‘ How To’ and ‘ How Not Too’ Test Payment Systems
Divya MurthyAnoop Nair
Infosys Limited (NASDAQ: INFY)
Abstract
2
Payment systems are perhaps the most important, yet volatile components in a financial institution's framework. An efficient payment system is crucial to the functioning of the financial markets and the entities involved.In the past few years there have been several changes in the services offered in the payments landscape due to external circumstances. These changes are usually time bound and thus arises the need to develop quality systems within these stringent timelines. There is immense pressure on the IT departments within banks to provide payment systems which meet the recent regulatory requirements and also incorporate the latest technology trends within the existing legacy systems.Also, the changes in the payments industry in the form of new entrants, regulations, and technologies have resulted in financial institutions adopting new strategies and increasing their technology spend on these applications. The options available for the banks to embrace these new technologies have their own set of challenges to address.• Legacy systems- Though generally stable and a comfortable option for the banks to continue with, they have the drawback of being dated and not being able to integrate with systems built on latest technology.• Vendor applications - Albeit this is an “easy-to-procure-and-use” option for banks, the ability of these applications to cater to the client specific needs of the banks is minimal.Correspondingly, testing a plethora of such systems can assume paramount importance as these systems grapple not just with changes within the organization but also with regulatory and technological changes. This paper highlights some of the best practices that are prevalent in the industry while pointing out a few generic fallacies pertaining to testing payment systems to ensure the applications are stable, reliable and resilient
Keywords: Testing of payment systems, best practices, fallacies
Payments Landscape
3
Custome
r makes a
payment
Custo
mer's bank trans
mits
payment
data
Clearing
Settlement
Payee's bank makes note of payment
Funds
available to PayeeFig 1. Payment Life Cycle
• Payment systems constitute the backbone of the banking and financial industry
• Post the financial crisis, the need for an efficient payment system was recognized
• New Banking Regulations, Payment Channels, New Products – pose a challenge
• Testing involves multiple flows, systems, file formats
4
Payment Trends and Associated Challenges
Regulatory
Requirements
Multiple Paymen
t Channel
s
Transaction
Volumes
New Product
s
Overworked
Systems
Fraud Detecti
onGlobalization
Why this Paper?
5
• An attempt to highlight some of the desirable and quite a few of the undesirable practices/ methods that testers adopt while testing payment systems
• Create awareness on mitigating poor practices in payment systems testing, thereby reducing the risks that banks are prone to in the event of any casualty that can be attributed to undesirable testing practices.
Scenario 1: Dealing with Data complexity
6
Bank A in the Belgium receives an MT202 SWIFT message from Bank X also in the Belgium to be passed on to Bank Y in London to fulfill an MT103 payment instruction.
How will the QA testers validating payments with several possible data combinations ensure through test coverage with optimal utilization of time and effort?
Scenario 1: Dealing with Data complexity ( Contd.. )Banks use resident banking software applications or an OTS vendor software
applications/ products, customized to suit its needs.Testers maintain a homogeneous focus on elements like data, value and field.Functional testing of payment systems involves the field by field validation of
all the data coming in from the source/ upstream system, transformations and then finally, transmission to the downstream system.
DDT is a functional testing technique which emphasizes greatly on the reuse of data.
7
Data Driven Testing
approach
• Emphasis on reuse of data• Field to value mapping including
negative scenarios• Doubles up as a traceability
matrix• Found to reduce scripting efforts
by 70% Microsoft Office Excel Worksheet
Scenario 2: Prioritization of effort in a time bound scenario
8
There is a major change in a regulatory requirement involving cross currency payments. This would require a significant amount of rework in all the stages of the lifecycle which would result in considerable delay. However, the delivery schedule does not get changed as the regulatory body has made it mandatory for all FIs to adhere to the new norm within a specified period of time.
9
Scenario 2: Prioritization of effort in a time bound scenario (Contd..)
Delays in previous stages/ frequent regulatory changes affect testing.
