Payment technology
June 17, 2024

What is a payment gateway? (and how does it work?)

Learn how payment gateways facilitate secure transactions, offering encryption and fraud prevention for both online and in-store payments

Payment gateways are a vital cog in the payment processing machine.

Without them, businesses would not be able to accept payments.

Payment gateways add a level of convenience and trust into the payments process that enables businesses to focus on growth and customer experience.

This article provides an introduction to payment gateways and their indispensable role in accepting payments in modern commerce.

What is a payment gateway?

A payment gateway is a system that collects then transmits transaction information between cardholders and merchants.

Payment gateways work with every electronic payment processing system. This includes online payments, payments made at the point of sale (POS), and payments made on a mobile device or over the phone.

A gateway does this securely by encrypting the information it works with, such as customer data and payment details. It also notifies customers and merchants once a payment has been approved or denied.

Why do businesses need a payment gateway?

Businesses need payment gateways in order to accept payments securely and efficiently.

Theoretically, a merchant could accept credit card payments without a payment gateway. However, customers' data would be at risk of being compromised.

How does a payment gateway work?

Payment gateways act as conduits of payment information between merchants and customers.

Physical transactions often involve point-of-sale (POS) systems or credit card readers. Online transactions rely on digital forms or API integrations.

However, the payment gateway process is similar for each type of transaction.

1. Transaction is initiated

To customers, payment processing appears to happen in an instant. In fact, it is a multi-step process that begins with the initiation of a transaction.

This applies whether they use a card reader device at point of sale (POS), a digital wallet like Apple Pay, or press 'pay' at an eCommerce platform's online checkout page.

2. Payment gateway's verification

The payment gateway verifies the card details after receiving customers' payment information. To do this, it checks customer card information with the relevant credit card network (e.g., Visa, Mastercard, American Express).

3. Encryption and transmission

The payment gateway encrypts and then sends transaction information to the customer’s bank via a payment processor and card network.

4. Issuing bank's authentication

The customer’s bank (known as the issuing bank) will check whether the card is legitimate and whether there are enough funds in the account to complete the transaction.

For a credit card payment, the credit card network will communicate with the issuing bank to determine whether the credit limit supports the transaction.

5. Authorization

The customer’s bank informs the payment gateway whether or not the transaction has been authorized or declined. The information is again transmitted via the card network and the payment processor.

6. Confirmation

The payment gateway informs the merchant and the customer of the outcome. To the customer and the merchant, it appears that a transaction flow has now completed. However, there is still one final stage.

7. Settlement

Settlement refers to the actual transfer of money between accounts. In this case, it is when funds are deposited from the customer's bank account into the merchant's account.

The merchant is required to have a separate merchant account.

Payment gateways don't directly play a role in the final payment settlement process. However, it is their earlier authorization which leads to the final settlement stage taking place.

Payment gateway security features

Payment gateways add an extra layer of security to transactions using several methods.

These methods vary slightly for different payment gateway providers. There are different infrastructures, markets and regulatory environments to consider.

Most debit and credit card fraud attempts are card-not-present (CNP) ones, such as online payments. However, there are other types, such as mail order/telephone order (MOTO). To combat these and others, a range of protection measures is needed.

1. Encryption

In payments, encryption is the conversion of transaction details (including cardholder information) into a coded format. Only authorized parties with the correct decryption key can view the information.

This protects customers and merchants from potential security breaches and fraud/theft attempts.

Transport layer security (TLS) and secure sockets layer (SSL) certificates

TLS and SSL are types of public key cryptographic protocols. They are used in many systems that require the storing and sharing of sensitive data. Payment gateways use them for encrypting payments data.

2. Strict compliance protocols

Payment gateways follow a range of compliance protocols. These vary according to region and sometimes industry.

Many of these protocols contribute to the protection of buyers' sensitive account information before it is sent through the card network.

PCI DSS

One well-known global payments security standard is PCI DSS (the Payment Card Industry Data Security Standard). It is multi-faceted and needs to be periodically updated (it is currently on version 4.0).

Payment gateways offering card payment options should maintain PCI compliance.

3. Address Verification Service (AVS)

AVS is a fraud prevention tool used by payment gateways and credit card processors. It checks the billing address a buyer provides against the credit card company's records, and then verifies (or declines) the transaction accordingly.

4. Card Verification Value (CVV)

A card verification value (CVV) is a 3 or 4-digit number assigned to credit/debit cards. It is different to the card number itself.

CVV checks are designed to detect suspicious transactions. They are particularly useful for combating card not present (CNP) fraud attempts.
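The AVS and CVV checks described above come back to the merchant as short result codes alongside the authorization. The Python example below is added here and is not code from this article or from any gateway's API; it turns those codes into an accept, review or decline decision. The code tables list commonly documented values, while the function name decide, the policy and the review threshold are assumptions.

```python
# Result codes as commonly documented for card networks; a given gateway may
# use a different or larger set (assumption: check the gateway's reference).
AVS_CODES = {
    "Y": "full",         # street address and postal code both match
    "A": "partial",      # street address matches, postal code does not
    "Z": "partial",      # postal code matches, street address does not
    "N": "none",         # neither matches
    "U": "unavailable",  # issuer has no address information
    "R": "unavailable",  # issuer system unavailable, retry
    "S": "unavailable",  # issuer does not support AVS
}
CVV_CODES = {"M": "match", "N": "mismatch",
             "P": "unchecked", "S": "unchecked", "U": "unchecked"}

REVIEW_THRESHOLD_CENTS = 20_000  # hypothetical merchant policy value


def decide(avs_code, cvv_code, amount_cents):
    """Return (decision, reasons) from the AVS/CVV result codes of one
    authorization. Only result codes are handled here: the CVV itself must
    never be stored after authorization (PCI DSS)."""
    avs = AVS_CODES.get((avs_code or "").strip().upper(), "unknown")
    cvv = CVV_CODES.get((cvv_code or "").strip().upper(), "unknown")
    if cvv == "mismatch":
        return "decline", ["CVV does not match issuer record"]
    if avs == "none":
        return "decline", ["AVS: street and postal code both mismatch"]
    reasons = []
    if cvv != "match":
        reasons.append("CVV not confirmed (%s)" % cvv)
    if avs in ("unavailable", "unknown"):
        reasons.append("AVS result %s" % avs)
    elif avs == "partial" and amount_cents >= REVIEW_THRESHOLD_CENTS:
        reasons.append("partial AVS match on high-value order")
    # Anything not positively confirmed goes to manual review, never accept.
    return ("review" if reasons else "accept"), reasons


if __name__ == "__main__":
    # Constructed sample responses: (AVS code, CVV code, amount in cents)
    for sample in [("Y", "M", 4_999), ("Z", "M", 45_000),
                   ("U", "P", 1_200), ("Y", "N", 1_200), (None, "M", 800)]:
        print(sample, "->", decide(*sample))
```

Missing or unrecognised codes fall through to review, so a gateway that adds a new code cannot silently widen what is accepted.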

Types of payment gateways (& integration)  

Merchants can choose from a variety of different payment gateways. The one they choose needs to be compatible with their merchant account and its payment processor. Merchant account providers usually offer integrated payment gateways as part of their services.

Merchants should consider different factors for each payment gateway. These include associated fees, their current business needs, and website development capacities.

Payment gateways usually fall within four main categories:

1. Hosted payment gateway

Hosted payment gateways direct customers away from eCommerce checkout pages to the page of a third-party payment service provider (PSP). Customers then fill out their payment information on this separate page before being sent back to the merchant’s website to complete the purchase.

This type of payment gateway is usually simple to set up and comes with a high level of security. It does not require merchants to handle or store sensitive payment information on their own servers.

Website development and integration are not necessary. And merchants can partially customise the gateway to fit their brand style (as well as introduce their logo).

However, merchants can't fully control the checkout experience and monitor the customer journey. This may result in high levels of cart abandonment because some customers do not trust external payment pages.

2. Self-hosted payment gateway

A self-hosted gateway allows customers to stay on an eCommerce website throughout the entire payment process. Companies can tailor the payment page according to their brand and have a fully white-labeled payment gateway.

Card and payment information are collected directly on merchants' websites. These details are then encrypted and submitted to a third-party payment gateway for authorisation.

A self-hosted gateway gives businesses a high level of control over the user experience on their platforms. There is no redirection to a separate site to complete a transaction. This can reduce cart abandonment rates.

However, it will not usually have the same technical support as a hosted service. Merchants will also not have complete visibility of their customers’ payments data.

3. Application Programming Interface (API) hosted payment gateway

An API payment gateway enables direct integration of payment processing onto websites or apps without a redirect. In this sense, it is similar to a self-hosted one.

It gives merchants complete control of their checkout and full access to their customers’ payments data. This helps them to create a fully customised user experience.

Merchants using an API gateway are responsible for the security of their customers' data. For this, they have to obtain the relevant security certifications.

4. Local bank integration

Payment gateways can connect to the services of local banks.

The gateway redirects customers from the merchant site to their online banking portal or interface. Here, they log in and authorise transactions. Once this is done, the gateway redirects customers back to the merchant's website and sends them a payment notification.

This is an entry-level solution that is easy and quick to implement. However, unlike many other types of payment gateway, it doesn't help with international payments.

How much does a payment gateway cost?

There is no one-size-fits-all fee for payment gateways. This is because there are multiple payment providers offering this service, each charging different fees.

There is a combination of:

  • Initial setup fees
  • A flat monthly fee
  • A small fee for each transaction

And some may also charge a fraction of each purchase.

Is a payment processor the same as a payment gateway?

A payment processor is not the same as a payment gateway. While a payment processor facilitates the movement of money, a payment gateway ensures the flow of information between the customer and the merchant.

Is PayPal a payment gateway?

PayPal is a payment processor which allows merchants to accept and redeem payments back to their accounts. Overall, it is not known primarily as a payment gateway, but it does offer a payment gateway service called PayFlow.

Is Apple Wallet a payment gateway?

Digital wallets, such as Apple Wallet or Google Wallet, are not payment gateways. But they do facilitate customer interactions with payment gateways.

Instead of carrying a card around, a customer can store encrypted card data on their phone. This allows them to pay safely without having their card present.

Nuvei’s payment gateway

At Nuvei, we provide a global payment gateway that connects with a worldwide network of banks. This helps our customers rapidly and efficiently scale and grow their businesses.

If your current tech infrastructure is already highly optimized, there's no need to compromise it to enhance payment functionalities. Choose only the Nuvei features that suit your business’ needs, all while maintaining compatibility with your favored vendors.

Sophisticated merchants need more than basic assistance. We provide accessible and specialized human expertise round the clock. This isn't just support via automated chatbots - it's a partnership.

Conclusion

Payment gateways serve as the essential interface for allowing merchants to accept electronic payments in a secure way. They are essential for businesses to securely process payments, whether in physical stores or online.

They facilitate payment processing by collecting and sending information between merchants and their customers. They use encryption tools and safety protocols to do this.

The process involves several steps, from transaction initiation to final settlement. Security features include encryption through TLS or SSL certificates, compliance protocols like PCI-DSS, and fraud prevention tools such as Address Verification Service (AVS) and Card Verification Value (CVV).

Self-hosted and API gateways offer more control over user experience but require robust security measures. Local bank integrations are quick to implement but might be limited in handling international payments.

Integration can take place with various types of gateways, such as hosted, self-hosted, API, or local bank integration. This offers businesses flexibility in tailoring user experience for their customers.

Merchants should work with a payment gateway provider to choose a secure payment gateway that serves their business needs. Costs vary among providers, with fees comprising setup, monthly charges, and transaction percentages.

Payment gateways not only enable secure transactions but also play a pivotal role in the customer experience, affecting things like cart abandonment rates. They are integral to modern commerce, safeguarding both businesses and consumers from fraud and other risks.
