# Acceptance Criteria: Drop — Fintech Payment App # Acceptance Criteria: Drop — Fintech Payment App > **Project:** Drop — Remittance + QR Payments > **Version:** 1.0 > **Date:** 2026-02-23 > **Author:** John (AI Director) > **Status:** Approved > **Reviewers:** Alem Bašić (CEO) ## Document History | Version | Date | Author | Changes | |---------|------|--------|---------| | 0.1 | 2026-02-23 | John | Initial AC based on integration tests and E2E test suite | --- ## 1. Purpose & Methodology ### 1.1 What Are Acceptance Criteria? Acceptance criteria define the conditions under which Drop features are considered done and accepted by the business. They answer: **"How will we know when this feature is done?"** ### 1.2 Format: Given / When / Then ``` Given [initial context / precondition] When [action or event occurs] Then [expected outcome observed] And [additional chained outcomes] ``` ### 1.3 Categories | Category | Description | |----------|-------------| | **Positive (Happy Path)** | System works with valid inputs | | **Negative (Sad Path)** | System handles invalid inputs gracefully | | **Edge Case** | Boundary conditions | | **Security** | Injection, auth, abuse prevention | | **Compliance** | Regulatory requirements | --- ## 2. Feature Acceptance Criteria --- ### Module: Authentication & Onboarding --- #### Feature: User Registration — 3-step Onboarding (FR-001) **Feature Description:** New residents register via email + DOB validation → OTP → PIN. BankID replaces DOB in Phase 2. **Business Requirement:** BR-001, BR-002 **Linked User Stories:** US-001 **Positive Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-001 | Successful registration | Valid email, password ≥8 chars, Norwegian phone (+47), DOB ≥18 years | User submits registration form | 201 created; user proceeds to OTP step; no password hash in response | | AC-002 | OTP verification passes | Account created; OTP sent to phone | User enters correct 6-digit OTP | User proceeds to PIN setup | | AC-003 | PIN setup completes | OTP verified | User enters and confirms 4-digit PIN | Account activated; JWT cookie set; redirect to dashboard | **Negative Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-004 | Under-18 rejected | DOB indicating age < 18 | User submits registration | 422 with message "Du må være minst 18 år" | | AC-005 | Duplicate email | Existing account for email | User submits same email | 409 "Email already in use" | | AC-006 | Missing required field | Registration form | User submits without first_name | 422 validation error with field details array | | AC-007 | Short password | Password < 8 characters | User submits | 422 "Password must be at least 8 characters" | | AC-008 | Invalid phone format | Non-+47 phone number | User submits | 422 validation error | **Edge Cases:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-009 | Boundary age (exactly 18) | DOB = today minus 18 years exactly | Registration submitted | Account created successfully | | AC-010 | Invalid JSON body | Malformed JSON in request | POST /api/auth/register | 400 "Invalid JSON body" | **Security Acceptance Criteria:** | # | Category | Criterion | |---|----------|-----------| | AC-011 | Auth | Password hash not returned in any API response | | AC-012 | Auth | bcrypt used (hash starts with $2); SHA-256 rejected | | AC-013 | Rate limiting | 10+ registrations from same IP in 1 min → 429 | --- #### Feature: User Login (FR-002) **Business Requirement:** BR-001 **Linked User Stories:** US-002 **Positive Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-020 | Successful login | Registered user with valid credentials | POST /api/auth/login | 200; JWT in httpOnly cookie; user object returned | | AC-021 | Authenticated route access | Valid JWT cookie | GET /api/auth/me | 200; current user object returned | **Negative Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-022 | Wrong password | Registered user | Submits incorrect password | 401 "Invalid email or password" (no enumeration) | | AC-023 | Non-existent email | No account with that email | Login submitted | 401 "Invalid email or password" (same error — no enumeration) | | AC-024 | Rate limiting | 10+ login attempts from same IP in 1 minute | Next attempt | 429 rate limit response | | AC-025 | Missing credentials | Empty email or password | Login submitted | 400 "Email and password required" | **Edge Cases:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-026 | Invalid JSON | Malformed body | POST /api/auth/login | 400 "Invalid JSON body" | --- ### Module: Remittance (Send Money) --- #### Feature: Remittance Transaction (FR-020) **Business Requirement:** BR-003, BR-005 **Linked User Stories:** US-010 **Positive Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-030 | Successful remittance | Authenticated + KYC-approved user; valid recipient; sufficient balance | POST /api/transactions/remittance with amount=1000, currency=RSD | 201; transaction created; fee = 5 NOK (0.5%); transaction in history | | AC-031 | Fee calculation correct | Amount = 2000 NOK | Remittance submitted | fee = 10 NOK; recipient_amount = 2000 NOK (gross) | | AC-032 | Transaction in history | Successful remittance | GET /api/transactions | Transaction appears with status=completed | **Negative Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-033 | Unauthenticated user | No JWT cookie | POST /api/transactions/remittance | 401 Unauthorized | | AC-034 | KYC not approved | kyc_status=pending | Remittance submitted | 403 "KYC verification required" | | AC-035 | Recipient not found | Invalid recipientId | Remittance submitted | 404 "Recipient not found" | | AC-036 | Insufficient balance | Balance < (amount + fee) | Remittance submitted | 402 "Insufficient balance" | | AC-037 | Amount below minimum | amount = 99 NOK | Submitted | 400 "Amount must be between 100 and 50000 NOK" | | AC-038 | Amount above maximum | amount = 50001 NOK | Submitted | 400 validation error | | AC-039 | Invalid amount (NaN) | amount = "abc" | Submitted | 400 "Invalid amount" | **Compliance Criteria:** | # | Category | Criterion | |---|----------|-----------| | AC-040 | AML | Transaction > 50,000 NOK rejected; daily limits enforced | | AC-041 | Pass-through | No `balance` column in users table; DB test verifies absence | --- #### Feature: Exchange Rates API (FR-021) **Positive Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-050 | All rates returned | GET /api/rates | Called | 6 NOK exchange rates returned (RSD, BAM, PKR, TRY, PLN, EUR) | | AC-051 | Single rate returned | GET /api/rates/RSD | Called | NOK→RSD rate returned | | AC-052 | Case insensitive | GET /api/rates/rsd (lowercase) | Called | Same result as /api/rates/RSD | **Negative Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-053 | Unsupported currency | GET /api/rates/XXX | Called | 404 Not Found | --- ### Module: QR Payments --- #### Feature: QR Payment — Consumer (FR-030) **Business Requirement:** BR-004, BR-005 **Linked User Stories:** US-020 **Positive Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-060 | Successful QR payment | Authenticated + KYC-approved user; valid merchantId; sufficient balance | POST /api/transactions/qr-payment with amount=129, merchantId=valid | 201; merchant_fee = 1.29 NOK (1%); transaction created | | AC-061 | Fee calculation | amount = 200 NOK | QR payment submitted | merchant_fee = 2 NOK (1%) | **Negative Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-062 | Invalid merchant | Non-existent merchantId | Payment submitted | 404 "Merchant not found" | | AC-063 | Amount < 1 NOK | amount = 0 | Submitted | 400 validation error | | AC-064 | Missing merchantId | No merchantId in body | Submitted | 400 "Merchant ID is required" | | AC-065 | Unauthenticated | No JWT | Submitted | 401 Unauthorized | --- #### Feature: Merchant Registration + QR Generation (FR-031) **Positive Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-070 | Merchant registered | Authenticated user | POST /api/merchants with business_name, bank_account | Merchant created with unique QR code value | | AC-071 | QR code retrievable | Registered merchant | GET /api/merchants/me | Merchant details + QR code returned | --- ### Module: Security (Cross-cutting) --- #### Feature: Input Validation (FR-001 through FR-080, all) | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-080 | XSS in name field | `` as firstName | Registration submitted | 422 validation error; no script executed | | AC-081 | SQL injection in email | `'; DROP TABLE users;--` as email | Registration submitted | 422 validation error; no DB mutation | | AC-082 | 10KB password | 10,000 character password | Registration submitted | 422 "Password too long" or validation error | | AC-083 | Unicode in name | Bosnian chars (š, đ, ć, č, ž) in name | Registration submitted | 201 created; name stored correctly | | AC-084 | Underage DOB | DOB indicating 17 years old | Registration