Security testing and PCI DSS compliance validation of online billing system

A large European financial player aimed to obtain PCI DSS certification for the proprietary Internet payment platform picked a1qa to address the challenge.
Cybersecurity testing
Financial services
Functional testing


The client, a large European holding with a diversified portfolio of financial, investment, and internet businesses, including self-service cash kiosk network, electronic money system, online casino, and lottery, was working to develop a payment mechanism for internal needs and corporate services.

The initial idea transformed into a proprietary online payment platform for Central and Eastern Europe, the region where the market was rapidly developing.

The client hired a software development company to build the platform and decided to invite an independent testing provider in order to ensure the product’s quality.

Services offered

Functional testing
Cybersecurity testing
PCI DSS compliance validation

Project scope

The major goal was to guarantee top security of all payments and transactions and smooth, protected integration with multiple local banks.

a1qa demonstrated impressive security testing expertise and a successful track record of preparing different applications, e-commerce, and online payment systems for international financial security standardization, and was invited to deliver the project.

To make the online payment service a marketable commercial product, it was necessary to ensure its compliance with the international Payment Card Industry Data Security Standard (PCI DSS).

The goal for a1qa was to provide full-cycle testing for the newly developed online payment web platform and prove that it complied with PCI DSS requirements.

A joint team of experienced QA engineers, security testers, Java developers, and business analysts was engaged in the project.

The a1qa team performed comprehensive functionality testing activities to make sure the billing mechanism worked properly and was easy to use. Alongside with that, the experts had to validate the application’s security according to the following criteria:

  • Probability of SQL injections, code injections, ORM injections, buffer overflow XSS, OS commanding
  • Analysis of error codes
  • Application’s entry points, application discovery and access verification
  • Credentials transport over an encrypted channel
  • User enumeration, bypassing authentication schema
  • Race conditions
  • Logout behavior and browser cache management
  • Session management schema, cookie attributes
  • AJAX malfunction
  • SSL testing, PCI DSS password management.

a1qa ran all testing scenarios in time and provided a detailed report on each security requirement.

The company launched the most critical tests more than 20 times each to prove the stability of the system’s security and investigate all possible and potential data loss risks.

The PCI DSS auditors had no remarks about the system or any of its components.

Technologies & tools

  • Java
  • Acunetix Web Vulnerability Scanner
  • OWASP WebScarab
  • BackTrack 4
  • IBM Rational AppScan


  • The system was certified as PCI DSS compliant and integrated with 3-D Secure confirming high fraud protection and increasing perceived credibility.
  • The new online payment system was smoothly integrated with APIs of multiple local banks. This allows integration with endless e-commerce websites.
  • The product was launched as a stable, safe, and easy means for making payments while shopping online.
  • The software product supports over 1 million transactions per day with only two production servers – an application and a database – and has a capacity to support tens of millions of transactions daily.

In numbers

weeks of the project duration
QA engineers engaged
major and critical defects detected

Get in touch

Please fill in the required field.
Email address seems invalid.
Please fill in the required field.
We use cookies on our website to improve its functionality and to enhance your user experience. We also use cookies for analytics. If you continue to browse this website, we will assume you agree that we can place cookies on your device. For more details, please read our Privacy and Cookies Policy.