Automated testing tools for a payment gateway

Whether it is a Web service or a regular Web application, testing a payment gateway is far easier and more thorough when you know which tools to use. Expert Mike Kelly explains how to find the right testing tools.

Are there any automated test tools that can be used to test a payment gateway?

I think this is a fairly vague question, but I'll give it a try. A payment gateway is an e-commerce service that authorizes payments, encrypts sensitive information, and passes that information securely between the customer and the merchant. Most often, I've seen those services implemented as a Web service. The availability of automated tools depends on what you want to test and how you want to test it.

There are many tools out there that will aid you in the testing of the connection and transport. A couple of tools that come to mind are Mindreef SOAPscope, IBM Rational for SOA Quality, and SoapUI. Each of those will allow you to build test beds of request and response XMLs for testing a Web service. If your payment gateway isn't a Web service (and it very well may not be), you'll need to find or build a tool that allows you to connect to that interface. In most cases, building a lightweight tool to aid with manual testing or to allow for regression testing isn't too difficult.

If you're testing authorization, most likely you're just designing test cases focused on that aspect of system functionality or data. If you have the right amount of test data available, you can automate the generation of the test cases based on a model, but most likely just thinking about the problem and designing and executing the right tests will be less cumbersome than worrying about automation. If you are just looking for regression tests for authorization, use the same tool you use for testing the connection and transport.

If you want to test the encryption, there are a number of tools that can help, but I don't know of any that automate that testing. (Disclaimer: this doesn't mean automated encryption testing tools don't exist.) I would start by looking at Wireshark or WebScarab. I've used both and found them easy to get set up and started with. Keep in mind that the actual encryption of the message is only one aspect of what you'll want to test in terms of encryption. If you're not sure what you're looking for when testing the encryption, you may want to bring in a consultant for that piece of work.

Finally, you may be able to test using the customer application. If that's the case, you may not even care what the implementation is and you can just test using the customer facing screens. If you want automation, you are limited only by the tools that support that platform. Assuming it's a Web interface, you can use just about whatever tool you like.

Software testing resources:
What to look for in a Web application security testing tool

Free load and performance testing tools

Free Web application security testing tools you need to get to know

Just make sure you know what it is you want to test -- no tool will be able to help you with that. And make sure you know what you want to get out of the automation you end up building out. Different goals will mean different tools. Some tools will help with data generation, some with test execution, and some with regression test-bed maintenance.

Here are a couple of additional resources for Web services and automation that you may find helpful:

Dig Deeper on Topics Archive