Security testing and PCI DSS compliance validation of online billing system


The client, a large European holding with a diversified portfolio of financial, investment, and internet businesses, including self-service cash kiosk network, electronic money system, online casino, and lottery, was working to develop a payment mechanism for internal needs and corporate services.

The initial idea transformed into a proprietary online payment platform for Central and Eastern Europe, the region where the market was rapidly developing.

The client hired a software development company to build the platform and decided to invite an independent testing provider in order to ensure the product's quality.


The major goal was to guarantee top security of all payments and transactions and smooth, protected integration with multiple local banks.

a1qa demonstrated impressive security testing expertise and a successful track record of preparing different applications, e-commerce, and online payment systems for international financial security standardization, and was invited to deliver the project.

To make the online payment service a marketable commercial product, it was necessary to ensure its compliance with the international Payment Card Industry Data Security Standard (PCI DSS).

The goal for a1qa was to provide full-cycle testing for the newly developed online payment web platform and prove that it complied with PCI DSS requirements.

A joint team of experienced QA engineers, security testers, Java developers, and business analysts was engaged in the project.

The a1qa team performed comprehensive functionality testing activities to make sure the billing mechanism worked properly and was easy to use. Alongside with that, the experts had to validate the application's security according to the following criteria:

  • Probability of SQL injections, code injections, ORM injections, buffer overflow XSS, OS commanding
  • Analysis of error codes
  • Application's entry points, application discovery and access verification
  • Credentials transport over an encrypted channel
  • User enumeration, bypassing authentication schema
  • Race conditions
  • Logout behavior and browser cache management
  • Session management schema, cookie attributes
  • AJAX malfunction
  • SSL testing, PCI DSS password management.

a1qa ran all testing scenarios in time and provided a detailed report on each security requirement.

The company launched the most critical tests more than 20 times each to prove the stability of the system's security and investigate all possible and potential data loss risks.

The PCI DSS auditors had no remarks about the system or any of its components.

  • Functional testing
  • Security testing
  • PCI DSS compliance validation
  • Java
  • OWASP WebScarab
  • Acunetix Web Vulnerability Scanner
  • BackTrack 4
  • IBM Rational AppScan
  • The system was certified as PCI DSS compliant and integrated with 3-D Secure confirming high fraud protection and increasing perceived credibility.
  • The new online payment system was smoothly integrated with APIs of multiple local banks. This allows integration with endless e-commerce websites.
  • The product was launched as a stable, safe, and easy means for making payments while shopping online.
  • The software product supports over 1 million transactions per day with only two production servers – an application and a database – and has a capacity to support tens of millions of transactions daily.
  • 5
    weeks of the project duration
  • 3
    QA engineers engaged
  • 100%
    major and critical defects detected
QA news and tips delivered right to your inbox
We’ll send you one newsletter a month, jam-packed with amazing QA offers, hottest industry news, and all kinds of Software Testing goodness.