Readies Pre-Flight Test Harness · Card PSP (P001…) + Open Banking (OB001…)
R

Readies

PSP Certification Platform

Pre-Flight Test Harness

Two separate certification tracks — Card PSP and Open Banking. Upload docs, paste keys, FETCH, then START TEST.

How PSP certification works

Every partner (card PSP + Open Banking) follows the same path: upload docs → paste keys → FETCH → START TEST → all green → GO LIVE. Certified partners stay visible here so your team can demo the process to colleagues.

Certification workflow

Follow these steps for Clisapay — same process for all future partners.

  1. 1

    Upload API docs

    PDF / TXT from PSP

  2. Paste API keys

    Keys stored on test board

  3. FETCH

    Saved Jul 10, 08:42

  4. 4

    START TEST

    Runs full certification suite

  5. 5

    All tests green

    Export adapter + go-live package

  6. 6

    GO LIVE

    Deploy to Hostinger production

Live checkout (after go-live): POST /api/v1/payments with psp_code=P001 · Return URL: https://checkout.finexeble.com/return?psp_id=P001&order_id={order_id}

Went live (archived from test board)

1

Card PSP Test

P001 Clisapay — card payments, 2D/3DS routing

Setup — Clisapay (P001)

① Upload API documentation

PDF, TXT, or JSON from the PSP

Notes (control room)

Saved on this test app — API doc links, webhook samples, messages

② Paste API keys & settings

Copy from email or .env — one line per key, e.g. CLISAPAY_MERCHANT_KEY=...

✓ Stored on this test board

API keys saved: Jul 10, 2026 08:42

  • API URL (sandbox for certification): https://api.clisapay.com
  • Production API URL: https://api.clisapay.com
  • Payment webhook callback URL template: https://checkout.finexeble.com/webhooks/clisapay/{order_id}/PaymentWebHooks
  • Refund notify URL template: https://checkout.finexeble.com/webhooks/clisapay/{order_id}/RefundWebHooks
  • Merchant number: 301037001
  • Merchant key (default): FI••••OV
  • Visa merchant number: 301037001
  • Visa merchant key: NC••••qp
  • Mastercard merchant number: 301038001
  • Mastercard merchant key: eO••••ct
  • Default currency: USD
  • Referer URL: https://www.finexeble.com
  • Webhook sign secret: FI••••OV

Clisapay

pending

● No tests run yet

P001

0 passed · 0 failed · 82 remaining 0%

All 82 tests must be green first

PSP Certification Checklist

Automated validation — must pass before go-live

  • PCI DSS Compliance

    No PAN/CVV storage; BIN+last4 only in webhooks.

    Not run yet

    Not run
  • Webhook HMAC-SHA256

    Shared secret configured; signature verified on every webhook.

    Not run yet

    Not run
  • BIN + Last 4 in Webhook

    Webhook payload exposes BIN and last4 for routing.

    Not run yet

    Not run
  • 3DS 2.0 Support

    3DS status mapped for Europe/Asia transactions.

    Not run yet

    Not run
  • Geo Auth Strategy

    US routes 2D; Europe/Asia routes 3DS.

    Not run yet

    Not run
  • Return URL PSP ID

    Return URL always includes assigned PSP code.

    Not run yet

    Not run
  • Restricted Countries

    PSP blocked-country list enforced (when applicable).

    Not run yet

    Not run
  • Customer Name Validation

    Latin letters only, min 2 chars, no email in name fields.

    Not run yet

    Not run
01 API Authentication Pending

API key/secret accepted by PSP sandbox.

Not run yet — click Run to check

02 Sandbox Endpoint Reachable Pending

Sandbox API responds within 10s timeout.

Not run yet — click Run to check

03 Production Endpoint Configured Pending

Production URL configured separately from sandbox.

Not run yet — click Run to check

04 TLS / SSL Certificate Valid Pending

HTTPS endpoint uses valid TLS certificate.

Not run yet — click Run to check

05 API Timeout Handling Pending

Requests timeout gracefully after 30s, return Readies error.

Not run yet — click Run to check

06 Rate Limit Handling (429) Pending

HTTP 429 responses retried with exponential backoff.

Not run yet — click Run to check

07 Retry on Transient Errors Pending

5xx errors retried up to 3 times before failing.

Not run yet — click Run to check

08 Health Check Endpoint Pending

PSP status/health endpoint reachable for monitoring.

Not run yet — click Run to check

09 Payment Request → Readies Pending

All inbound payment request fields map to Readies canonical format.

