Indonesia Payment System Sandbox Environment and Test Configuration Methods
Indonesia Payment System Sandbox Environment and Test Configuration Methodology Guide
I. Overview of the Indonesian Payment System Sandbox
Indonesia, one of the largest digital economies in Southeast Asia, has a rapidly evolving payment system. To promote fintech innovation, the Indonesian Financial Services Authority (OJK) and the Central Bank (BI) have launched a payment system sandbox environment that allows companies to test innovative payment solutions under controlled conditions.
Sandbox Core Values: The sandbox's value is reflected in three areas: reducing compliance risk, accelerating the product iteration cycle and optimising the user experience. By simulating the real trading environment while isolating the actual flow of funds, companies can safely verify the feasibility of their technology.
II. Conditions and Procedures for Applying for Access to the Indonesian Payment System
2.1 Basic qualification requirements
Applicant organisations are required to meet the following conditions:
- Legally registered financial institutions or licensed fintech companies in Indonesia
- Have a minimum registered capital of Rp 1 billion (approximately US$70,000)
- Have well-established anti-money laundering (AML) and customer identification (KYC) processes
- IT infrastructure compliant with PCI DSS Level 3+ security standards
2.2 API Interface Documentation Access
Developers can access the latest API documentation through the following channels:
- BI-SPSS (Sistem Pembayaran Ritel Nasional) Official Website Download Area
- OJK Fintech Office Offline Application
- Partner Sandbox Provider Portal (e.g. Doku, Midtrans, etc.)
It is recommended that you give preference to official channels for obtaining materials to ensure that the interface version is consistent with the production environment.
III. Steps to Build a Localised Test Environment
3.1 Java/Python Development Sample Code Structure Analysis
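```java
// Java example: basic transaction request class structure
import java.math.BigDecimal;
import java.util.Currency;
// Bean Validation annotations (jakarta.validation.constraints on Jakarta EE 9+)
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Size;

public class IndoPaymentRequest {
    private String merchantCode;   // Merchant ID (MID)
    private String transactionId;  // follows the BI format TRX2023MMDDHHmmssSSS
    private BigDecimal amount;     // BigDecimal avoids floating-point rounding
    private Currency currency = Currency.getInstance("IDR");

    @NotNull
    @Size(min = 16, max = 19)
    private String customerPAN;    // card number must comply with BIN rules

    // Getter & Setter methods omitted...
}
```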
Python developers should pay special attention to dealing with floating point precision:
```python
# Python amount processing best-practice example
from decimal import Decimal

def format_idr_amount(value):
    # Convert via str() so a float's binary representation error is not carried over
    return Decimal(str(value)).quantize(Decimal('0.00'))
```
XML Message Special Requirements
Field name | Mandatory | Format | Remarks |
---|---|---|---|
<merchant_id> | Yes | AN20 characters | Unique identifier assigned by OJK |
<trx_time> | Yes | yyyy-MM-ddTHH:mm:ssZ+07:00 | Time zone must be explicitly declared |
Note: All XML node names must be in lowercase letters.
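The rules in this table can be checked mechanically before a message is sent to the sandbox. The following is an added example, not code from the original guide; the root element name `payment`, the reading of AN20 as up to 20 alphanumeric characters, and the sample messages are assumptions. It also refuses DTD and entity declarations before parsing.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumption: "AN20" means 1 to 20 alphanumeric characters.
AN20 = re.compile(r"[A-Za-z0-9]{1,20}")

def validate_message(xml_text):
    """Return a list of rule violations; an empty list means the message passes."""
    # Refuse DTDs outright so entity-expansion payloads never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD/entity declarations are not accepted"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    errors = []
    for node in root.iter():
        if node.tag != node.tag.lower():
            errors.append(f"node name <{node.tag}> is not lowercase")
    merchant = (root.findtext("merchant_id") or "").strip()
    if not AN20.fullmatch(merchant):
        errors.append("merchant_id missing or not AN20")
    trx_time = (root.findtext("trx_time") or "").strip()
    try:
        parsed = datetime.fromisoformat(trx_time)
    except ValueError:
        errors.append("trx_time missing or not an ISO 8601 timestamp")
    else:
        if parsed.tzinfo is None:
            errors.append("trx_time has no explicit UTC offset")
    return errors

# Constructed sample messages (not real sandbox traffic).
GOOD = ("<payment><merchant_id>MID0000000000000001</merchant_id>"
        "<trx_time>2023-05-01T10:15:30+07:00</trx_time></payment>")
BAD = ("<payment><Merchant_ID>MID-01</Merchant_ID>"
       "<trx_time>2023-05-01T10:15:30</trx_time></payment>")

if __name__ == "__main__":
    print(validate_message(GOOD))
    print(validate_message(BAD))
```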
SSL Certificate Two-Way Authentication Configuration Points
1) Use TLSv1.2 or a later protocol version
```bash
openssl s_client -connect sandbox.bi.go.id:443 -tls1_2
```
2) The certificate chain must contain the following CAs:
- DigiCert Global Root CA
- Entrust Root Certification Authority
3) Set the CRL check interval to no more than 4 hours
Common error: SSLHandshakeException
Troubleshooting steps:
① Confirm that the keystore (JKS/p12) contains the complete certificate chain
② Check the server SNI configuration
③ Verify the local time synchronisation status
QRIS Standard Test Case Design Template
Item | Content |
---|---|
Use case number | Q001-TC003 |
Scenario description | Consumer scans a static QR code to make payment |
Prerequisites | Merchant has activated the QRIS service and the terminal is online |
Procedure | [Consumer] opens the code scanning function of the partner bank's app → [System] parses the QR code and displays the amount → [User] confirms the payment and enters the PIN → [Acquirer] sends an authorisation request to the BI Clearing Centre → [Issuer] returns the approval response code "00" |
Expected results | Time for acquirer to receive clearing notification ≤ 5 seconds; transaction status synchronisation to merchant management back office ≤ 30 seconds; settlement file generation in line with the ISO 20022 standard |
Abnormal flow handling | When the response code "51" (insufficient balance) is encountered, intelligent routing should be triggered to switch to other associated accounts or prompt the user to top up |
Recommended values for pressure test parameters:
- Concurrent users: ≥ 500 TPS for 15 minutes
- Network latency simulation: ≤ 800 ms
- Database connection pool: ≥ 50 active connections
- Performance targets: average response time < 1200 ms; success rate ≥ 99%
IV. Tips for Automated Regulatory Report Generation
Key field mapping relationships
Raw log fields → regulatory report column names:
- transaction_date → TGL_TRANSAKSI (dd/MM/yyyy format)
- customer_id → NIK_KT_PEMBELI (encrypted storage)
- settlement_amount → NILAI_SETEL_IDR (thousands separator)
V. Important Items on the Pre-Launch Compliance Checklist:
□ Completed all BI-MDR rate calculation validations
□ Passed PCI ASV scanning and received proof of compliance
□ Received OJK pre-qualification response for the encryption solution for stored sensitive information
□ Performed at least three full rounds of UAT testing
VI. Indonesian Payment Sandbox Test Data Management Specification
6.1 Test account classification system
The standard test accounts fall into three categories:
- Basic verification accounts: for basic transaction flow validation
  - Fixed balance account (balance always shows Rp 5 million)
  - Zero-balance account (forces the failure scenario)
- Dedicated risk-control accounts
  - High-frequency trading flagged account (limit of 20 transactions per day)
  - AML monitoring account (preset suspicious transaction patterns)
- Special operating accounts
  - Wallet for combined QR code payment
  - Cross-border remittance demo account (supports USD/IDR dual currency)
API Response Code Cross Reference (essential reference for development):
Code | English description | Localised handling recommendation |
---|---|---|
0000 | Success | Show "Transaksi berhasil". |
1003 | Invalid merchant ID | Check MID registration status → retry → switch to manual handling |
Bank not responding within timeout period |
Java/Python Exception Handling Best Practices Examples:
```java
// Intelligent error handling framework for Java
try {
    IndoPaymentResponse resp = gateway.execute(req);
} catch (BIStandardException e) {
    switch (e.getErrorCode()) {
        case "9101": // System maintenance in progress
            logger.warn("Entering degraded mode");
            fallbackService.process(req);
            break;
        default:
            // Any other error code is surfaced as retryable
            throw new PaymentRetryableException(e);
    }
}
```
Python developers should pay special attention to signature verification for asynchronous callbacks:
```python
# Python callback signature check implementation example
import hashlib

def verify_bi_callback(data, signature):
    public_key = load_official_public_key()
    # Digest over the transaction ID and amount
    digest = hashlib.sha256(
        f"{data['txn_id']}{data['amount']}".encode()
    ).digest()
```
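The digest above joins `txn_id` and `amount` with no delimiter, so two different field pairs can produce the same signed bytes. The following added example (not part of the original guide) shows the collision and a length-prefixed canonical form; HMAC-SHA256 with a constructed test key stands in for the public-key verification that the guide's snippet does not show, and all function names here are hypothetical.

```python
import hashlib
import hmac

def naive_digest(data):
    # Same construction as the guide's snippet: fields joined with no delimiter.
    return hashlib.sha256(f"{data['txn_id']}{data['amount']}".encode()).digest()

def canonical_bytes(data, fields=("txn_id", "amount")):
    # Length-prefix each field so field boundaries are part of the signed bytes.
    out = b""
    for name in fields:
        value = str(data[name]).encode()
        out += len(value).to_bytes(4, "big") + value
    return out

def sign_callback(data, key):
    # Stand-in signer (assumption): HMAC-SHA256 over the canonical form.
    return hmac.new(key, canonical_bytes(data), hashlib.sha256).hexdigest()

def verify_callback(data, signature, key):
    try:
        expected = sign_callback(data, key)
    except KeyError:
        return False  # a required field is missing from the callback
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(expected.encode(), str(signature).encode())

# Constructed sample values, not real sandbox data.
TEST_KEY = b"constructed-test-key"
GENUINE = {"txn_id": "TRX1", "amount": "2500"}
SHIFTED = {"txn_id": "TRX12", "amount": "500"}

if __name__ == "__main__":
    # Both pairs concatenate to "TRX12500", so the naive digests are equal.
    print(naive_digest(GENUINE) == naive_digest(SHIFTED))
    sig = sign_callback(GENUINE, TEST_KEY)
    print(verify_callback(GENUINE, sig, TEST_KEY),
          verify_callback(SHIFTED, sig, TEST_KEY))
```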
Golden Rules for Mock Server Configuration
- Delay simulation rules must match actual network conditions
// WireMock simulates Jakarta area latency configuration
{
"request": {"method": "POST", "urlPath":"/api/vqr"},
}