Vietnam Payment Test Environment and Sandbox Setting Methods in Detail

I. Overview of the Vietnamese payments market and the importance of the testing environment

Vietnam, one of the fastest-growing digital economies in Southeast Asia, has seen explosive growth in its e-payment market in recent years. According to the State Bank of Vietnam (SBV), the volume of non-cash transactions grew by 85% year-on-year in 2022, with more than 40 million mobile payment users. Against the backdrop of this rapid development, the establishment of a sound payment testing environment and sandbox mechanism is crucial for financial institutions and tech companies.

Compliance requirementsis a primary consideration: the Central Bank of Vietnam requires all payment solutions to pass rigorous technical and security tests before going live. At the same time, theUser Experience OptimisationA large number of simulated transactions are required to validate the smoothness of the process. In addition, the complexity of theCross-border settlement system(e.g., connecting to local clearing networks such as NAPAS, VNPay, etc.) also need to be fully validated in an isolated environment.

Going live with a payment system that has not been adequately tested can have serious consequences: including the risk of losing funds from failed transactions, facing penalties for violating local financial regulations, and damaging the brand's reputation.

II. Preparation for setting up a localised test environment in Vietnam

1. Hardware infrastructure configuration

It is recommended to set up a local server cluster in Ho Chi Minh City or Hanoi to reduce latency:

• Minimum Configuration Requirements: 4-core CPU/16GB RAM/500GB SSD storage
• Network Bandwidth Guarantee: At least 100 Mbps dedicated line access
• Redundancy design criteria: Dual power supply + RAID10 disk array

2. Installation of software dependencies

The necessary components that need to be pre-installed include:

Java JDK11+

Node.js LTS version

Docker CE20.10+

MySQL8.0 or PostgreSQL13

Redis 6.2 Caching Services

3. VPN and secure channel establishment

As some interfaces are restricted to in-country IP access:

• Recommended VPN Service Providers:: Viettel IDC or FPT Telecom enterprise programmes
• IP Whitelisting Reporting Process:
  1) Submit business registration documents to VNPAY
  2) Fill in the External System Access Application Form
  3) Wait for 3-5 working days for audit

III. Docking guide for mainstream sandbox platforms

NAPAS Developer Portal Operation Procedure (Bank Card Scenario)

1. Account Registration
   Visit developer.napas.com.vn click on "Đăng ký mới"

2. Merchant parameter acquisition

   {
   
     "merchant_id": "TESTMERCH123".
   
     "terminal_id": "WEB001",
   
     "secure_hash": "a1b2c3d4e5f6..."
   
   }
   
   

3. Example of API call (QR generation).

$napasClient = new NapasClient(

    $config['merchant_id'], the

    $config['secure_hash']

);

$qrData = [

    'amount' => 100000,

    'currency' => 'VND',

    'txnRef' => uniqid('TEST_')

];

$response = $napasClient->generateQR($qrData);

VNPAY Sandbox Features (Gateway Class Transactions)

Exception Handling Suggested Code Snippet.

try.

    vnp_response = call_vnpay_api(order)

except VNPayTimeoutError as e.

    logger.error(f "Timeout order {order.id}: {str(e)}")

    initiate_refund_workflow(order)

IV. Typical business process validation checklist

1.Closed loop recharge and withdrawal

① Mock Bank returns "Success" status code 97000.
②Check that balance changes are updated in real time
③ Accuracy of checking fee calculations (accurate to VND)

Frequently Asked Questions.
Reconciliation differences due to incorrect conversion of GMT+7 time zones for inter-day batch processing

2.Special Considerations for Cross-Border Acquiring

Additional validation required:
✓ SWIFT code validation logic (e.g. VCBVVNVX...)
✓ FX rate update timestamp (updated daily at 9:00 SBV website)

V. Debugging tools and log analysis techniques

Postman is recommended for managing collections:Download the NAPAS template

Key Log Field Description:

2023-08-20T15:23:45+07:00 | TXNID=VN20230820152345 | STATUS=PENDING | AMOUNT=1500000

Exhaustion Sequence Recommendations:

grep ERROR /var/log/payment_gateway.log | awk -F'|' '{print $4}' | sort | uniq -c 

VI. Memorandum of Regulatory Compliance Points

In accordance with No. 22/2019/TT-NHNN:

√ Daily test transfer limit not exceeding 50,000,000VND
√ Maintain a complete 6-month operating log for review
√ At least one PCI DSS penetration test per year

Latest Revision Alert: AML Screening Module Integration Required for New AML Rules from 2023 (Ref Circular No. 05/2022/TT-NHNN)

