Oh man - it was a fun one.
It was a large e-commerce site (African airline) and a small, not well documented payment API from a local African bank. Everything appeared to be working according to the documentation, we had it tested and even had the bank show they’re getting things properly on their end, so we push to prod and relax to watch the cash start rolling in.
The issue was - no cash was rolling in. Within about 12 hours we realized that things were wrong and asked the bank to which they replied “You’re ok, it’s a glitch on our end. We’ll ensure every transaction is paid in full once we fix it on our end. Keep the payment gateway live and don’t worry.” About 72 hours later we get a message of “The charges were all authorized but not captured. Some we can no longer capture since it’s been longer than 24 hours. Sorry.” They then refused to pay for the mistake even though we were assured everything was ok on our end. Some lucky folks got to fly for free that week.
So long story short, ALWAYS authorize AND capture payments. And if you’re integrating with a small bank that doesn’t have well documented APIs, try a few transactions and wait for it to hit the bank account.
That was a fun one, the even MORE fun one was when the dev (before my team was involved) implemented the original external payment gateway and didn’t do a check on the 200(ok) callback from the payment provider for how much the user actually paid. The payment gateway allowed for payment at ATM machines and allowed layaway. That wasn’t communicated to the dev. So he assumed 200(ok) meant everything was paid, not that a payment was made. Someone found this out by going to the ATM and not entering in the last 2 zeros so instead of paying something like $560.00 they paid $5.60 and a few seconds later their ticket was in their inbox. They then proceeded to stand outside the airport and sell tickets to people all week at a “discount” before we could catch them and find out what they were doing.
So lessons are: Auth & Capture and always validate how much was paid to how much is owed!
eCommerce sites aren’t without their share of fun!
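The two checks from the stories above (captured rather than only authorized, and amount paid compared with amount owed) as an added example that is not part of the original post. The callback field names (`txn_id`, `order_id`, `state`, `amount`, `currency`) and the sample values are assumptions, not any real gateway's API.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Order:
    order_id: str
    amount_due: Decimal                            # what the customer owes
    currency: str
    captured: dict = field(default_factory=dict)   # txn_id -> captured amount

    def paid(self) -> Decimal:
        return sum(self.captured.values(), Decimal("0"))


def handle_callback(order: Order, cb: dict) -> str:
    """Return 'fulfil', 'partial' or 'hold' for one gateway callback.

    cb is a hypothetical callback body. An HTTP 200 from the gateway only
    means a message arrived; it says nothing about how much money moved.
    """
    if cb.get("order_id") != order.order_id or cb.get("currency") != order.currency:
        return "hold"                     # wrong order or currency: manual review
    if cb.get("state") != "captured":
        return "hold"                     # authorized-only funds are not collected yet
    try:
        txn_id = cb["txn_id"]
        amount = Decimal(str(cb["amount"]))
    except (KeyError, ArithmeticError):   # missing field or unparsable amount
        return "hold"
    if not amount.is_finite() or amount <= 0:
        return "hold"
    order.captured[txn_id] = amount       # keyed by txn_id: a replay cannot double count
    # Layaway and ATM payments can arrive in parts; release goods only at full payment.
    return "fulfil" if order.paid() >= order.amount_due else "partial"


# Constructed sample callbacks for one 560.00 ticket (not real gateway traffic).
SAMPLE = [
    {"txn_id": "t1", "order_id": "A1", "state": "authorized", "amount": "560.00", "currency": "USD"},
    {"txn_id": "t2", "order_id": "A1", "state": "captured", "amount": "5.60", "currency": "USD"},
    {"txn_id": "t2", "order_id": "A1", "state": "captured", "amount": "5.60", "currency": "USD"},
    {"txn_id": "t3", "order_id": "A1", "state": "captured", "amount": "554.40", "currency": "USD"},
]

if __name__ == "__main__":
    ticket = Order("A1", Decimal("560.00"), "USD")
    for cb in SAMPLE:
        print(cb["txn_id"], cb["state"], cb["amount"], "->", handle_callback(ticket, cb))
```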