with the utmost security because of the potential for security violations. Hence, the payment gateway must be PCI-DSS (Payment Card Industry – Data Security Standard) compliant. The testing must include checks to ensure the card details are encrypted and the full card details are never added to any systems that are unsuitable for storing details. The testers must also check that the Order Confirmation Email received by the customer does not display any sensitive information. There are different levels of PCI compliance, and the level you need to abide by may depend on a few different factors. To help with PCI compliance testing, you may want to make use of a third-party tool that specializes in this area, such as SecurityMetrics.
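One way to automate the check described above, as an added example that is not part of the original article: scan artifacts captured during a sandbox checkout (confirmation email body, application log) for full card numbers. The artifact names and sample text are constructed, and the card number is a commonly published sandbox test number.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_exposed_pans(artifacts: dict) -> list:
    """Return (artifact name, line number, last four digits) for each full card number."""
    findings = []
    for name, text in artifacts.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in PAN_CANDIDATE.finditer(line):
                digits = re.sub(r"[ -]", "", match.group())
                # Luhn filters out most order IDs and other long numbers.
                if luhn_valid(digits):
                    # Keep only the last four so the report is not itself a leak.
                    findings.append((name, lineno, digits[-4:]))
    return findings


# Constructed sample artifacts from a sandbox checkout (not real data).
SAMPLE_ARTIFACTS = {
    "confirmation_email": (
        "Order #1234567890123456 confirmed.\n"
        "Paid with Visa ending in 1111.\n"
        "Total: USD 49.99\n"
    ),
    "app.log": (
        "checkout started order=1234567890123456\n"
        "charge request card=4111-1111-1111-1111 amount=49.99\n"
        "charge approved card=************1111\n"
    ),
}

if __name__ == "__main__":
    for name, lineno, last4 in find_exposed_pans(SAMPLE_ARTIFACTS):
        print(f"FAIL: full card number ending {last4} in {name}, line {lineno}")
```

The masked forms and the 16-digit order number pass; only the log line that carries the full number is reported.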

3. Currency and International Payment Review

A site that operates in multiple countries supporting numerous currencies and different payment cards must include a test using different currencies to verify the behavior of the payment gateway. It must also work with local cards that are accepted in just one country. So while designing your test, be sure to include cards specific to a particular region, since they would be the primary payment option for the local population. The tests must be designed in accordance with the end user’s locality, not the tester’s location.

4. Transaction Status Checks

These are a must-have for any payment gateway testing, even though they require quite a bit of effort from QAs to generate each of the transaction statuses. While we place importance on getting success messages, it is also vital to include failure scenarios and checks for error codes and behavior in instances like session end, authorization failure, session canceled by the user, network failure, and edits to the cart after making payment.

Conclusion

The recommendations made above may not be applicable in all cases, but they summarize the essential areas to be included in a payment gateway test plan. With mobile app payments challenging the prevalence of credit cards these days, testing for mobile payments and payment gateway integration will increasingly drive a revision of our thoughts and approach for payment testing.