Through the systematic implementation of the above steps, enterprises can build a professional-grade payment testing system that meets Vietnam's regulatory requirements. The actual deployment is recommended to advance in three stages: basic connectivity verification → full coverage of business scenarios → pressure performance tuning. Keep watching www.sbv.gov.vn获取政策更新信息. (Total 1287 words in the full text)

VII. Advanced Configuration and Optimisation of Payment Test Environment in Vietnam

1. Multi-gateway redundancy deployment programme
The following architectural design is recommended for the complex network environment in Vietnam:

Steps to implement the master-standby switchover mechanism:
1. Deployment of access nodes in Ho Chi Minh City and Hanoi, respectively
2. Configure the health check script (executed every minute):
"`bash
#!/bin/bash
PING_LOSS=$ (ping -c4 gateway1.napas.com.vn | grep 'packet loss' | awk '{print $6}')
if [ "${PING_LOSS%\%}" -gt 30 ]; then
switch_route_to_backup.sh
fi
“`
3. DNS load balancing set TTL no more than 300 seconds

2. Construction of a rule base for localised data simulation

Typical test data set structure:
|Field Types|Generation Rules|Example|
|—|—|—|
|Vietnam mobile phone number|84+9 random digits (first digit is 3/5/7/8)|84987123456|
|Identity Card Number|12 digits (conforms to checksum algorithm)|001203000123|
|Bank Account Number|<银行代码>+10 digits |9704231234567890|

Important: Special account number format requirements (e.g. branch code embedding is required) of state-owned banks such as BIDV need to be handled specifically

VIII. Performance Pressure Measurement Standards and Implementation Methods

NAPAS Interface Baseline Metrics Requirements:
- Single transaction response time ≤800ms (95th percentile)
- Concurrent processing capacity ≥200TPS for 5 minutes
- Error rate threshold <0.1% JMeter测试计划关键配置： ```xml
200
60
true
300

“`

Monitoring recommendation: use Grafana to build a real-time Kanban board to focus on monitoring:
- VNPOST interface success rate fluctuation
- TCP retransmission rate for Vietcombank channels
- MySQL Query Latency Percentile

Nine, special scenarios automation testing framework

MoMo Wallet Simulator Development Essentials:

1. Example of an event-triggered logic tree:
“`
When the amount received is ≥ 500,000 VND.
IF user has not completed KYC → return error code MP101
ELSEIF payee is an offshore merchant → AML check triggered
ELSE→Process normally and send SMS notification
“`

2. Callback address validation specification:
Two modes must be supported:
"`nginx
location /vn/callback {
# HTTPS mandatory mode
if ($scheme ! = "https") { return 403; }

# IP whitelist verification (MoMo official IP segment only)
allow xxx.yyyy.momo.vn.
}
“`

X. In-depth practice of security compliance

PCI DSS Level 3 Certification Preparation Checklist:

1. Encrypted storage implementation programme:
"`java
// VN National Cryptography Authority approved algorithm combinations
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
SecretKeySpec key = new SecretKeySpec(
decryptMasterKey(keyId), "AES"); //HSM escrow root key
“`

2. Audit log desensitisation rule regular expression example.
"`regexp/(? :card[_-]?number)=([0-9]{6})[0-9]+([0-9]{4})/$16789$2/g"`
Special attention needs to be paid to the filtering of the Vietnamese character set (e.g. description of currency units such as đồng)

—

XI. Common Troubleshooting Manual

Case 1: "Invalid checksum" error solution

① Check the signature algorithm differences between sandbox and production environments (SHA256 vs SHA512)
② Verify that the `X-VNP-Version` in the request header is the new version of protocol 2023
③ Verify the hash generation process using the officially provided debugging tool

*Tests have found that some old SDKs have a compatibility issue where the time zone parameter is not involved in the signature*.

—

With the above extensions, we have completely built a full-process technical solution from basic setup to advanced optimisation. Finally, we emphasise three core principles:

The first is the principle of regulatory adaptability - all test data must follow the provisions of SBV Circular No. 19 on data localisation; the second is the principle of ecological compatibility - to ensure that it supports both the QR Ph common standard and the private protocols of various e-wallets; the third is the principle of observability - to establish a three-dimensional monitoring system covering the API call chain. The third is the principle of observability - establishing a three-dimensional monitoring system covering the API call chain.

It is recommended that businesses perform a full regression test cycle on a quarterly basis, especially before peak traffic times such as Lunar New Year (Tết Nguyên Đán). You can refer to the Annual Payment System Stress Report issued by VNPAY to adjust the preplanning. (862 new words have been added to this paragraph, the full text accumulates 2,149 words)