Payment Gateway Audit

A payment gateway is an online payment service that lets merchants accept payments over the internet by credit card, debit card, direct debit and bank transfer (including real-time bank transfers). It protects sensitive customer data such as card numbers, CVVs and net-banking credentials by encrypting the traffic, so that the information passes securely between the customer, the merchant and the banks involved. Note that this protects the data only while it is in transit; how it is stored and handled at either end needs its own controls.

Security Concerns over Payment Gateway

The functionality of a payment gateway is spread across several layers of operation, so the threats to its security can be grouped by layer as well:

  • Network level: Any weakness in the underlying network infrastructure can lead to compromise of the payment gateway. Ensure that devices and servers are configured securely (hardened and patched) and that the network perimeter is defended against unauthorised access.
  • Transaction level: Security concerns at the transaction level include accepting an invalid transaction, for example a zero-amount transaction, a negative-amount transaction, or a transaction with invalid card details. Every transaction must therefore be validated on the server before it is accepted for processing; in particular, the amount should be recomputed from the merchant's own records rather than taken from the value submitted by the client.
  • Application level: This level concerns the coding standard of the payment gateway and its integration, and is subject to the usual application security risks: SQL injection, XSS, direct URL access (forced browsing), CSRF and so on. Refer to the OWASP Top 10 for more details.
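The following is an added example of the transaction-level validation described above, written for this page rather than taken from Xiarch or any gateway vendor. It shows a server-side check that recomputes the amount from a price list instead of trusting the client, rejects zero, negative and unparseable amounts, and sanity-checks the card details (Luhn, expiry, CVV format). The catalog, the order and card field names, the currency list, the amount ceiling and the fixed demo date are all constructed assumptions.

```python
"""Server-side validation of a checkout before it is handed to the gateway.
Added example, not Xiarch's code: the catalog, order and card field names,
the currency list and the amount ceiling are all constructed assumptions."""
import datetime as dt
import re
from decimal import Decimal, InvalidOperation

# Constructed price list: the server, not the client, decides what an item costs.
CATALOG = {"SKU-100": Decimal("499.00"), "SKU-200": Decimal("1250.50")}
ALLOWED_CURRENCIES = {"INR", "USD"}
MAX_AMOUNT = Decimal("200000.00")       # assumed per-transaction ceiling
DEMO_TODAY = dt.date(2024, 6, 1)        # fixed date so the demo is repeatable


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test on a card number given as digits only."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_transaction(order: dict, card: dict, today=None):
    """Return (accepted, errors, server_amount).

    The amount passed on for processing is recomputed from the catalog; the
    client-supplied figure is only compared against it, never trusted."""
    today = today or dt.date.today()
    errors = []

    if order.get("currency") not in ALLOWED_CURRENCIES:
        errors.append("unsupported currency")

    items = order.get("items") or []
    if not items:
        errors.append("empty cart")
    server_total = Decimal("0.00")
    for item in items:
        price = CATALOG.get(item.get("sku"))
        qty = item.get("qty")
        if price is None:
            errors.append("unknown sku %r" % (item.get("sku"),))
            continue
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            errors.append("bad quantity for %s" % item["sku"])
            continue
        server_total += price * qty
    if server_total <= 0:
        errors.append("amount must be positive")
    elif server_total > MAX_AMOUNT:
        errors.append("amount exceeds limit")

    # Parse what the client claimed. NaN/Infinity are rejected before any
    # comparison, because Decimal raises on ordering comparisons with NaN.
    try:
        client_amount = Decimal(str(order.get("client_amount")))
        if not client_amount.is_finite():
            raise InvalidOperation
    except InvalidOperation:
        client_amount = None
    if client_amount is None:
        errors.append("unparseable amount")
    else:
        if client_amount <= 0:
            errors.append("non-positive amount")       # zero or negative amount
        if client_amount != server_total:
            errors.append("client amount does not match server total")

    if not luhn_ok(str(card.get("pan", ""))):
        errors.append("card number fails Luhn check")
    if not re.fullmatch(r"\d{3,4}", str(card.get("cvv", ""))):
        errors.append("bad CVV format")
    try:
        month, year = int(card["exp_month"]), int(card["exp_year"])
        if not 1 <= month <= 12 or (year, month) < (today.year, today.month):
            raise ValueError
    except (KeyError, ValueError, TypeError):
        errors.append("card expired or bad expiry")

    return (not errors, errors, server_total)


# Constructed sample checkout; the PAN is the well-known Luhn-valid test number.
GOOD_ORDER = {"items": [{"sku": "SKU-100", "qty": 2}], "client_amount": "998.00", "currency": "INR"}
GOOD_CARD = {"pan": "4111111111111111", "exp_month": 12, "exp_year": 2026, "cvv": "123"}

if __name__ == "__main__":
    for label, order, card in [
        ("genuine", GOOD_ORDER, GOOD_CARD),
        ("zero amount", dict(GOOD_ORDER, client_amount="0.00"), GOOD_CARD),
        ("negative amount", dict(GOOD_ORDER, client_amount="-998.00"), GOOD_CARD),
        ("expired card", GOOD_ORDER, dict(GOOD_CARD, exp_year=2023)),
    ]:
        print(label, validate_transaction(order, card, DEMO_TODAY))
```

The point of the design is that the server total is what goes to the gateway; the client's figure only triggers a rejection when it disagrees, which is exactly how a tampered checkout form, a zero-amount order or a negative refund-style amount gets caught before any authorisation request is sent.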


How Payment Gateway Works

Here is how a payment gateway works in an online shopping environment, step by step:

  • A buyer purchases an item and enters the credit card number, the cardholder's name and the CVV on the checkout page.
  • Details of the purchase are sent from the checkout page to the payment gateway for processing.
  • The payment gateway forwards the transaction information to the merchant's bank (the acquiring bank).
  • The whole channel, from the merchant's website to the payment gateway and from the payment gateway to the merchant's bank, is encrypted.
  • The merchant's bank forwards the transaction information to the bank that issued the buyer's card, which decides whether to authorise the transaction.
  • The issuing bank either approves or declines the transaction and sends that decision back to the merchant's bank.
  • If the transaction is approved, the funds are deposited into the merchant's account at a scheduled settlement time.
  • The payment gateway sends the transaction details and the response back to the merchant's website. The merchant should verify that this response is genuine (for example by checking the gateway's signature or hash over it) and that it refers to the expected order and amount before treating the order as paid.
  • The merchant website lets the buyer know whether the transaction was approved or declined.
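As an added example of the round trip above (written for this page; it is not the code or API of Xiarch or of any real gateway), the following simulates the merchant, the gateway and the issuer in one process and concentrates on the last two steps: how the merchant checks the response that comes back before marking an order as paid. The field names, the shared-secret HMAC scheme, the decline rule and the sample orders are constructed assumptions; real gateways each have their own response format and signing method.

```python
"""Simulated checkout -> gateway -> issuer -> merchant round trip, focusing on how the
merchant verifies the response. Added example, not the page's or any gateway's real API.
The field names, the shared-secret HMAC scheme and the decline rule are assumptions."""
import hashlib
import hmac
import json
from decimal import Decimal

MERCHANT_SECRET = b"constructed-demo-secret"  # assumption: provisioned out of band per merchant


def sign(fields: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the response fields."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class SimulatedGateway:
    """Stands in for gateway, acquirer and issuer; the issuer rule is a constructed stand-in."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def issuer_decides(self, amount: str) -> bool:
        return Decimal(amount) <= Decimal("100000.00")   # assumed issuer limit

    def authorize(self, order_id: str, amount: str, currency: str) -> dict:
        self.counter += 1
        resp = {
            "order_id": order_id,
            "amount": amount,
            "currency": currency,
            "status": "APPROVED" if self.issuer_decides(amount) else "DECLINED",
            "txn_id": "TXN%06d" % self.counter,
        }
        resp["signature"] = sign(resp, self.key)
        return resp


class Merchant:
    def __init__(self, key: bytes):
        self.key = key
        self.orders = {}       # order_id -> (amount, currency) as recorded at checkout
        self.seen_txn = set()  # txn_ids already applied, so a replayed response is refused

    def create_order(self, order_id: str, amount: str, currency: str) -> None:
        self.orders[order_id] = (amount, currency)

    def handle_response(self, resp: dict) -> str:
        body = {k: v for k, v in resp.items() if k != "signature"}
        expected = sign(body, self.key).encode()
        got = str(resp.get("signature", "")).encode()
        if not hmac.compare_digest(expected, got):      # constant-time comparison
            return "REJECTED:bad-signature"
        order = self.orders.get(body.get("order_id"))
        if order is None:
            return "REJECTED:unknown-order"
        if (body.get("amount"), body.get("currency")) != order:
            return "REJECTED:amount-mismatch"
        if body.get("txn_id") in self.seen_txn:
            return "REJECTED:replay"
        self.seen_txn.add(body["txn_id"])
        return "PAID" if body.get("status") == "APPROVED" else "DECLINED"


def run_demo() -> dict:
    gw = SimulatedGateway(MERCHANT_SECRET)
    m = Merchant(MERCHANT_SECRET)
    results = {}

    m.create_order("ORD-1", "998.00", "INR")
    genuine = gw.authorize("ORD-1", "998.00", "INR")
    results["genuine"] = m.handle_response(genuine)
    results["replay"] = m.handle_response(genuine)          # same response delivered twice
    results["tampered"] = m.handle_response(dict(genuine, amount="1.00"))  # edited after signing

    m.create_order("ORD-2", "998.00", "INR")
    forged = {"order_id": "ORD-2", "amount": "998.00", "currency": "INR",
              "status": "APPROVED", "txn_id": "TXN999999", "signature": "00" * 32}
    results["forged"] = m.handle_response(forged)           # attacker never had the key

    m.create_order("ORD-3", "150000.00", "INR")
    results["declined"] = m.handle_response(gw.authorize("ORD-3", "150000.00", "INR"))

    m.create_order("ORD-4", "998.00", "INR")                # client altered the amount it sent
    results["client-tampered"] = m.handle_response(gw.authorize("ORD-4", "1.00", "INR"))
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(case, "->", outcome)
```

Three of the rejections are worth noting from an audit point of view: a forged "APPROVED" fails on the signature alone, a validly signed response for the wrong amount (the client changed the figure it submitted to the gateway) fails on the comparison with the merchant's own record, and a replayed response fails on the transaction ID. A merchant integration that performs only the first check, or none of them, is a common finding.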

Why Xiarch?

Xiarch has been a CERT-In empanelled IT Security Auditor since 2012. This is an acknowledgement of Xiarch's technical expertise in information security services such as VAPT, penetration testing and vulnerability assessment. Among our customers we proudly count government organisations, Fortune 1000 companies and countless start-ups. We are also value-added partners, authorised resellers and distributors of leading web application security testing tools.

We are headquartered in Delhi and have branch offices in Gurugram, Mumbai and Chennai, India.

Contact our sales team at +91 11-45510033 for further clarification on the above service; you can also reach us by email at [email protected]. We'll be glad to serve you. Happy Security.
