Security and readiness
/
Validation and go-live

Validation and go-live

Validation progresses through three stages:

  • sandbox validation
  • controlled production confirmation testing
  • final go-live readiness review

Use Getting started for the overall implementation sequence. Use this guide for the execution details of the validation and go-live stages.

Sandbox validation

Sandbox testing uses a dedicated FINCI test product for card issuance and card management validation.

Authorization simulation is performed in a live remote session with the FINCI onboarding engineer so both sides can verify webhook handling and authorization response behavior.

Sandbox validation steps

Run sandbox validation in the following order:

  1. prepare the sandbox environment, credentials, webhook endpoint, and test data needed for the agreed setup
  2. create the required account record and the related person, corporate, or employee records for the agreed structure, and issue the test card
  3. execute the agreed authorization and transaction scenarios with FINCI onboarding support
  4. capture the resulting API responses, webhook events, and transaction identifiers as evidence
  5. review the results with the FINCI onboarding engineer before treating sandbox validation as complete

Baseline integration validation

Sandbox validation must first confirm the baseline integration path for the agreed setup:

  • create the required account record and the related person, corporate, or employee records for the target structure
  • issue a card in the agreed issuance flow
  • update card status and confirm downstream behavior
  • validate retry handling for repeated webhook delivery

Authorization and transaction lifecycle validation

Sandbox validation must also cover the transaction lifecycle, including:

  • receive an authorization webhook
  • if integrator-managed decisioning is in scope, approve a transaction
  • if integrator-managed decisioning is in scope, decline a transaction
  • receive the follow-up authorization advice with the final decision outcome
  • if integrator-managed decisioning is in scope, observe timeout-safe decline behavior
  • receive clearing for an approved transaction
  • process a reversal
  • process a refund (Return)

Validation evidence and review

Sandbox validation requires the test results to be reviewed and accepted by the FINCI onboarding engineer.

The onboarding review must be supported by test evidence such as:

  • API request and response traces
  • webhook payloads and response logs
  • transaction identifiers and timestamps that allow the tested flow to be traced end to end

This review confirms that the tested flow behaved as expected and that the integration is ready to move to the next stage.

Production confirmation testing

After production access has been granted, confirm production readiness through controlled end-to-end validation in the live environment.

That validation includes low-value production verification transactions (penny tests) to confirm that the production setup works as expected end to end.

These are controlled live-environment verification transactions that use low amounts to confirm that authorization, webhook delivery, and downstream transaction handling work correctly in production.

Production confirmation steps

Run production confirmation testing in the following order:

  1. confirm that production credentials, IP whitelisting, and the live webhook endpoint are in place
  2. execute the agreed low-value live verification transactions
  3. confirm that webhook delivery, authorization behavior, and downstream transaction handling behave as expected
  4. capture the production evidence needed for support and go-live sign-off
  5. review the outcome internally before moving into the final go-live readiness decision

At a minimum, production confirmation must prove:

  • production credentials and IP whitelisting are in place
  • the live webhook endpoint is reachable and responds correctly
  • authorization webhooks reach the integrator environment and return valid responses when integrator-managed decisioning is in scope
  • live transaction processing can be observed and traced correctly

Operational readiness

Confirm operational readiness separately from the transaction proof itself.

Confirm that:

  • if integrator-managed decisioning is in scope, monitoring and alerting can detect timeout risk and decisioning degradation quickly
  • duplicate events do not create duplicate postings or state changes
  • production security controls are in place, including correct handling of environment-specific credentials and secrets
  • operational logging is sufficient for troubleshooting
  • response ownership and escalation paths are defined for decisioning failures and transaction-processing gaps

Final go-live readiness

Before go-live, confirm:

  • sandbox validation has been completed successfully and the test evidence has been reviewed with the FINCI onboarding engineer
  • production confirmation testing has been completed successfully
  • operational readiness checks have been completed
  • support teams know how to trace a transaction end to end
Built with