Testers are somehow expected to accommodate such exigencies and adapt quickly.
Onus is on the testers to come up with the ideal test bed which:
Prioritizes the scripts Ensures coverage of all
the high priority functional test conditions
Prioritizes the E2E scenarios too
RISK
Scenario 2: Prioritization of effort in a time bound scenario (Contd..)RBT prioritization criteria Likelihood of failure Impact of failure
Risk Matrix Quantify risks versus impact Ensures coverage of all high
priority scenarios Higher the priority, earlier its
coverage in the test cycle High severity defects detected
early Contributes to optimal
resourcing Adds to client value
Scenario 3: Integrating multiple systems and channels A customer, who holds a Current account in Bank A in US, initiates a money transfer to fund his account in India with Bank B to fulfill an EMI obligation. His account in the US is debited with $ 1000 and the bank promises to credit his account in India in 2-3 working days.
However, even after a week the payment has not reached Bank B. Bank A is unable to figure where the payment is held up while the customer is being penalized by Bank B for delaying his EMI payment. Sounds familiar
ATMInternet
MobileKiosk Smartphone
POS
Gateways
Back Office Integration Server
Authentication Manager
Integration Layer & Channel Manager
Bank’s Back Office SystemsRetail Trading Treasury Corporate
Lending Card Systems Trade Finance
Scenario 3: Integrating multiple systems and channels ( Contd..)
Multitude of channels involved in the payments domainE2E Testing provides an insight into the functioning of each
payment application system and validate services, messages, interfaces and business processes.
Payment flow involves myriad systems giving rise to various challenges while doing E2E testing:
Multiple points of convergence of payments channelsApplications developed and tested by different vendors in
different regions/environmentsAvailability of multiple test environments and E2E test
environmentsE2E schedule tracking & monitoring
Scenario 3: Integrating multiple systems and channels ( Contd..)
Testing Scope
Define Test Strategy
Timelines
Environment Booking
Stakeholder involvement
Defect Management
Metrics
E2E Regression
E2E Test Methodology
Scenario 4 : Effective system performance
A bank has tens of thousands of payments coming in one particular day, as opposed to the few thousands which are usually the norm. The sudden spurt of traffic has resulted in a server crash. How can a bank foresee such situations and react efficiently when such exigencies arise?
Scenario 4 : Effective system performance ( Contd..)
Performance/ Stress
Testing
Migration&
Regulatory
Require-ments
Transact-ion
VolumesFraud
Disaster Recover
y
Performance Tests – Ensure systems can take the anticipated volumes within a reasonable time frame
Stress Tests – Identify the break point to help define the switch over/ recovery plan
Need to Performance/ Stress Test driven by
Regulatory Requirements Transaction Volumes Migration New Products Fraud Disaster Recovery
Scenario 5 : Securing Payments
Mr. John notices an advertisement from Bank XY while browsing the net which promises some interesting benefits on his account. He follows the link which requires him to login with his ID and password. He browses through the content and gets back to doing what he was doing. The next day, he sees a debit of $ 5000 from his Current account not initiated by him. Who could have initiated this payment?
Scenario 5 : Securing Payments ( Contd..)
Increase in fraudulent activities due to introduction of new technologies and new payment avenues
Tools used by existing QA teams to be analyzed and then the security testing processes, tools to be fit into the current process
Types of testing to be done on Payment systems
Network SecurityDatabase SecurityWeb Application Security
Security Testing
Web Applica
tion Security
Network
Security
Database
Security
Conclusion
Payment systems expected to absorb and align themselves to the advances in technology, regulatory changes and latest developments in business process reengineering
Processes which are mutually beneficial to FIs and their customersInnovations in payments landscapeTesting these improved systems would prove cumbersome unless
radical improvements and advancements are made in testing practices, tools and processes
Prudence to be exercised in identifying the shortcomings of the existing practices/ systems
References Infosys project experience Infosys resources (www.infosys.com)