Money, money, money...

So I'm working for this company that needs an interface written to a credit card clearing facility. The company had already sold the functionality to several customers, but the code that had previously been written was a complete mess and would never have worked, so I set about making it functional. This was a long and tedious process, but I had got to the point of testing it when the company sold the software to another customer and they were pressing to have it deployed.

It struck me that although this was a stupid thing for the company to do it presented me with a testing opportunity because before a system like this goes live you can test the interface using a system at the clearing house so I decided to go for it.

The facility not only allows you to debit a card, but also to credit it. No checks are built in to the system to stop you from crediting a card that hasn't previously been debited. So I start my testing using a credit card number that is past its expiry date and whose number had been recently changed, and I was communicating with a test server at the clearing house. I figure I'm pretty safe: even if the data gets onto a live system the card has expired they'll surely check for that, won't they?

The testing involves going through the various processes and checking the debit and credit work without problem. I'm in the final programmer's test phase before I hand it off to someone else to test to see if I've missed anything and I'm getting bored with the process. So to liven up the testing I decide to start using different amounts. Up to that point I'd been using £5 amounts, but it's no harder to type 50 or 500 or 5000. I decided that just to be on the safe side I'll always credit the card more than I debit it, so if I debit it £50, I'll credit it with £500, I take £500 off and put on £5000, the testing is now marginally less boring.

At this time we ask the clearing house to check the link, they do and give it the all clear. I continue with my testing and everything looks OK. The software produces a report of all transactions processed whenever the clearing house pull the data of the server, the next day I check the system and find that all my transactions have been pulled off for processing. I laugh to myself that it would be funny if the transactions get processed in error and ask the project manager to check to make sure that we are still talking to the test server. He checks and the clearing house tell him that the transactions have all been processed through the live system.

I check the report, I've debited £5000 from the card, but I credited it with £20000, this has gone into my card's account. I've suddenly got a credit of £15000 on my card. Oops.

Now I have to go through some heat, I've got the customers money in effect. The clearing house pays the customer back almost immediately, but they can't get the money back from the credit card company because the card was out of date and the number had changed. The checks I thought would keep me from causing any problems were now preventing the clearing house from getting their money back.

It took several weeks to sort out, I eventually had to write to the credit card company authorising that the money be transferred from the account. It was the only sane part of the whole process. So what went wrong? After the clearing house check the link they assume the system is live. It didn't matter that I had obtained authorisations from the test server, that I was using a card that had expired and had had it's number changed. It didn't matter that there were 30 or 40 transactions against the same card. I found the whole situation laughable. I then wrote an extension to my frontend that checked to see if a debit had been made before a credit was allowed.

After people I knew found out what had happened they all offered me their credit cards for testing, I wonder why?