
AUDITING PAYMENT GATEWAY

In this article we discuss the security concerns over payment gateways at different functional levels,
and how to perform a security audit of a payment gateway to identify security risks at the application level.

A payment gateway is an online payment solution that enables merchants to accept payments online,
including credit card, debit card, direct debit, bank transfer and real-time bank transfers. A payment
gateway protects sensitive customer data like credit card number & CVV, net-banking credentials etc. by
encrypting the traffic to ensure that the information passes securely between customer & merchant.

How Payment Gateway Works

Here are the steps of how a payment gateway works:

1. A buyer purchases an item and enters the credit card number, the buyer's name & the CVV number
on the checkout page.

2. Details about the purchase are sent from the checkout page to the payment gateway for
processing.

3. The payment gateway forwards the transaction information to the merchant's bank.

4. The whole channel, from the merchant's website to the payment gateway and from the payment
gateway to the merchant's bank, is encrypted.

5. The merchant's bank forwards the transaction information to the bank that issued the buyer's
credit card to authorize the transaction.

6. The bank that issued the buyer's credit card either approves or denies the transaction and
sends that decision back to the merchant's bank.

7. If the transaction is approved, the bank deposits the funds in the merchant's account at a
scheduled time.

8. The payment gateway sends the transaction details and the response back to the merchant
website.

9. The merchant website lets the buyer know whether the transaction was approved or denied.

Security Concerns over Payment Gateway

The functionality of a payment gateway is segregated across multiple levels of operation; hence the
threats to its security can also be segregated by level:

1. Network level: Any security risk present in the underlying network infrastructure may lead to
the compromise of the payment gateway. Therefore, ensure that the devices & servers are
configured properly and that the network perimeter is defended against unauthorized access.
2. Transaction level: The security concerns at the transaction level include accepting an invalid
transaction, for example a '0' amount transaction, a negative amount transaction or a
transaction with invalid details. Hence, before accepting any transaction for processing,
its validity should be checked properly.
3. Application level: This level concerns the coding standard of the payment gateway and is subject
to application security risks like SQL injection, XSS, Direct URL Access, CSRF etc. Refer to the
OWASP Top 10 list of vulnerabilities for more details.
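As an added example (not code from the article), the following Python validator shows what "checking the validity of a transaction properly" looks like for the transaction-level concerns just listed: it rejects the zero-amount and negative-amount cases, and the invalid-details case (malformed or non-Luhn card number, expired card, malformed CVV, unsupported currency). These are the same inputs the audit scenarios 2 to 4 later in the article exercise. The field names, the currency list and the per-transaction ceiling are assumptions chosen for illustration.

```python
"""Transaction-level validation (added example, not from the article).

Rejects the invalid transactions the article names: zero amount, negative
amount and transactions with invalid details. Field names, SUPPORTED_CURRENCIES
and MAX_AMOUNT are assumed values for illustration."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import List, Optional
import re

SUPPORTED_CURRENCIES = {"USD", "EUR", "INR"}   # assumed merchant configuration
MAX_AMOUNT = Decimal("100000.00")              # assumed per-transaction ceiling


@dataclass
class Transaction:
    amount: str          # kept as the string received from the client, parsed below
    currency: str
    card_number: str
    expiry_month: int
    expiry_year: int
    cvv: str


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    checksum = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def validate_transaction(tx: Transaction, today: Optional[date] = None) -> List[str]:
    """Return the list of validation failures; an empty list means accept."""
    today = today or date.today()
    errors: List[str] = []

    # Amount: parse as Decimal (never float) so "0.1" style values are exact.
    try:
        amount = Decimal(tx.amount)
    except InvalidOperation:
        return ["amount is not a number"]
    if not amount.is_finite():             # NaN / Infinity parse but are not money
        errors.append("amount is not finite")
    elif amount <= 0:                      # rejects '0' and negative amounts
        errors.append("amount must be positive")
    elif amount > MAX_AMOUNT:
        errors.append("amount exceeds per-transaction limit")
    elif amount.as_tuple().exponent < -2:  # more precision than the currency has
        errors.append("amount has more than two decimal places")

    if tx.currency not in SUPPORTED_CURRENCIES:
        errors.append("unsupported currency")

    # Card details: digits only, plausible length, Luhn checksum, not expired.
    pan = tx.card_number.replace(" ", "")
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        errors.append("invalid card number")
    if not 1 <= tx.expiry_month <= 12:
        errors.append("invalid expiry month")
    elif (tx.expiry_year, tx.expiry_month) < (today.year, today.month):
        errors.append("card expired")      # valid through the end of the expiry month
    if not re.fullmatch(r"\d{3,4}", tx.cvv):
        errors.append("invalid CVV")
    return errors


if __name__ == "__main__":
    # Constructed sample input; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    print(validate_transaction(Transaction("49.99", "USD", "4111 1111 1111 1111", 12, 2099, "123")))
    print(validate_transaction(Transaction("0", "USD", "4111 1111 1111 1111", 12, 2099, "123")))
    print(validate_transaction(Transaction("-5.00", "USD", "4111 1111 1111 1111", 12, 2099, "123")))
```

The validator returns every failure rather than the first one, which is what an audit log wants; the amount is parsed with Decimal and checked for sign, range and scale before anything else, because a gateway that only checks "is a number" still accepts the '0' and negative cases the article warns about.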

Identifying Security Risks at Application Level

The payment gateway is integrated with the merchant's website; therefore the merchant's website should
also be tested against the various application security risks.

Below is a list of test scenarios for an initial understanding. Do not consider it an exhaustive list, as
test scenarios vary with the implementation:

1. All the issues in the OWASP list (SQL injection, cross-site scripting etc.) are applicable to
payment gateways too.

2. Try to perform a transaction with '0' amount.

3. Try to perform a negative value transaction.

4. Try to perform a transaction with a low account balance.

5. Check whether the latest version of SSL is implemented across all payment gateway pages.
Verify that strong encryption and hashing algorithms with a key of adequate length are implemented.

6. Check whether cache control is implemented properly. To verify this, perform a transaction
till completion, then disable JavaScript in the browser. Now right-click the browser's back
button to view the browser cache and click any link to an internal application page. If the
page is accessible, cache control is not implemented.

7. Another method to test it is to enter the credit card details and capture the HTTP response in an
HTTP interceptor like Burp Suite or ZAP proxy. The response will contain a 'Cache-Control'
header; ensure that 'no-cache' & 'no-store' are set in that header.

8. Test whether an idle session timeout is implemented in the application.

9. Try to perform HTTP request replay attacks. A sample test: complete a transaction and capture
the request with which the payment gateway redirects the buyer back to the merchant's
website. This request contains the confirmation of the successful payment. Now replay this
request before making a payment and try to generate a payment confirmation slip without
making any payment.

10. Check whether any user-specific data (for example id, username etc.) is transmitted in HTTP
requests. If so, try to perform cross-account access by replacing the values of such
parameters with those of another valid user, to make a payment on that user's behalf.

11. Test for CSRF to identify whether it is possible for an attacker to make a transaction on behalf
of a legitimate user.

12. Verify that an audit trail is implemented, either at the database level or at the application level.

13. Check whether a proper password policy is implemented in the application.

14. Verify that the session is destroyed after a successful payment.
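As an added example (not code from the article or from any gateway vendor), the following Python shows the defender's side of two scenarios above: the cache-control review of scenarios 6 and 7, as a function that audits a captured response's headers, and the request-replay test of scenario 9, as the merchant-side verification that makes a captured payment confirmation unusable a second time. The header handling, the HMAC-SHA256 signing scheme, the parameter names and the sample messages are assumptions constructed for illustration, not any real gateway's API.

```python
"""Added example (not from the article): defender-side checks for audit
scenarios 6/7 (cache control) and 9 (request replay). The signing scheme,
parameter names and sample messages are constructed assumptions."""
import hashlib
import hmac
import time
from typing import Dict, List, Optional, Set, Tuple


def cache_control_findings(headers: Dict[str, str]) -> List[str]:
    """Audit one HTTP response's headers as scenario 7 describes.

    Returns the findings; an empty list means neither the browser nor an
    intermediary is allowed to keep a copy of the page."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    raw = lowered.get("cache-control", "")
    directives = {d.strip().lower() for d in raw.split(",") if d.strip()}
    findings = []
    for required in ("no-store", "no-cache"):
        if required not in directives:
            findings.append(f"Cache-Control is missing '{required}'")
    if any(d.startswith("max-age=") and d != "max-age=0" for d in directives):
        findings.append("Cache-Control allows a non-zero max-age")
    return findings


# Assumed shared secret provisioned by the gateway to the merchant (constructed demo value).
GATEWAY_SECRET = b"constructed-demo-secret"
CALLBACK_MAX_AGE_SECONDS = 300   # assumed freshness window for a confirmation


def sign_callback(params: Dict[str, str]) -> str:
    """HMAC-SHA256 over the sorted parameters (assumed scheme); what the gateway would compute."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(GATEWAY_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def verify_payment_confirmation(params: Dict[str, str], signature: str,
                                expected_order: Dict[str, str], seen_txn_ids: Set[str],
                                now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a gateway-to-merchant confirmation may mark an order as paid.

    A replayed confirmation (scenario 9) fails because its transaction id has
    already been consumed; a confirmation captured for one order fails the
    order/amount binding for any other order."""
    now = time.time() if now is None else now
    # 1. Authenticity: check the signature before trusting any field.
    if not hmac.compare_digest(sign_callback(params), signature):
        return False, "signature mismatch"
    # 2. Freshness: reject confirmations outside the allowed window.
    try:
        age = now - int(params.get("ts", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(age) > CALLBACK_MAX_AGE_SECONDS:
        return False, "stale timestamp"
    # 3. Binding: the confirmation must refer to this order, amount and currency.
    for field in ("order_id", "amount", "currency"):
        if params.get(field) != expected_order.get(field):
            return False, f"{field} does not match the pending order"
    if params.get("status") != "APPROVED":
        return False, "transaction not approved"
    # 4. Single use: each gateway transaction id is accepted exactly once. In
    #    production this is a unique constraint in the database, not a set.
    txn_id = params.get("txn_id", "")
    if not txn_id or txn_id in seen_txn_ids:
        return False, "transaction id missing or already consumed"
    seen_txn_ids.add(txn_id)
    return True, "payment accepted"


if __name__ == "__main__":
    # Constructed sample: a valid confirmation, then the same one replayed.
    sample = {"order_id": "ORD-1001", "amount": "49.99", "currency": "USD",
              "status": "APPROVED", "txn_id": "TXN-7", "ts": "1700000000"}
    sig = sign_callback(sample)
    order = {"order_id": "ORD-1001", "amount": "49.99", "currency": "USD"}
    seen: Set[str] = set()
    print(verify_payment_confirmation(sample, sig, order, seen, now=1700000010))
    print(verify_payment_confirmation(sample, sig, order, seen, now=1700000020))
    print(cache_control_findings({"Cache-Control": "private, max-age=3600"}))
```

The order of the checks matters: the signature is verified first so that no unauthenticated field influences a decision, and the single-use check is last so that a rejected message does not consume a transaction id. The same structure also covers scenario 10's concern on the confirmation leg, since the order id is looked up server-side from the pending order rather than trusted from the request.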