submitted | 422 age validation error | --- ### Module: Compliance --- #### Feature: PCI-DSS Card Data Protection (FR-080, Cards feature) | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-090 | No CVV in DB | Cards table | DB schema check | cards table has NO `card_number` or `cvv` columns | | AC-091 | No balance in users | Users table | DB schema check | users table has NO `balance` column (pass-through model) | | AC-092 | Only last_four returned | Authenticated user | GET /api/cards/[id] | Response contains `last_four` only; no full card number | --- ## 3. Integration Scenarios | # | Integration | Scenario | Expected Behavior | Test Environment | |---|------------|---------|------------------|-----------------| | INT-001 | Sumsub KYC | KYC webhook callback (approved) | User kyc_status updated to 'approved' | Mock webhook in integration tests | | INT-002 | BaaS PISP | Payment initiation | Transaction recorded; confirmation returned | Mock PISP in NEXT_PUBLIC_SERVICE_MODE=mock | | INT-003 | BaaS AISP | Balance read from bank | User account balance returned from BaaS | Mock AISP service | | INT-004 | Exchange rates | Rate data missing | Error handled gracefully; GET /api/rates/XXX → 404 | Integration test | | INT-005 | BaaS unavailable | BaaS API down | System shows user-friendly error; transaction not created | Mocked timeout in tests | --- ## 4. Non-Functional Acceptance Criteria ### 4.1 Performance | # | Criterion | Target | Test Method | |---|-----------|--------|-------------| | NF-AC-001 | bcrypt hashing time | < 1,000ms | api-benchmarks.test.ts | | NF-AC-002 | Rate limit check time | < 50ms | api-benchmarks.test.ts | | NF-AC-003 | DB SELECT query | < 10ms | api-benchmarks.test.ts | | NF-AC-004 | DB INSERT query | < 20ms | api-benchmarks.test.ts | | NF-AC-005 | 50 concurrent rate limit calls | < 2,000ms total | api-benchmarks.test.ts | ### 4.2 Security | # | Criterion | Target | Test Method | |---|-----------|--------|-------------| | NF-AC-010 | SHA-256 passwords rejected | verifyPassword returns false for SHA-256 hashes | auth.test.ts | | NF-AC-011 | JWT tampered tokens rejected | Invalid signature → exception | auth.test.ts | | NF-AC-012 | Rate limiting blocks after limit | 11th request from same IP → 429 | middleware.test.ts | | NF-AC-013 | Input validation completeness | 10+ validation test cases pass | validation.test.ts | | NF-AC-014 | Foreign key constraints enabled | Sessions cannot be created for non-existent users | db.test.ts | ### 4.3 Compliance | # | Criterion | Target | Test Method | |---|-----------|--------|-------------| | NF-AC-020 | No balance column in users table | users table schema has no 'balance' | db.test.ts | | NF-AC-021 | No card_number/cvv in cards table | cards table has no 'card_number' or 'cvv' | db.test.ts | | NF-AC-022 | Transaction types limited | Only 'remittance' and 'qr_payment' accepted | db.test.ts | --- ## 5. UAT Scenario Mapping | AC ID | AC Description | UAT Scenario ID | Priority | |-------|---------------|-----------------|---------| | AC-001 | Successful registration | UAT-001 | Critical | | AC-004 | Under-18 rejected | UAT-002 | Critical | | AC-020 | Successful login | UAT-003 | Critical | | AC-030 | Successful remittance | UAT-010 | Critical | | AC-060 | Successful QR payment | UAT-020 | Critical | | AC-090 | No CVV in DB | UAT-SEC-001 | Critical | --- ## 6. Traceability to Requirements | AC ID | Acceptance Criterion | FR Reference | BR Reference | US Reference | |-------|---------------------|-------------|-------------|-------------| | AC-001 | Successful registration | FR-001 | BR-001 | US-001 | | AC-004 | Under-18 rejected | FR-001 | BR-002 | US-001 | | AC-020 | Successful login | FR-002 | BR-001 | US-002 | | AC-030 | Successful remittance | FR-020 | BR-003, BR-005 | US-010 | | AC-060 | Successful QR payment | FR-030 | BR-004, BR-005 | US-020 | | AC-090 | No CVV in DB | FR-080 | BR-005, RUL-010 | — | | NF-AC-020 | No balance column | FR-001 | BR-005, RUL-003 | US-001 | > Full traceability matrix: `[requirements-traceability-matrix.md](requirements-traceability-matrix.md)` --- ## Approval | Role | Name | Date | Signature | |------|------|------|-----------| | Author | John (AI Director) | 2026-02-23 | Approved (AI) | | QA Engineer | Validator agent | 2026-02-23 | Approved (AI) | | Product Owner | John | 2026-02-23 | Approved | | AI Director (John) | John | 2026-02-23 | Approved | | CEO (Alem) | Alem Bašić | TBD | |