Not run yet — click Run to check

10 Payment Response → Readies Pending

All outbound payment responses use Readies canonical format only.

Not run yet — click Run to check

11 Merchant Reference Mapping Pending

merchant_reference preserved end-to-end, never lost or truncated.

Not run yet — click Run to check

12 Amount in Minor Units Pending

Amount always integer minor units (cents) in Readies format.

Not run yet — click Run to check

13 Currency ISO 4217 Pending

Currency always 3-letter ISO 4217 code (USD, EUR, GBP).

Not run yet — click Run to check

14 Card BIN + Last4 Pending

card_bin (6 digits) and card_last4 present in every payment response.

Not run yet — click Run to check

15 Card Brand Mapping Pending

Card brand (visa/mastercard/amex) mapped to Readies standard values.

Not run yet — click Run to check

16 Payment Status Mapping Pending

PSP statuses map to Readies: pending/authorized/captured/failed/cancelled.

Not run yet — click Run to check

17 Billing Address Mapping Pending

Billing address fields (street, city, zip, country) normalized.

Not run yet — click Run to check

18 Customer Metadata Passthrough Pending

Customer email and custom metadata preserved through normalization.

Not run yet — click Run to check

19 Transaction ID Persistence Pending

PSP transaction_id stored and retrievable for refunds/webhooks.

Not run yet — click Run to check

20 Response Timestamp (ISO 8601) Pending

Every response includes ISO 8601 timestamp.

Not run yet — click Run to check

21 USA → 2D Routing Pending

US-issued cards (country=US) route as 2D — no 3DS challenge.

Not run yet — click Run to check

22 Rest of World → 3DS Pending

All non-US cards route as 3DS with challenge.

Not run yet — click Run to check

23 3DS Challenge Flow Pending

3DS challenge redirect/iframe URL returned correctly.

Not run yet — click Run to check

24 3DS Frictionless Flow Pending

Frictionless 3DS (no challenge) maps to three_ds_status=authenticated.

Not run yet — click Run to check

25 3DS Failed / Abandoned Pending

Failed or abandoned 3DS maps to three_ds_status=failed with clear error.

Not run yet — click Run to check

26 3DS Status Field Mapping Pending

three_ds_status: not_required/challenge/authenticated/failed.

Not run yet — click Run to check

27 EU SCA Compliance Pending

EU cards always trigger SCA/3DS per PSD2 requirements.

Not run yet — click Run to check

28 Auth Mode Switch Per Country Pending

auth_mode correctly set per card country in every response.

Not run yet — click Run to check

29 Direct Sale (Auth + Capture) Pending

Single-step sale transaction completes and normalizes correctly.

Not run yet — click Run to check

30 Auth Only (Pre-Auth) Pending

Authorization without capture — status=authorized.

Not run yet — click Run to check

31 Capture After Auth Pending

Capture on previously authorized transaction — status=captured.

Not run yet — click Run to check

32 Partial Capture Pending

Capture less than authorized amount.

Not run yet — click Run to check

33 Void Before Capture Pending

Void/release authorized funds before capture.

Not run yet — click Run to check

34 Declined Payment Handling Pending

Declined card returns status=failed with mapped error code.

Not run yet — click Run to check

35 Insufficient Funds Pending

Insufficient funds maps to Readies error code payment_insufficient_funds.

Not run yet — click Run to check

36 Expired Card Rejection Pending

Expired card maps to Readies error code card_expired.

Not run yet — click Run to check

37 Invalid Card Number Pending

Invalid card number maps to Readies error code card_invalid.

Not run yet — click Run to check

38 Fraud Block Handling Pending

Fraud-blocked transaction maps to Readies error code fraud_suspected.

Not run yet — click Run to check

39 Webhook Inbound Mapping Pending

PSP webhook payload maps fully to Readies canonical webhook format.

Not run yet — click Run to check

40 Webhook HMAC-SHA256 Signature Pending

Every webhook verified with HMAC-SHA256 before processing.

Not run yet — click Run to check

41 Webhook: payment.success Pending

payment.success event received and normalized correctly.

Not run yet — click Run to check

42 Webhook: payment.failed Pending

payment.failed event received and normalized correctly.

Not run yet — click Run to check

43 Webhook: refund.completed Pending

refund.completed event received and normalized correctly.

Not run yet — click Run to check

44 Webhook: chargeback.opened Pending

chargeback.opened event received and normalized correctly.

Not run yet — click Run to check

45 Webhook Duplicate Idempotency Pending

Duplicate webhook delivery processed only once (idempotent).

