The OWASP Payment Security Testing Guide (PSTG) aims to establish a standardized framework for assessing the security of digital payment systems, gateways, wallets, and UPI-based platforms.
With the rapid growth of fintech and payment integrations, organizations and developers face unique challenges around transaction integrity, PCI DSS compliance, fraud prevention, and data protection.
PSTG serves as a practitioner-focused guide to help testers, developers, and security teams identify vulnerabilities, design secure payment flows, and validate compliance using structured methodologies.
Most application security testing frameworks (like OWASP ASVS or MASVS) do not deeply cover payment-specific threats such as transaction replay, refund abuse, payment gateway misconfiguration, or merchant key leakage.
The PSTG fills this gap by offering step-by-step testing techniques and security best practices tailored specifically for the fintech ecosystem — spanning cards, UPI, wallets, netbanking, and payment APIs.
The project's objective is to create an open, vendor-neutral, and community-driven guide that helps organizations:
- Secure payment integrations and flows.
- Test digital payment platforms systematically.
- Understand and mitigate payment-specific threats.
- Encourage adoption of security by design in financial applications.

- A detailed guide covering:
  - Payment security fundamentals
  - Threat modeling for payment flows
  - Common vulnerabilities and test cases
  - Secure integration practices (UPI, Cards, Netbanking, Wallets, etc.)
  - Automation and continuous validation approaches
- Reference implementations and examples for testers and developers.
- Periodic releases (PDF/HTML format) available on the OWASP website.
- CTF-style challenges (optional) for hands-on learning.
| Quarter | Milestone | Expected Output |
|---|---|---|
| Q1 | Project setup, GitHub initialization, and team onboarding | Repo live, documentation skeleton ready |
| Q2 | Draft “Threat Modeling” and “Testing Methodology” sections | First preview release (v0.1) |
| Q3 | Add real-world case studies and secure flow diagrams | v0.2 release |
| Q4 | Peer review, refinement, and OWASP publication | v1.0 public release |
We welcome contributors from all backgrounds — whether you’re a developer, tester, researcher, or fintech enthusiast.
You can help by:
- Writing or reviewing guide sections
- Submitting examples or test scripts
- Suggesting enhancements via GitHub issues
See CONTRIBUTING.md for detailed instructions.
This project operates under the OWASP Foundation and aligns with its mission to improve the security of software globally.
Special thanks to the OWASP Project Committee for their continued guidance and support.