Auditing Payment Gateway

In this article we discuss the security concerns for a payment gateway at its different functional levels, and how to perform a security audit of a payment gateway to identify security risks at the application level.

A payment gateway is an online payment solution that enables merchants to accept payments online, including credit card, debit card, direct debit, bank transfer and real-time bank transfers. A payment gateway protects sensitive customer data such as credit card number and CVV, netbanking credentials etc. by encrypting the traffic, so that the information is passed securely between customer and merchant.

How Payment Gateway Works

Here are the steps by which a payment gateway works in an online shopping environment:

  1. A buyer purchases an item and enters a credit card number, the buyer’s name and the CVV number on the checkout page.
  2. Details about the purchase are sent from the checkout page to the payment gateway for processing.
  3. The payment gateway forwards the transaction information to the merchant’s bank.
  4. The whole channel from the merchant’s website to the payment gateway, and from the payment gateway to the merchant’s bank, is encrypted.
  5. The merchant’s bank forwards the transaction information to the bank that issued the buyer’s credit card to authorize the transaction.
  6. The bank that issued the buyer’s credit card either approves or denies the transaction and sends that information back to the merchant’s bank.
  7. If the transaction is approved, the bank will deposit funds into the merchant’s account at a scheduled time.
  8. The payment gateway sends the transaction details and response back to the merchant website.
  9. The merchant website lets the buyer know whether the transaction was approved or denied.

Security Concerns over Payment Gateway

The functionality of a payment gateway is segregated across multiple levels of operation. Hence threats to its security can also be segregated based on each level:

  1. Network level: Any security risk present in the underlying network infrastructure may lead to the compromise of the payment gateway. Therefore ensure that the devices and servers are configured properly and that the network perimeter is defended against unauthorized access.
  2. Transaction level: The security concerns at transaction level include accepting an invalid transaction, for example a ‘0’ amount transaction, a negative amount transaction or a transaction with invalid details. Hence before any transaction is accepted for processing, its validity should be checked properly.
  3. Application level: This level concerns the coding standard of the payment gateway and is subject to application security risks such as SQL injection, XSS, direct URL access, CSRF etc. Refer to the list of OWASP Top 10 vulnerabilities for more details.
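The transaction-level validity check described above can be sketched as follows. This is an added example, not code from the original article; the field names (order_id, currency, amount), the currency table and the upper limit are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Assumed policy values for this example; a real gateway would take these
# from its merchant configuration.
ALLOWED_CURRENCIES = {"USD": 2, "EUR": 2, "JPY": 0}  # currency -> decimal places
MAX_AMOUNT = Decimal("100000")

def validate_transaction(txn):
    """Return the reasons to reject txn; an empty list means it may be processed."""
    errors = []
    currency = txn.get("currency")
    if currency not in ALLOWED_CURRENCIES:
        errors.append("unsupported currency")
    raw = txn.get("amount")
    # Accept only strings: floats lose precision and hide values such as -0.0.
    if not isinstance(raw, str):
        errors.append("amount must be a decimal string")
        return errors
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        errors.append("amount is not a number")
        return errors
    if not amount.is_finite():  # "NaN" and "Infinity" parse as Decimal values
        errors.append("amount is not finite")
        return errors
    if amount <= 0:  # the '0' amount and negative amount cases
        errors.append("amount must be greater than zero")
    if amount > MAX_AMOUNT:
        errors.append("amount exceeds limit")
    digits = ALLOWED_CURRENCIES.get(currency)
    if digits is not None and -amount.as_tuple().exponent > digits:
        errors.append("too many decimal places for currency")
    if not txn.get("order_id"):  # one instance of "invalid details"
        errors.append("missing order id")
    return errors
```

The same checks belong on the server side of both the merchant site and the gateway, since values validated only in the checkout page can be changed in transit by the client.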

Identifying Security Risks at Application Level

The payment gateway is integrated with the merchant’s website; therefore the merchant’s website should also be tested against various application security risks.

Below is a list of test scenarios for an initial understanding. Do not consider it an exhaustive list, as test scenarios sometimes vary with the implementation:

  1. All the issues present in the OWASP list (SQL injection, cross-site scripting etc.) are also applicable to a payment gateway.
  2. Try to perform a transaction with ‘0’ amount.
  3. Try to perform a negative value transaction.
  4. Try to perform a transaction with low account balance.
  5. Check whether the latest version of SSL is implemented across all payment gateway pages. Verify that strong encryption and hashing algorithms with keys of adequate length are implemented.
  6. Check whether cache control is implemented properly. To verify this, perform a transaction to completion, then disable JavaScript in the browser. Now right click on the back button of the browser to view the browser cache and click on any link to an internal application page. If the page is accessible, cache control is not implemented.
  7. Another method to test it is to enter the credit card details and capture the HTTP response in an HTTP interceptor such as Burp Suite or ZAP proxy. The response will contain a ‘cache-control’ header; ensure that ‘no-cache’ and ‘no-store’ are set in that header.
  8. Test whether idle session timeout is implemented in the application.
  9. Try to perform HTTP request replay attacks. A sample test: complete a transaction and capture the request sent when the payment gateway redirects the buyer back to the merchant’s website. This request contains the confirmation of the successful payment. Now replay this request before making a payment and try to generate a payment confirmation slip without making any payment.
  10. Check whether any user-specific data (for example id, username etc.) is transmitted in HTTP requests. If yes, try to perform cross-account access by replacing the values of such parameters with those of another valid user, to make a payment on that user’s behalf.
  11. Test for CSRF to identify whether it is possible for an attacker to make a transaction on behalf of a legitimate user.
  12. Verify that an audit trail is implemented either at database level or at application level.
  13. Check whether a proper password policy is implemented in the application.
  14. Verify that the session is destroyed after a successful payment.
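For scenarios 9 and 10, the merchant-side handling that makes a replayed or tampered confirmation fail can be sketched as follows. This is an added example, not code from the original article or from any particular gateway; the callback parameter names, the HMAC scheme and the shared secret are assumptions for illustration.

```python
import hashlib
import hmac
import json

SHARED_SECRET = b"constructed-demo-secret"  # assumption: key shared by gateway and merchant
FIELDS = ("order_id", "amount", "status", "txn_id")  # hypothetical callback parameters

def sign(params, key=SHARED_SECRET):
    """HMAC-SHA256 over the callback fields, serialized unambiguously in fixed order."""
    msg = json.dumps([str(params[name]) for name in FIELDS]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Merchant:
    def __init__(self):
        self.orders = {}       # order_id -> {"user", "amount", "state"}
        self.seen_txn = set()  # gateway transaction ids already accepted

    def create_order(self, order_id, user, amount):
        self.orders[order_id] = {"user": user, "amount": amount, "state": "pending"}

    def handle_callback(self, session_user, params):
        """Return 'paid' or a rejection reason for a redirect-back request."""
        if any(name not in params for name in FIELDS) or "sig" not in params:
            return "rejected: missing field"
        expected = sign(params).encode()
        if not hmac.compare_digest(expected, str(params["sig"]).encode()):
            return "rejected: bad signature"
        order = self.orders.get(params["order_id"])
        # The owner comes from the server-side session, never from the request.
        if order is None or order["user"] != session_user:
            return "rejected: order not owned by session user"
        # A confirmation is accepted once per gateway transaction and per order.
        if params["txn_id"] in self.seen_txn or order["state"] != "pending":
            return "rejected: replayed confirmation"
        if params["status"] != "SUCCESS" or params["amount"] != order["amount"]:
            return "rejected: status or amount mismatch"
        self.seen_txn.add(params["txn_id"])
        order["state"] = "paid"
        return "paid"
```

During an audit, the absence of any of these checks (signature, ownership taken from the session, one-time use, amount match) is what the replay and cross-account tests above are designed to reveal.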

Please go through the following link for a more detailed approach to payment gateway audit:
