Avonelle's Tech Blog


The conflicting priorities of security and testability

How hard is it to test interfaces with payment gateways? In my experience, it isn’t a trivial enterprise. Last week I was working on getting AbleCommerce working properly with First Data. I had everything set up in test mode, and I got authorization for credit cards working fine, but when I tried to actually capture the funds, it was generating an error.

As it turns out, I wasn’t able to actually test capturing the funds. Apparently once you get the authorization working properly, you just assume everything else will be fine. It also occurred to me that even if it did work, there wasn’t a place (that I knew of) on the First Data site that would let me see my test transactions so that I would know that they were processed successfully. I had to run real transactions through, where I discovered that it was important for me to mark the order as “shipped” in AbleCommerce before I tried to capture the dough.

Of course, there are lots of payment gateway choices out there, and perhaps they don’t all work the same way, but my guess is that this is a common issue.

I have another customer with a custom application that does payment capture also. I can change his application so that it runs in “test mode” – in fact it is in a config setting so it is no big deal. But I’m pretty confident that I can’t test the payment integration from my development machine, as typically one of the security rules is that you have to identify in the payment gateway settings the URL your application will be accessing the gateway from. Since a development machine typically doesn’t have a public URL, you have to actually copy your app to production and test that way. Geez. That doesn’t seem like an optimum approach. Also, this is fine for a new app that isn’t available, but what about an existing application? There certainly isn’t a good way to turn off the app (except for your tests).

Again, I might be wrong and First Data might be the exception. And I think security, especially for something like credit card processing, is important. But I wish that there was more emphasis on helping developers with a true test environment.

Posted by Avonelle on Monday, February 02, 2009.
