Payment gateway explained: from definition to integration options
This is a comprehensive guide to payment gateways: what they are, how they work, the different ways to integrate them into your website or app, and more. If you want to understand payment gateways better, all the answers are here.
What is a payment gateway?
A payment gateway is a technology solution for the secure processing of electronic transactions. It authorises online payments and establishes data transfers between a customer, a merchant, and their banks. But the most critical function of a payment gateway is to protect sensitive customer data such as credit card numbers and secret codes through encryption, tokenisation and other security methods.
Payment gateways were developed specifically for e-commerce and other organisations that accept online payments. They act as an intermediary: they encrypt the information a cardholder enters during checkout, authorise the payment and pass the details between the other parties in the payment process. Where a physical store uses a POS terminal to accept card payments, the gateway fills that role for online transactions.
How does a payment gateway work?
A payment gateway provides a way to process online transactions without the merchant directly handling sensitive customer data, such as credit card information. It passes the customer's encrypted payment details to the appropriate issuing bank or card processor for authorisation. Encryption protects this sensitive data from being intercepted electronically while it travels between the parties.
To authorise the customer's payment, the gateway must connect to the card issuer through an electronic network (like VisaNet or Mastercard SecureCode). The network sends back a response indicating whether the transaction should be approved or declined based on criteria specified by the card issuer's policy. If the transaction is approved, your customer can complete their purchase. The payment gateway then notifies the merchant of the transaction status.
How a payment gateway works step by step
To make the path each transaction takes clearer, let's look at it step by step and find out where the payment gateway steps in.
- A customer makes an order on a merchant's website and enters their credit card details on a checkout page.
- Now, an online payment gateway comes into play. It encrypts the received info and securely sends the merchant's acquirer an authorisation request.
- It also sends a request to the card network serving the cardholder (Visa, Mastercard, or other) to check whether the card is valid and whether there are enough funds to withdraw.
- The card network sends a confirmation to the merchant's acquiring bank via the payment gateway and informs the acquirer of the amount to be debited from the customer's bank account.
- The issuer checks the balance on the customer's card and sends the transaction confirmation to the card network.
- The card network sends the approval to the acquirer and the payment gateway.
- After the transaction is approved, the funds will be debited from the customer's account and credited to the merchant's bank account.
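The flow above, modelled as a small simulation. This is an added illustration, not Corefy's or any gateway's code: the parties, the Luhn check standing in for the network's validity check, the BIN table, the sample card numbers and balances are all constructed, and a real gateway talks only to its acquirer rather than running the network and issuer itself. The point it makes is the data boundary: the merchant hands the card details to the gateway and gets back only a status and the last four digits.

```python
"""Toy model of the card authorisation flow (constructed example)."""
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that a primary account number is well formed."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Issuer:
    """Cardholder's bank: holds balances keyed by PAN and approves or declines."""
    balances: dict

    def authorise(self, pan: str, amount: int) -> str:
        if pan not in self.balances:
            return "DECLINED_UNKNOWN_CARD"
        if self.balances[pan] < amount:
            return "DECLINED_INSUFFICIENT_FUNDS"
        self.balances[pan] -= amount          # hold the funds on approval
        return "APPROVED"


@dataclass
class CardNetwork:
    """Checks the card is well formed, then routes to the issuer by BIN (constructed table)."""
    issuers: dict  # BIN prefix -> Issuer

    def route(self, pan: str, amount: int) -> str:
        if not luhn_valid(pan):
            return "DECLINED_INVALID_CARD"
        issuer = self.issuers.get(pan[:6])
        if issuer is None:
            return "DECLINED_UNKNOWN_ISSUER"
        return issuer.authorise(pan, amount)


@dataclass
class Acquirer:
    """Merchant's bank: forwards the request and credits the merchant account on approval."""
    network: CardNetwork
    merchant_balances: dict = field(default_factory=dict)

    def authorise(self, merchant_id: str, pan: str, amount: int) -> str:
        result = self.network.route(pan, amount)
        if result == "APPROVED":
            self.merchant_balances[merchant_id] = self.merchant_balances.get(merchant_id, 0) + amount
        return result


@dataclass
class PaymentGateway:
    """Receives the raw card details from the checkout page so the merchant never stores them."""
    acquirer: Acquirer

    def checkout(self, merchant_id: str, pan: str, amount: int) -> dict:
        status = self.acquirer.authorise(merchant_id, pan, amount)
        # The merchant gets the outcome and the last four digits, never the full PAN.
        return {"status": status, "last4": pan[-4:], "amount": amount}


def demo() -> dict:
    """Run three constructed checkouts: approved, insufficient funds, malformed card."""
    issuer = Issuer(balances={"4111111111111111": 10_000, "5555555555554444": 1_500})
    network = CardNetwork(issuers={"411111": issuer, "555555": issuer})
    acquirer = Acquirer(network=network)
    gateway = PaymentGateway(acquirer=acquirer)
    results = [
        gateway.checkout("merchant-42", "4111111111111111", 2_500),
        gateway.checkout("merchant-42", "5555555555554444", 2_500),
        gateway.checkout("merchant-42", "4111111111111112", 100),   # fails the Luhn check
    ]
    return {"results": results, "issuer": issuer.balances, "merchant": acquirer.merchant_balances}


if __name__ == "__main__":
    print(demo())
```

Amounts are in minor units (cents), which is how real authorisation messages carry them; keeping money as integers avoids floating-point rounding in fee and settlement arithmetic.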
Why is a payment gateway needed?
The main reason why a payment gateway is necessary is to ensure secure electronic payments for both the customer and the merchant.
An online payment gateway uses encryption and other security measures to protect customer payment information from being intercepted by third parties. It enables merchants to offer customers a range of payment options by securely transmitting payment information to the bank or payment processor.
The payment gateway can also perform additional functions, such as fraud screening, risk management, and reporting to help merchants mitigate fraud and avoid losses.
How does a payment gateway make money?
A payment gateway makes money by charging fees for transaction processing. In general, there are two kinds of fees:
- Transaction fees are charged as a percentage of the transaction amount and cover the payment processing costs. The amounts can vary depending on the payment method used, the type of transaction, and the country where the transaction occurs.
- Fixed fees cover the costs of maintaining the payment gateway infrastructure, including servers, security, and compliance.
Payment gateways may also charge additional fees for services such as chargeback management, fraud prevention, recurring billing, analytics, reporting, and integration with other online business systems.
Take a look at the fees that some popular payment gateway service providers charge as of February 2023.
| Payment gateway service provider | Transaction fees |
|---|---|
| Stripe | 2.9% + $0.30 |
| PayPal | 3.49% + $0.49 |
| Braintree | 2.59% + $0.49 |
| Square | 2.9% + $0.30 |
| Authorize.net | 2.9% + $0.30 |
Payment gateways charge three main types of credit card processing fees: interchange fees, assessment fees, and processing fees. Let’s learn more about each one.
Interchange fees are also known as issuing bank fees. They consist of financial risk charges and fixed business costs, which apply to every card transaction and account for the largest share of all card processing costs.
Payment networks like Mastercard and Visa set interchange fees and revise them twice per year. They vary depending on numerous factors, including card network, card type (credit or debit), payment flow (online transaction, swiping the physical card at point-of-sale terminals, mobile payment), merchant category code (MCC), and others.
Assessment fees, also called dues and assessments or card association/network fees, are paid by payment processors to the card networks. These fees are calculated based on the total monthly transaction volume and range between 0.09% and 0.15%, with an additional percentage charged on international transactions.
Processing fees are what merchants pay their payment processors for using the software and their services. They’re often referred to as provider markup and typically are charged per transaction or once a month. They can be calculated as a percentage, fixed, or combined.
Payment gateways may have various charges, from setup and monthly fees to chargeback and PCI compliance fees.
The role of a payment gateway in payment processing
The term ‘payment gateway’ has become somewhat of a buzzword in recent years. But frequently, people misuse the term, confusing it with other payment industry concepts.
We’ve created this table to clarify the picture and help you navigate the complex world of payment solutions and market actors.
| Term | What it is |
|---|---|
| Payment service provider (PSP) | A financial institution that may provide businesses with a payment gateway, payment processing, and a merchant account |
| Payment gateway | Software that collects, verifies and transmits customers' payment details |
| Merchant account | A business account at an acquiring bank or a PSP where a merchant's funds are deposited for completed transactions |
| Payment processor | A solution that connects a merchant, card networks and banks to ensure that the merchant receives the funds from sales |
| Payment aggregator | A payment service provider that signs up merchants under its own MID |
| Payment facilitator (PayFac) | A payment service provider that gives merchants their own MID under a master account |
Read on as we dive deeper into the differences between a payment gateway and a merchant account, payment service provider, payment processor, payment aggregator, and payment facilitator.
Payment gateway vs merchant account
An online payment gateway and a merchant account are the backbone of any e-commerce business. You'll need both if you want to accept and process online payments. Many merchants mistakenly believe they can choose one of the two for processing transactions, but this isn't the case.
A gateway is responsible for authorising, encrypting and transferring online payments, while a merchant account is where your funds are deposited after the transaction is completed. Once the payment is approved and fees are deducted, the money is transferred to your primary bank account.
To open a merchant account, you usually need to enter into an agreement with an acquirer. But most e-commerce merchants choose a more convenient option — contracting with companies offering all-in-one payment processing solutions.
Payment gateway vs payment service provider
These terms are often used interchangeably because the payment gateway and payment service provider are frequently the same company. However, these terms have different meanings.
A payment service provider (PSP) is a financial institution that links merchants with card networks and processors for payment card processing. A PSP provides a merchant account and payment gateway for collecting and managing payments.
Payment gateway vs payment processor
Similarly, a payment gateway is often confused with a payment processor since the same company can provide these two functionalities.
To draw the line, a payment gateway is a tool that collects, verifies and transmits a customer's credit card information to the payment processor.
In turn, the payment processor is responsible for communicating between merchants, credit card networks and banks to ensure merchants receive money from their sales.
Payment gateway vs payment aggregator
As with a PSP, the key difference between a payment aggregator and a payment gateway is that the first is an institution, while the second is software.
A payment aggregator is a payment service provider allowing merchants to process payments without opening their own merchant account (MID). It works using one 'umbrella' MID that enables merchants to open sub-accounts underneath it to receive and make payments.
Payment gateway vs payment facilitator
The term 'payment facilitator' is more similar to the term 'payment aggregator' we've just looked at. As we already know how an aggregator differs from a payment gateway, let's focus on the critical difference between an aggregator and a facilitator.
The facilitator is also a payment service provider that enables payment processing for merchants that do not have a separate merchant account. But unlike an aggregator, which signs up merchants directly under its own MID, a facilitator provides merchants with their own MID under a master account.
How to get a payment gateway?
When it comes to setting up a payment gateway for your business, you have a few options to choose from. These are third-party providers, in-house development, and white label payment gateways. Let’s learn more about each option.
One of the most common ways to set up a payment gateway is to partner with a third-party solution provider. It is a popular option among businesses of all sizes because it is easy to set up and requires minimal technical knowledge while giving access to various payment processing capabilities and additional features.
However, businesses that work with third-party payment gateway providers have little control over the payment process, which can result in a lack of branding opportunities and lower revenue due to high transaction fees. Additionally, third-party providers may have specific restrictions on the types of businesses they work with and limitations for turnover sizes, chargeback rates, transaction quantity or amounts, etc.
For businesses with the technical expertise and resources, developing an in-house payment gateway can offer greater control over the payment process, more branding opportunities, and potentially lower transaction fees. Developing an in-house payment gateway involves creating a custom solution with the business's specific needs in mind.
To create a payment gateway from scratch, businesses must understand programming languages, security protocols, and regulations. They also must obtain a merchant account and comply with Payment Card Industry Data Security Standards (PCI DSS) requirements.
Despite the benefits of in-house development, it can be costly and time-consuming. Developing a minimum viable product (MVP) payment gateway can cost $200k or more, and the time required can range from several months to a couple of years, depending on the complexity of the project, the size of the development team, and the features required.
How to create a payment gateway step-by-step
- Obtain a merchant account with a payment processor to process payments. This involves a review of your business model, business plan, payment card processing history, etc.
- Determine what features you need in your payment gateway, the types of payment methods you want to accept, and so on; in other words, define the requirements. You will need to understand payment protocols such as 3D Secure and EMV, the card storage security required by PCI DSS, error handling, and much more.
- Develop the architecture of your future software based on your requirements and choose the relevant approach. Then, select a programming language and framework well-suited to payment processing, such as Java, .NET, or PHP. The main criteria for the optimal choice are suitability for implementing your architecture, reliability, and development and maintenance costs.
- Develop software that meets the requirements. Implement the needed security measures such as encryption, tokenisation, and two-factor authentication. Ensure the software is scalable and can handle large volumes of payment transactions while maintaining performance and security. It should be able to integrate with your website or mobile app and communicate with your payment processor.
- Design and develop a payment page, a customer-facing element of the payment process. It must have an intuitive and user-friendly interface that makes it easy for customers to make payments. Additionally, provide support for multiple languages and currencies.
- Thoroughly test your payment gateway and payment page to ensure they meet your requirements and function as expected. Once satisfied, you can deploy your solution and start working with it. Then, you need to handle maintenance, monitoring, and necessary updates.
- To accept credit card payments, you'll deal with sensitive customer information, so it is essential to comply with PCI DSS. You should undergo regular security audits and testing to maintain compliance and ensure the safety of customer data.
White label payment gateway
A white label payment gateway is a compromise between using a third-party provider and developing the payment gateway in-house.
A white label payment gateway is also a third-party solution, but it is highly customisable to fit your brand, website design, and business model. This option offers businesses greater control over the payment process, more branding opportunities, and potentially lower costs. But unlike in-house development, it doesn't require technical expertise and resources on your side.
Consider Corefy’s white label payment gateway
Corefy's white label payment gateway gets you online with a scalable technical infrastructure that we enhance and maintain for you.
Here are the most common reasons why clients choose us:
- A dedicated payment team sharing the payment expertise to help clients achieve their business goals faster. With us, you can concentrate on your key competence and grow your business, leaving all technical matters to our professionals.
- New integrations with payment providers go live on our platform every day. Aside from 300+ ready-made integrations, we have a network of 650+ payment partners and can connect you with any of them.
- The ability to make all day-to-day operations, settings, routing and payment flow configurations across different providers from a single, convenient Dashboard.
- Full compliance with PCI DSS.
- The solution's price is equivalent to one coder's salary. You won't face any additional infrastructure costs.
How to choose the best payment gateway?
Now that we know about the three ways to get a payment gateway, let's explore the key characteristics a payment gateway should have to serve your business well. They will help you draft requirements for in-house development or serve as a checklist for choosing a third-party or white label solution. Some of the points may be less relevant to your business model, but the information below is a good starting point for understanding what to look at when choosing a universal payment gateway.
Support for multiple payment methods
When customers reach checkout on your website, they want to see the online payment options they're used to. If they don't see one of those options, it may result in lost sales for you. That's why your success largely depends on the availability of payment methods on your website that your gateway should support. Besides supporting the top global card brands, look for popular mobile wallets like Apple Pay and Google Pay, as well as cryptocurrency options like Bitcoin or Ethereum.
The checkout, or payment page, is the most critical customer-facing element of the payment process, affecting customer satisfaction and conversion rates. The most advanced solutions support personalisation features, showing customers the payment methods they are likely to use, or used last time, at the top of the list and letting them pay instantly in one click.
The payment page should also be integrated into your website correctly to avoid basic UX errors such as the page closing on a misclick. UX writing matters, too: error messages should be clear enough for a customer to fix the issue where possible.
Security and compliance
When choosing a payment provider and gateway, selecting one compliant with security standards like PCI DSS, GDPR, and other regulations is vital. The service provider should also have all necessary hardware and software for fraud prevention, tokenisation, encryption, masking, data protection, etc. The company's status page can also be a good indicator of its reliability.
We'll take a closer look at payment gateway security measures in a dedicated section of this article.
Unfortunately, no technical system is 100% immune to failures and malfunctions. However, if your payment service provider ensures timely and competent support, such issues are resolved promptly and will not affect your customers' overall payment experience.
Besides, even if everything works properly, you may need help configuring something or getting particular data. That's why the availability of customer support through various channels is a must.
Naturally, integrating and configuring a payment gateway will come with a cost. Apart from this, the provider will also charge various fees for their services, such as transaction processing fees, chargeback fees, recurring monthly fees, currency conversion fees, etc. Check and estimate these expenses before signing a contract.
Key requirements for payment gateways by industry
We now know the main things to consider when choosing the best payment gateway. Still, the essential requirements vary from industry to industry, so in this section we highlight the most critical payment gateway functionality for different sectors.
A payment gateway used by crypto businesses should be able to accept a variety of cryptocurrencies to enable customers to pay using their preferred digital currency. It should also be able to process transactions quickly to avoid delays in completing transactions.
A payment gateway for forex businesses should support a variety of currencies and methods to enable customers to make deposits and withdrawals the preferred way. Besides, it should be able to integrate with popular trading platforms.
The most important thing in a payment gateway for payment institutions is compliance with relevant regulatory requirements, KYC and AML regulations, and a high level of security. Such gateways should also be able to integrate with banking systems.
A payment gateway should offer customisable payment solutions to enable ISO/MSPs to tailor their services to meet the unique needs of their clients. Similarly to payment institutions, ISO/MSPs require their payment partners to be fully secure and compliant.
For e-commerce, the payment page and process should be intuitive and user-friendly. A payment gateway must offer e-commerce merchants a variety of payment options. The fees a gateway charges are also very important, as e-commerce merchants strive to optimise costs.
Gambling & betting
It is vital for gambling and betting to comply with the regulation in their jurisdictions, so the payment partner should facilitate it. Another major payment challenge for gambling and betting businesses is fraud. That’s why a payment gateway for these industries should have antifraud solutions in place.
High-risk businesses face chargebacks more frequently than low-risk ones, so their payment gateway needs to have chargeback management tools and policies in place. Many high-risk merchants also operate multiple merchant accounts at different vendors, so connecting all accounts to a single gateway is convenient.
The SaaS business model usually implies subscriptions, so a payment gateway for this industry should be able to process recurring payments using tokenised payment details. It’s also beneficial for SaaS if the payment solution integrates with popular subscription management software.
Events and tickets
Such businesses need integrations with popular ticketing platforms to enable customers to purchase tickets easily. Besides, for some events, hundreds of tickets can be sold out within hours, so the payment gateway should ensure continuity of operations during peak times.
Games & e-sports
Many e-sports businesses and gamers accept donations, so the payment gateway needs to support the functionality required and be able to process online payments of arbitrary amounts. For in-app purchases in games, checkout personalisations and ‘Remember me’ functionality are invaluable, as well as the support of one-click payments.
Is the payment gateway safe?
Payment gateways deal with sensitive customer information, such as credit card details and other payment data. That's why they are regulated and implement various security measures to protect customers and merchants from fraud, data theft, and losses. Below you'll find information about these measures.
Data encryption is a method of protecting sensitive data by transforming it into unreadable ciphertext. Cardholder data is secured using a combination of symmetric and asymmetric cryptographic algorithms. All data is managed using multiple encryption keys with split knowledge and dual control, so no single person holds a complete key. Thus, thieves cannot make use of information stolen from the database without the corresponding keys.
The Transport Layer Security (TLS) protocol protects payment data in transit by establishing a secure connection between the client's browser and the server. HTTPS is HTTP carried over TLS; it prevents interception of data on the wire and, through certificate validation, protects against redirection to fraudulent resources.
Tokenisation replaces sensitive data with a token, a unique digital identifier used in different types of transactions. The token can later be used to retrieve the original data. Tokenisation enables merchants to securely pass customers' data to payment service providers without exposing it to hackers or cybercriminals.
3D Secure (3DS) is a security protocol designed to ensure that the shopper using a card to pay for goods on the merchant's website is the actual cardholder. This is achieved by prompting the cardholder to pass 3D Secure authentication.
The 3D Secure technology minimises card fraud risks for merchants since the issuing bank is responsible for the transactions performed with this type of verification. All the authentication data provided by the customers is stored on the payment server of the issuing bank.
PCI DSS compliance
The largest card networks have developed the PCI DSS standard, which contains 12 requirements covering all aspects of payment data protection, including procedures for handling data breaches, encryption protocols, and logging of access attempts. Compliance with PCI DSS is not a one-time event but an ongoing process of tracking operations, testing security systems, maintaining an information security policy, and passing annual audits.
Masking is a simple security method that replaces the original data with substitute values, such as nulls, constants or realistic-looking synthetic values that keep the structure of the real data. There are two types of masking: static data masking (SDM) and dynamic data masking (DDM). SDM permanently replaces the data in a copy of the dataset, so the original values cannot be recovered from that copy; it is particularly useful for testing or quality assurance because it prevents sensitive data disclosure while preserving the data's analytical value. DDM masks data on the fly when it is read, so authorised users see the original values while unauthorised users see them masked; this is what enables secure data display, e.g. showing only the last four digits of a credit card number on screen rather than all 16 digits.
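The measures just described (split-knowledge key components, tokenisation, and static versus dynamic masking) in one runnable illustration. This is an added example, not Corefy's or any vendor's code: the token vault, the role names, the two key components and the sample records are constructed, and the HMAC-SHA256 keystream cipher is a stand-in for a real authenticated cipher such as AES-GCM from a vetted library, used only so the block runs with the standard library.

```python
"""Tokenisation, split-knowledge keys and masking for cardholder data (constructed example)."""
import hashlib
import hmac
import os
import secrets


def combine_key_components(*components: bytes) -> bytes:
    """Split knowledge / dual control: each custodian holds one component and the
    working key exists only when all components are XORed together."""
    key = bytes(len(components[0]))
    for comp in components:
        if len(comp) != len(key):
            raise ValueError("key components must have equal length")
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC(key, nonce||counter) blocks XORed with the data.
    Stand-in for an AEAD; it gives confidentiality only, no integrity."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class TokenVault:
    """Maps random tokens to encrypted PANs; the merchant stores only the token."""

    def __init__(self, key: bytes):
        self._key = key
        self._store: dict[str, tuple[bytes, bytes]] = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(12)        # random, not derived from the PAN
        nonce = os.urandom(16)
        self._store[token] = (nonce, _keystream_xor(self._key, nonce, pan.encode()))
        return token

    def detokenise(self, token: str, caller_role: str) -> str:
        """Only the component that forwards the PAN to the processor may detokenise."""
        if caller_role != "processor-link":
            raise PermissionError("role %r may not detokenise" % caller_role)
        nonce, ciphertext = self._store[token]
        return _keystream_xor(self._key, nonce, ciphertext).decode()


def mask_pan(pan: str) -> str:
    """Display masking: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


def static_mask(records: list[dict]) -> list[dict]:
    """Static data masking: a test/QA copy where each PAN is replaced by a random
    stand-in. The same PAN maps to the same stand-in so joins still work, and the
    mapping is discarded on return, so the copy cannot be reversed."""
    replacement: dict[str, str] = {}
    masked = []
    for rec in records:
        if rec["pan"] not in replacement:
            replacement[rec["pan"]] = "masked_" + secrets.token_hex(8)
        masked.append({**rec, "pan": replacement[rec["pan"]]})
    return masked


def dynamic_mask(record: dict, role: str) -> dict:
    """Dynamic data masking: same stored record, masked on read unless the role is privileged."""
    if role == "fraud-analyst":
        return dict(record)
    return {**record, "pan": mask_pan(record["pan"])}


def demo() -> dict:
    """Exercise every function on constructed data and return the outcomes."""
    comp_a = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # custodian A's component
    comp_b = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)   # custodian B's component
    vault = TokenVault(combine_key_components(comp_a, comp_b))
    pan = "4111111111111111"
    token = vault.tokenise(pan)
    try:
        vault.detokenise(token, "checkout-ui")
        denied = False
    except PermissionError:
        denied = True
    records = [{"id": 1, "pan": pan}, {"id": 2, "pan": "5555555555554444"}, {"id": 3, "pan": pan}]
    return {
        "key": combine_key_components(comp_a, comp_b),
        "token": token,
        "stored_ciphertext": vault._store[token][1],
        "roundtrip": vault.detokenise(token, "processor-link"),
        "denied": denied,
        "static": static_mask(records),
        "agent_view": dynamic_mask(records[0], "support-agent"),
        "analyst_view": dynamic_mask(records[0], "fraud-analyst"),
    }
```

Two design points worth noting: the token is random rather than a hash of the PAN, because the PAN space is small enough that a hash can be brute-forced, and the static copy uses random replacements for the same reason.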
How to integrate a payment gateway?
A payment gateway integration is the process of connecting a website or application to payment software for transaction processing. Common integration options include using plugins, APIs, and SDKs.
Plugins are pre-built software components that can be added to a website or an e-commerce platform like WordPress, Wix, or Shopify. Plugins make integrating a payment gateway with your website much easier, as you only need to install the plugin and configure the necessary settings.
The steps to integrate a payment gateway using plugins are generally the following:
- Research and choose a payment gateway offering a plugin for your e-commerce platform. Go to the provider's website and download the plugin.
- Log in to your e-commerce platform's admin dashboard, navigate to the plugin installation page and upload the plugin file. Activate it.
- Go to the plugin settings page. Enter the API key, secret key, and other required details provided by the payment gateway. Set up the payment options you want to offer and configure any additional settings the plugin supports.
- Test the integration to ensure it's working correctly.
Things worth knowing about payment gateway plugins:
- Plugins can be developed not only by the payment gateway provider but also by a third-party developer. However, it’s risky to use such options.
- Plugins often provide a user-friendly interface for setting up the integration and managing payment settings.
An API (Application Programming Interface) is a set of protocols used for communication between software. Payment gateway integration via API requires a developer to write code that interacts with the payment gateway's API.
Here are the steps for integrating a payment gateway using API:
- Research and choose a payment gateway offering a well-documented API. Create an account with the payment provider and obtain an API key or authentication token.
- Test the payment gateway API using Postman or another API client tool to ensure it works appropriately and covers all your use cases.
- Write code to make API requests for payment processing. Handle error responses and provide appropriate error messages to the user.
- Test your code to ensure your integration works properly. You can use dummy credentials to test the transaction flow from start to finish.
Things worth knowing about payment gateway APIs:
- Payment gateway APIs typically use REST (Representational State Transfer) or SOAP (Simple Object Access Protocol) protocols for communication.
- Developers must use an API key or authentication token to access the payment gateway's API.
- Some payment gateways will assign you an account manager or support specialist to guide you through the onboarding process, help with documentation, and assist with the API integration itself.
An SDK (Software Development Kit) is a set of development tools that enable developers to create applications for a specific software or platform. Integration using an SDK involves incorporating the SDK provided by the payment gateway into the website or application. The SDK offers pre-built code libraries, making the payment gateway integration much easier than a direct API integration. The main advantages are simpler development and maintenance.
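The API integration steps above (obtain a key, call the API, handle error responses with user-appropriate messages, test with dummy credentials) as a small client. This is an added example, not any provider's SDK: the endpoint `https://api.example-gateway.test/v1/authorisations`, the request and response fields (`card_token`, `decline_code`, `status`), the HTTP status conventions and the decline codes are assumptions standing in for whatever your gateway's documentation specifies. The transport is injectable so the flow can be tested offline with canned responses, which is what the "dummy credentials" step amounts to in code.

```python
"""Hypothetical payment-gateway REST client (constructed example)."""
import json
import os
import urllib.error
import urllib.request
import uuid


class GatewayError(Exception):
    """Failure the customer cannot fix; the message is safe to display."""


# Constructed mapping from assumed gateway decline codes to customer-facing text.
# Raw error bodies never reach the customer: they can leak internals.
USER_MESSAGES = {
    "insufficient_funds": "Your card was declined. Please try another payment method.",
    "card_expired": "This card has expired. Please use a different card.",
    "do_not_honor": "Your card was declined. Please contact your bank.",
}


def _http_transport(url, headers, body, timeout=10):
    """Default transport: POST JSON over HTTPS, return (status, parsed body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class GatewayClient:
    def __init__(self, api_key, base_url="https://api.example-gateway.test/v1",
                 transport=_http_transport):
        if not api_key:
            raise ValueError("API key missing; load it from the environment or a secret store")
        self._api_key = api_key
        self._base_url = base_url
        self._transport = transport

    def authorise(self, card_token, amount_minor, currency, idempotency_key=None):
        """Authorise a payment for a tokenised card. Raw PANs are refused so this
        server stays out of the card-data flow (assumed client-side tokenisation)."""
        if card_token.isdigit():
            raise ValueError("refusing to send a raw card number; tokenise it first")
        if amount_minor <= 0:
            raise ValueError("amount must be a positive number of minor units")
        idem = idempotency_key or str(uuid.uuid4())   # lets a retry not double-charge
        headers = {
            "Authorization": "Bearer " + self._api_key,
            "Content-Type": "application/json",
            "Idempotency-Key": idem,
        }
        body = json.dumps({"card_token": card_token, "amount": amount_minor,
                           "currency": currency}).encode()
        status, data = self._transport(self._base_url + "/authorisations", headers, body)
        if status == 200 and data.get("status") == "approved":
            return {"ok": True, "authorisation_id": data.get("id"), "idempotency_key": idem}
        if status == 402:   # declined: map the code to text the customer can act on
            code = data.get("decline_code", "")
            return {"ok": False, "decline_code": code, "idempotency_key": idem,
                    "message": USER_MESSAGES.get(code, "Your card was declined.")}
        if status in (401, 403):   # our credentials, not the customer's problem; log, don't expose
            raise GatewayError("Payment service is misconfigured; the operator has been notified.")
        if status >= 500:
            raise GatewayError("Payment service is temporarily unavailable; please retry.")
        raise GatewayError("Unexpected response from payment service (%s)." % status)


if __name__ == "__main__":
    # Key comes from the environment (assumed variable name), never from source code.
    client = GatewayClient(os.environ.get("GATEWAY_API_KEY", ""))
    print(client.authorise("tok_example", 2_500, "EUR"))
```

Reusing the same `Idempotency-Key` on a retry is what makes it safe to resend an authorisation after a timeout; without it, a customer whose first request actually succeeded can be charged twice.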
Here are the steps for integrating a payment gateway using SDK:
- Select a payment gateway with a well-documented SDK compatible with your website or app and create an account. The payment provider will give you an API key or authentication token.
- Download and install the SDK library and initialise the SDK with the API key or authentication token provided by the payment gateway. Use the pre-built functions and modules provided by the SDK for payment processing. Handle exceptions and provide appropriate error messages to the user.
- Place a test order using the payment gateway SDK to ensure everything works properly.
Things worth knowing about payment gateway SDKs:
- SDKs provide pre-built functions and modules that simplify payment gateway integration.
- The SDK must be integrated into the website or application code, typically by adding the SDK library to the codebase and initialising it with the API key or token.
- A payment gateway is software that collects, verifies and transmits customers' payment details. It passes the customer's encrypted payment details to the appropriate issuing bank or card processor for authorisation. Encryption protects this sensitive data from being intercepted electronically while it travels between the parties.
- The main reason why it is necessary is to ensure secure electronic payments for both the customer and the merchant.
- A payment gateway makes money by charging fees for transaction processing. There are two basic kinds of charges: transaction fees and fixed fees.
- There are three ways to get a payment solution for your business: choose a third-party provider, opt for in-house development, or select a white label solution.
- When choosing a payment gateway, it's worth paying attention to the payment page, supported payment methods and currencies, security measures, and the price.
- Most payment gateways are thoroughly safe thanks to implementing various security measures, from masking, encryption, and TLS (SSL) to tokenisation, 3DS, and PCI DSS compliance.
- Integrating a payment gateway involves registering for an account and connecting it to your website using plugins, APIs, or SDKs. After integration, thorough testing is necessary to ensure the integration is secure and works correctly.