Not run yet — click Run to check

46 Webhook Out-of-Order Delivery Pending

Late webhooks (e.g. success after failed) handled correctly.

Not run yet — click Run to check

47 Webhook Retry Tolerance Pending

PSP webhook retries (same payload) handled without duplicate processing.

Not run yet — click Run to check

48 Webhook IP Allowlist Pending

Only accept webhooks from known PSP IP addresses.

Not run yet — click Run to check

49 Full Refund Pending

Full refund request/response normalizes to Readies format.

Not run yet — click Run to check

50 Partial Refund Pending

Partial refund with specific amount normalizes correctly.

Not run yet — click Run to check

51 Refund Declined Handling Pending

Declined refund returns mapped error — not silent failure.

Not run yet — click Run to check

52 Over-Refund Prevention Pending

Cannot refund more than original captured amount.

Not run yet — click Run to check

53 Refund Idempotency Pending

Duplicate refund request returns same result, not double refund.

Not run yet — click Run to check

54 Error Code Mapping Pending

All PSP error codes mapped to Readies standard error codes.

Not run yet — click Run to check

55 Decline Reason Mapping Pending

Human-readable decline reasons mapped to Readies error_message.

Not run yet — click Run to check

56 Network Timeout Error Pending

Network timeout returns Readies error code gateway_timeout.

Not run yet — click Run to check

57 Malformed PSP Response Pending

Invalid JSON/unexpected PSP response handled gracefully.

Not run yet — click Run to check

58 PSP Maintenance / Downtime Pending

PSP downtime returns Readies error code psp_unavailable.

Not run yet — click Run to check

59 Payment Idempotency Pending

Duplicate payment with same idempotency_key returns original result.

Not run yet — click Run to check

60 No PAN Storage (PCI) Pending

Full card number never stored or logged — only BIN+Last4.

Not run yet — click Run to check

61 No CVV Storage (PCI) Pending

CVV/CVC never stored, logged, or included in webhooks.

Not run yet — click Run to check

62 Sensitive Data Masking in Logs Pending

API keys, card data masked in all log output.

Not run yet — click Run to check

63 API Key Scoped Permissions Pending

API key has minimum required permissions only (least privilege).

Not run yet — click Run to check

64 Webhook Secret Rotation Pending

Webhook signing secret can be rotated without downtime.

Not run yet — click Run to check

65 Zero-Decimal Currency (JPY) Pending

JPY and other zero-decimal currencies handled correctly (no ×100).

Not run yet — click Run to check

66 Multi-Currency Support Pending

PSP supports all required currencies (USD, EUR, GBP, CAD, AUD).

Not run yet — click Run to check

67 Minimum Amount Validation Pending

Payments below PSP minimum amount rejected with clear error.

Not run yet — click Run to check

68 Maximum Amount Validation Pending

Payments above PSP maximum amount rejected with clear error.

Not run yet — click Run to check

69 Settlement Report Format Pending

PSP settlement/report data maps to Readies reconciliation format.

Not run yet — click Run to check

70 Transaction ID Matching Pending

PSP settlement txn IDs match stored Readies transaction_ids.

Not run yet — click Run to check

71 Fee Amount Mapping Pending

PSP processing fees mapped to Readies fee_amount field.

Not run yet — click Run to check

72 Daily Reconciliation Export Pending

Daily transaction export available in Readies reconciliation format.

Not run yet — click Run to check

73 Singleton Output Format Pending

Every outbound response uses identical Readies canonical structure.

Not run yet — click Run to check

74 No PSP-Specific Fields Leak Pending

No raw PSP field names exposed to merchant API.

Not run yet — click Run to check

75 Consistent Error Format Pending

All errors use same Readies error structure regardless of PSP.

Not run yet — click Run to check

76 Consistent Success Format Pending

All success responses use same Readies structure regardless of PSP.

Not run yet — click Run to check

77 All 78 Tests Passed Pending

Every single test above has passed — zero failures allowed.

Not run yet — click Run to check

78 Production Credentials Set Pending

Production API keys configured and verified (not sandbox keys).

Not run yet — click Run to check

79 Production Endpoint Live Pending

Production endpoint reachable and responding.

Not run yet — click Run to check

80 End-to-End Test Transaction Pending

Full payment → webhook → refund cycle completed in sandbox.

Not run yet — click Run to check

81 ✅ Live Transfer Gate Pending

ALL gates passed — PSP certified for live transfer.

