Here are a couple of security testing services for you .. if the application is not pierced, then the services will be to blame for errors, not you.
And he wants something like, 1 for a link to pay and then by itself .. and the answer can be decided by the answer.

Each payment system has its own interface. You need to contact their customer service of the particular bank where you have an agreement and an account. They also provide for a certain time the opportunity to test the interface with fake data.

You can use ready-made payment systems (for example: Robokassa) or use the payment systems API and do it yourself.
Many payment systems require a personal WebMoney passport.
Payments are accepted by sending a GET / POST request to the system server with certain data. The server gives you the result of the signature (most likely, you will have to generate it again), which is generated from the characteristics you provided to the payment system server. (For example: password + unique key + amount + product number + user ID, all in md5 format)
After the response from the payment system server is received, you encrypt your data according to the same principle that encrypts the payment system server. By comparing these data, you make a conclusion about the correctness of the payment.

This issue is usually solved by any aggregator of payment systems, they usually screen the process of payment and return of the result perfectly, and it is difficult to hack it, choose for yourself purely on the basis of% of the system and type of activity.
There is a comparison here www.seomagia.ru/article/money/payment-aggregators.html though I can’t vouch for the accuracy of the data
+ it’s very easy to embed into the site