How to test the reliability of payment systems in Malaysia?
Testing the reliability of Malaysia's payment systems requires a systematic assessment across several dimensions: technology, compliance, user experience and security. A step-by-step guide follows:
I. Compliance and Certification Verification
- Regulatory review
  - Confirm that the system holds a payment licence issued by BNM (Bank Negara Malaysia)
  - Check that registration with the FPX clearing network is complete (applies to interbank transfers)
  - Verify PCI DSS Level 1 certification status (for card payments)
- Localisation compliance
  - AML/CFT policy compliance with MAS Part 4
  - Check that SMS two-factor authentication meets the requirements of BNM's e-Payment Guidelines
II. Technical stress tests
- Peak processing capacity
  - Simulate Raya holiday-level traffic (recommended baseline: ≥500 TPS)
  - FPX connection stability testing (focus on monitoring BIMB connection and bandwidth thresholds)
- Multi-channel verification
```python
# Sample API test script (Python `requests`; the original label said Postman, but this is a Python script)
import requests

API_KEY = "[API_KEY]"  # placeholder: supply the sandbox credential for each gateway

# Gateway endpoints as listed in the original text
payment_gateways = [
    "https://api.maybank2u.com.my",
    "https://gateway.cimb.com.my",
    "https://pay.grab.com/my",
]

for gateway in payment_gateways:
    response = requests.post(
        gateway + "/transaction",
        headers={"Authorization": f"Bearer {API_KEY}"},  # the header name is "Authorization"
        json={"amount": 100, "currency": "MYR"},
        timeout=10,  # fail fast instead of hanging on an unresponsive gateway
    )
    assert response.status_code == 200, f"{gateway} failed with HTTP {response.status_code}"
```
III. Security audit points
- Penetration test items
  - MEPS QR code man-in-the-middle attack simulation
  - Boost/GrabPay e-wallet reverse-engineering protection checks
  - Validation of the OTP brute-force protection mechanism
- Data encryption standards (must comply):
  - TLS ≥1.3 (BNM GPI standard)
  - AES-256 encryption of locally stored data
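The OTP item above is easiest to reason about from the defender's side: what the server must do so that guessing a code is not feasible. The block below is an added example, not code from the original answer; it shows the controls a test of the OTP protection mechanism would expect to find (short expiry, single use, an attempt cap with lockout, and a constant-time comparison). The limits (6 digits, 120 s validity, 5 attempts, 15 min lockout), the `FakeClock` helper and the `OtpVerifier` API are assumptions chosen for illustration.

```python
"""OTP verification with brute-force protection (added example; limits are assumptions)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120      # assumed validity window
MAX_ATTEMPTS = 5           # assumed cap before lockout
LOCKOUT_SECONDS = 15 * 60  # assumed lockout length


class FakeClock:
    """Constructed clock so expiry and lockout can be exercised without waiting."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class _Challenge:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class OtpVerifier:
    clock: Callable[[], float] = time.time
    challenges: Dict[str, _Challenge] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def _is_locked(self, user: str) -> bool:
        return self.locked_until.get(user, 0.0) > self.clock()

    def issue(self, user: str) -> Optional[str]:
        """Generate a fresh OTP for `user`; refused while the user is locked out."""
        if self._is_locked(user):
            return None
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # CSPRNG, zero-padded
        self.challenges[user] = _Challenge(code, self.clock())
        return code

    def verify(self, user: str, candidate: str) -> str:
        """Return one of: ok, wrong, expired, locked, no_challenge."""
        now = self.clock()
        if self._is_locked(user):
            return "locked"
        challenge = self.challenges.get(user)
        if challenge is None:
            return "no_challenge"
        if now - challenge.issued_at > OTP_TTL_SECONDS:
            del self.challenges[user]
            return "expired"
        challenge.attempts += 1
        # constant-time comparison: response timing must not leak how many digits matched
        if hmac.compare_digest(challenge.code.encode(), str(candidate).encode()):
            del self.challenges[user]          # single use
            return "ok"
        if challenge.attempts >= MAX_ATTEMPTS:
            del self.challenges[user]          # burn the code and lock the user
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def wrong_guess_for(code: str) -> str:
    """Any value that differs from `code` (for the demo and tests)."""
    return "000000" if code != "000000" else "111111"


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    verifier = OtpVerifier(clock=clock)
    code = verifier.issue("user1")
    for _ in range(MAX_ATTEMPTS):
        print(verifier.verify("user1", wrong_guess_for(code)))   # wrong x4, then locked
    print(verifier.verify("user1", code))                        # locked: even the right code fails
    clock.advance(LOCKOUT_SECONDS + 1)
    print(verifier.issue("user1") is not None)                   # True: lockout has expired
```

Note that once the attempt cap is hit the code itself is discarded, so a late correct guess cannot succeed after the lockout ends; the user has to request a new OTP.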
IV. Scenario-based acceptance test matrix
| Scenario | Success criteria | Test method |
|---|---|---|
| FPX timeout recovery | ≤3 s automatic retry mechanism | Network throttling |
| DuitNow QR interbank scanning | <800 ms response time | Real device farm |
| GrabPay low balance fallback to credit card | Seamless fallback process | UI automation |
V. Special considerations
1. Cross-border scenarios: additional testing of Wise/TNG FX calculation accuracy for cross-border remittances
2. Religious factors: separate testing of the Sharia compliance module is required for Takaful products
A hybrid programme is recommended: 70% automation (LoadRunner/JMeter) + 30% manual testing (focusing on the Malay-language interface UX).
Finally, an assessment document containing the SSAE 18 SOC 2 report should be generated and submitted to the BNM Technical Records Office for archiving. For continuous monitoring, deploy a Prometheus + Grafana dashboard to track monthly availability metrics for major platforms such as Touch 'n Go.
VI. Continuous Monitoring and Performance Benchmarking
1. Real-time monitoring system deployment
- Monitoring of key indicators (recommended thresholds)
  - API success rate ≥99.95% (automatic alert within 5 minutes)
  - FPX clearing delay ≤2 seconds (P99 value)
  - GrabPay/Touch 'n Go e-wallet transaction timeout rate <0.1%
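The stress-test baseline in section II (≥500 TPS) and the monitoring thresholds just listed are the same four numbers seen from two sides: one is checked over a load run, the others over a live window. The block below is an added example, not code from the original answer; it evaluates all four against a constructed transaction log using a nearest-rank P99. The record layout (`TxnRecord`), the `evaluate` API and the sample distribution are assumptions; the thresholds themselves are the ones the text gives.

```python
"""SLO evaluation for a payment-gateway run (added example; record layout is assumed)."""
import math
from dataclasses import dataclass

# Thresholds from the text: (comparison operator, limit)
THRESHOLDS = {
    "tps": (">=", 500.0),           # section II stress-test baseline
    "success_rate": (">=", 0.9995),  # API success rate >= 99.95%
    "p99_latency_s": ("<=", 2.0),    # FPX clearing delay P99 <= 2 s
    "timeout_rate": ("<", 0.001),    # e-wallet timeout rate < 0.1%
}


@dataclass(frozen=True)
class TxnRecord:
    """One gateway call as a load tool or API log would record it (assumed layout)."""
    txn_id: str
    status: str          # "success", "declined", "error" or "timeout"
    latency_s: float     # wall-clock time until the response, or until the deadline hit


def build_sample(n_ok=9997, n_slow=2, n_timeout=1, deadline_s=5.0):
    """Constructed sample run: mostly fast successes, a few slow successes, some timeouts."""
    records = [TxnRecord(f"ok{i}", "success", 0.5) for i in range(n_ok)]
    records += [TxnRecord(f"slow{i}", "success", 1.8) for i in range(n_slow)]
    records += [TxnRecord(f"to{i}", "timeout", deadline_s) for i in range(n_timeout)]
    return records


def percentile(values, p):
    """Nearest-rank percentile (p in 0..1) over a non-empty sequence."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def _passes(op, value, limit):
    return {">=": value >= limit, "<=": value <= limit, "<": value < limit}[op]


def evaluate(records, window_seconds):
    """Return {metric: {"value", "limit", "pass"}} for a run of `window_seconds`."""
    n = len(records)
    if n == 0 or window_seconds <= 0:
        raise ValueError("need at least one record and a positive window")
    metrics = {
        "tps": n / window_seconds,
        "success_rate": sum(r.status == "success" for r in records) / n,
        "p99_latency_s": percentile([r.latency_s for r in records], 0.99),
        "timeout_rate": sum(r.status == "timeout" for r in records) / n,
    }
    report = {}
    for name, value in metrics.items():
        op, limit = THRESHOLDS[name]
        report[name] = {"value": value, "limit": limit, "pass": _passes(op, value, limit)}
    return report


def all_slos_met(report):
    return all(item["pass"] for item in report.values())


if __name__ == "__main__":
    rep = evaluate(build_sample(), window_seconds=10.0)   # 10 000 calls in 10 s
    for name, item in rep.items():
        print(f"{name:15s} {item['value']:.4f}  {'PASS' if item['pass'] else 'FAIL'}")
    print("overall:", "PASS" if all_slos_met(rep) else "FAIL")
```

Timeouts are counted at the client deadline rather than dropped, so a burst of them pushes P99 up as well as the timeout rate; dropping them would make the latency figure look healthier than the customer experience.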
- Tool recommendations
```yaml
# Prometheus alerting rule example (Grafana renders the same metric on the dashboard)
groups:
  - name: fpx
    rules:
      - alert: HighFPXLatency
        # P99 latency from a summary metric: compare the quantile directly rather than
        # applying rate() to it, which would yield a meaningless per-second change
        expr: fpxtransactions_latency_seconds{quantile="0.99"} > 2
        for: 10m
        labels:
          severity: critical
        annotations:
          summary: "FPX clearing delay exceeds threshold"
          description: "Current P99 delay {{ $value }}s"
```
2. SLA compliance validation
Industry benchmarking of mainstream payment channels in Malaysia:
| Provider | Uptime SLA | Max refund time |
|---|---|---|
| Maybank FPX | ≥99.9% | ≤3 working days |
| DuitNow QR | ≥99.8% | Instant |
| Boost Wallet | ≥99.7% | ≤48 hours |
Testing methodology: simulate user requests from each region using third-party monitoring tools (e.g. Pingdom or New Relic).
VII. Special tests for edge cases
Design anomalous scenarios for Malaysia's specific financial environment:
1. Telecommunication network fluctuation simulation
- Celcom/Digi weak-network environment (3G/EDGE): verify the DuitNow QR offline code generation capability
```shell
# Android emulator network throttling: send a console command through adb (EDGE-class link speed)
adb emu network speed edge
# Fully offline variant (the original command): disable mobile data and stop captive-portal probing
adb shell svc data disable && adb shell settings put global captive_portal_mode 0
```
2. Dual-currency scenarios
- For MYR/SGD hybrid settlement, check that the exchange-rate locking logic complies with Chapter 7 of BNM's Guidelines on Cross-Border Payments
3. Special rules for Islamic finance
- Does the e-wallet balance generate "riba" (interest) when not utilised? Sharia audits need to be performed in a sandbox environment
VIII. User behaviour simulation testing
End-to-end process validation using real Malay user profiles:
```python
# Selenium automation script example (with Malay interface detection)
from selenium import webdriver
from selenium.webdriver.firefox.options import Options

options = Options()
options.set_preference("intl.accept_languages", "ms-my")  # force a Malay-language environment
driver = webdriver.Firefox(options=options)


def test_duitnow_transfer():
    driver.get("https://pay.bankislam.com.my")
    assert "Log Masuk" in driver.title  # verify the localised login keyword


try:
    test_duitnow_transfer()
finally:
    driver.quit()
```
IX. Security compliance revalidation checklist
✅ Key rotation cycle required by Appendix C of the BNMFTPSS standard (≤90 days)
✅ Consistency check of the MyKad real-name authentication interface against the NRD database
✅ Whether the GrabPay split feature complies with section 134 of the Financial Services Act 2013
X. Final report output template
```markdown
# Malaysian Payment System Reliability Report

## Executive Summary
[System overview]

## Critical Findings
1. [MySQL deadlock at ≥500 TPS for FPX batch transactions]
2. [Some Digi users in Sarawak experiencing QR code scanning timeouts]

## Compliance Status
✔️ PCI DSS v4.0 Control Objectives [8, 11] passed

## Improvement Plan
Q4 goal: achieve 100 ms response optimisation for Touch 'n Go NFC payment (refer to KLIA measured data)
```
It is recommended that full regression testing be executed quarterly, especially before critical junctures such as Hari Raya or GST policy changes. For banking organisations, a dry run of a BNM surprise audit should also be arranged.