I think this is a fairly vague question, but I'll give it a try. A payment gateway is an e-commerce service that authorizes payments, encrypts sensitive information, and passes that information securely between the customer and the merchant. Most often, I've seen those services implemented as a Web service. The availability of automated tools depends on what you want to test and how you want to test it.
There are many tools out there that will aid you in the testing of the connection and transport. A couple of tools that come to mind are Mindreef SOAPscope, IBM Rational for SOA Quality, and SoapUI. Each of those will allow you to build test beds of request and response XMLs for testing a Web service. If your payment gateway isn't a Web service (and it very well may not be), you'll need to find or build a tool that allows you to connect to that interface. In most cases, building a lightweight tool to aid with manual testing or to allow for regression testing isn't too difficult.
If you're testing authorization, most likely you're just designing test cases focused on that aspect of system functionality or data. If you have the right amount of test data available, you can automate the generation of the test cases based on a model, but most likely just thinking about the problem and designing and executing the right tests will be less cumbersome than worrying about automation. If you are just looking for regression tests for authorization, use the same tool you use for testing the connection and transport.
If you want to test the encryption, there are a number of tools that can help, but I don't know of any that automate that testing. (Disclaimer: this doesn't mean automated encryption testing tools don't exist.) I would start by looking at Wireshark or WebScarab. I've used both and found them easy to get set up and started with. Keep in mind that the actual encryption of the message is only one aspect of what you'll want to test in terms of encryption. If you're not sure what you're looking for when testing the encryption, you may want to bring in a consultant for that piece of work.
Finally, you may be able to test using the customer application. If that's the case, you may not even care what the implementation is and you can just test using the customer-facing screens. If you want automation, you are limited only by the tools that support that platform. Assuming it's a Web interface, you can use just about whatever tool you like.
Just make sure you know what it is you want to test -- no tool will be able to help you with that. And make sure you know what you want to get out of the automation you end up building out. Different goals will mean different tools. Some tools will help with data generation, some with test execution, and some with regression test-bed maintenance.
Here are a couple of additional resources for Web services and automation that you may find helpful:
- "Testing Web Services" by Chris McMahon
- "How to test Web services" by Michael Kelly
- "Open-Source Scripting Tool Aids In Testing Web Services" by Michael Kelly
- "Everyday Scripting with Ruby: for Teams, Testers, and You" by Brian Marick
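
A lightweight regression test bed of the kind described above, as an added example that is not part of the original answer: it replays stored request XML against a gateway and diffs each response against a recorded baseline, ignoring fields that change on every call. The element names, the 500 approval limit, the card placeholder and `stub_gateway` are hypothetical stand-ins for a real gateway interface.

```python
import xml.etree.ElementTree as ET

# Elements whose values differ on every call (assumed names for this sketch).
VOLATILE = {"TransactionId", "Timestamp"}

def flatten(xml_text, ignore=VOLATILE):
    """Map each leaf element path to its text, skipping volatile elements."""
    out = {}
    def walk(node, path):
        tag = node.tag.split("}")[-1]          # drop any XML namespace prefix
        here = f"{path}/{tag}"
        children = list(node)
        if not children and tag not in ignore:
            out[here] = (node.text or "").strip()
        for child in children:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return out

def compare(expected_xml, actual_xml):
    """Return a sorted list of (path, expected, actual) differences."""
    exp, act = flatten(expected_xml), flatten(actual_xml)
    return sorted((p, exp.get(p), act.get(p))
                  for p in exp.keys() | act.keys() if exp.get(p) != act.get(p))

def run_test_bed(cases, send):
    """Send every stored request through `send`; collect diffs by case name."""
    failures = {}
    for name, request_xml, expected_xml in cases:
        diffs = compare(expected_xml, send(request_xml))
        if diffs:
            failures[name] = diffs
    return failures

# Constructed sample data: message builders, a stub gateway, two baselines.
def request(amount):
    return f"<AuthRequest><Card>TEST-CARD-TOKEN</Card><Amount>{amount}</Amount></AuthRequest>"

def response(txn_id, status, amount):
    return (f"<AuthResponse><TransactionId>{txn_id}</TransactionId>"
            f"<Status>{status}</Status><Amount>{amount}</Amount></AuthResponse>")

def stub_gateway(request_xml):
    amount = float(flatten(request_xml)["/AuthRequest/Amount"])
    return response("t-81", "APPROVED" if amount <= 500 else "DECLINED", f"{amount:.2f}")

CASES = [
    ("under_limit", request("20.00"), response("t-01", "APPROVED", "20.00")),
    ("over_limit", request("900.00"), response("t-02", "DECLINED", "900.00")),
]
```

Replacing `stub_gateway` with a function that posts the request to a test endpoint turns the same cases into a regression run against a real build.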