Not run yet — click Run to check

485 Restricted Countries Enforced Pending

PSP restricted-country list loaded and enforced before payment.

Not run yet — click Run to check

486 Return URL Includes PSP ID Pending

Customer return URL always carries psp_id (P001, P002…) for tracking.

Not run yet — click Run to check

555 Customer Name Validation Pending

Customer first/last names are Latin letters, minimum 2 characters, and never emails.

Not run yet — click Run to check

2

Open Banking Test

OB001 FENA (GB/IE) · OB002 GWP (15 EU countries) — orchestration picks best per country

Setup — FENA (OB001)

Paste FENA toolkit credentials — one line per key.

Click orange FETCH first to unlock START TEST

FENA OB001

0 passed · 0 failed · 45 remaining (0%)

API Authentication

Client ID / secret or API key accepted by OB sandbox.

Sandbox Endpoint Reachable

Sandbox API responds within 10s timeout.

Production Endpoint Configured

Production URL configured separately from sandbox.

TLS / SSL Certificate Valid

HTTPS endpoint uses valid TLS certificate.

API Timeout Handling

Requests timeout gracefully after 30s, return Readies error.

Rate Limit Handling (429)

HTTP 429 responses retried with exponential backoff.

Retry on Transient Errors

5xx errors retried up to 3 times before failing.

Health Check Endpoint

OB provider status/health endpoint reachable for monitoring.

Initiation Request → Readies

OB payment initiation fields map to Readies canonical format.

Initiation Response → Readies

OB initiation response uses Readies canonical format only.

Merchant Reference Mapping

merchant_reference preserved end-to-end, never lost or truncated.

Amount in Minor Units

Amount always integer minor units (cents) in Readies format.

Currency ISO 4217

Currency always 3-letter ISO 4217 code.

Bank Consent Redirect URL

OB consent/bank selection redirect URL returned for customer.

Webhook Inbound Mapping

OB webhook payload maps fully to Readies canonical webhook format.

Webhook Signature Verification

Every webhook verified with HMAC or equivalent before processing.

Webhook: payment.success

Final payment.success webhook received and normalized correctly.

Webhook: payment.failed

payment.failed webhook with clear decline reason — not vague.

Webhook Decline Reason Quality

Failed webhooks include clear human-readable decline reason and category.

Final Status Only (No False Success)

Intermediate/pending OB states must NOT map to success.

Webhook Reference Fields

Webhook contains transaction_id and merchant_reference consistently.

Webhook Duplicate Idempotency

Duplicate webhook delivery processed only once (idempotent).

Webhook Out-of-Order Delivery

Late webhooks (e.g. success after failed) handled correctly.

Webhook Retry Tolerance

OB webhook retries handled without duplicate processing.

Webhook IP Allowlist

Only accept webhooks from known OB provider IP addresses.

Return URL Includes Provider ID

Customer return URL carries provider code (OB001) for tracking.

Payment Status Mapping

OB statuses map to Readies: pending/authorized/settled/failed/cancelled.

Transaction ID Persistence

OB transaction_id stored and retrievable for queries/webhooks.

Payment Status Query

Query OB payment status by merchant_reference or transaction_id.

Initiation Idempotency

Duplicate initiation requests with same idempotency key handled safely.

Response Timestamp (ISO 8601)

Every response includes ISO 8601 timestamp.

Consent Return Handling

Customer return from bank consent flow normalized correctly.

Abandoned Consent Flow

Abandoned or timed-out consent maps to failed with clear error.

Error Code Mapping

FENA error codes map to Readies standard error codes.

Declined Payment Handling

Declined OB payment returns status=failed with mapped error code.

Network Timeout Error

Connection timeout returns gateway_timeout error — not silent failure.

Malformed Response Handling

Non-JSON or invalid OB response handled gracefully.

Sensitive Data Masking

IBAN, account numbers, and secrets never logged in plain text.

Webhook Secret Rotation

Webhook secret can be rotated without breaking verification.

Bank Selection Per Country

OB bank list filtered by customer country when applicable.

Restricted Countries Enforced

OB restricted-country list loaded and enforced before initiation.

Singleton Output Format

Every OB response is a single Readies object — no nested PSP structures.

No Raw PSP Fields Leak

Raw FENA field names never exposed to merchants.

Consistent Success Format

All success responses use identical Readies field structure.

Consistent Error Format

All error responses use identical Readies error field structure.

All Tests Passed (100%)

Every OB test category passed — no exceptions.

Live Transfer Ready

OB provider approved and ready for Hostinger live deployment.