What is a Payment Gateway?
Payment gateway is a web-based service that collects payment information provided by the customer at the check-out on an e-commerce website’s shopping cart. The gateway then encrypts the data and transmits it to the card issuing bank for authorization. The authorization response is then sent to the merchant and is displayed to the cardholder.
These are players who integrate with eCommerce companies and connect them with banks. They receive payments on behalf of these companies and transfer the money to their accounts.
A payment gateway is what keeps the payments ecosystem rolling smoothly, as it enables online payments for consumers and businesses. If you’re an online merchant, you don’t need to be a payment gateway expert, but it’s worth understanding the basics of how an online payment flows from your customer to your bank account.
This article explains what a payment gateway is, how it works, why an online merchant needs one, and how to choose which payment gateway service is right for your business.
What is a payment gateway / processor?
The definition of a payment gateway is the technology that captures and transfers payment data from the customer to the acquirer and then transfers the payment acceptance or decline back to the customer. A payment gateway validates the customer’s card details securely, ensures the funds are available and eventually enables merchants to get paid. It acts as an interface between a merchant’s website and its acquirer. It encrypts sensitive credit card details, ensuring that information is passed securely from the customer to the acquiring bank, via the merchant.
In other words, the payment gateway works as the middleman between your customer and the merchant, ensuring the transaction is carried out securely and promptly. An online payment gateway can simplify how merchants integrate the necessary software. As the middleman during the payment processing, the gateway manages the customer’s sensitive card details between the acquirer and the merchant.
Why do we need a payment gateway?
You may be thinking, why do you need a payment gateway if it’s only a middleman? Before we answer this question, we’ll take a step back and highlight that online payment is processed as a card-not-present transaction. The customer’s card cannot be physically swiped on a POS terminal, as you would normally do if you processed the payment in a brick-and-mortar shop. Therefore, you can only rely on the card information that the customer is entering on the payment page. But, how can you be sure that the card the customer is using is their card? In card-not-present transactions, the fraud risk is significantly higher, and this is where a payment gateway does its magic.
What would happen if you take the payment gateway out of the online payment flow? Fraudsters would have easier access to card data you process, exposing your business to fraud and chargebacks. On top of that, fraudsters would also find additional ways to initiate illegitimate transactions, leaving you even more exposed to fraud and damaging your brand reputation.
A payment gateway is the gatekeeper of your customer’s payment data. For online merchants, a payment gateway relays the information from you, the merchant, to the acquirer and the issuing bank using data encryption to keep unwanted threats away from the sensitive card data. Aside from fraud management, a payment gateway also protects merchants from expired cards, insufficient funds, closed accounts or exceeding credit limits.
What is the Role of a Payment Gateway
- The main role of an online Payment Gateway is to approve the transaction process between merchant and customer.
- It plays a vital role in the online transaction process and authorizes transactions between merchants and customers.
- It helps the e-commerce platform strengthen its presence by offering its customers easy payments. It also builds the platform’s reputation for payments that are quick, secure, convenient and successful every time.
A payment gateway service can be provided by banks directly or a payment service provider authorized by a bank.
How Does A Payment Gateway Process Work?
The payment gateway process kicks off when a customer orders a product from a payment gateway-enabled merchant. The payment gateway performs a variety of tasks to process the transaction.
1. A Customer Places An Order
Either by clicking ‘Buy’ or an equivalent option or by entering the card details on the merchant website or application.
2. Encryption of Information and Forwarding to Merchant’s Site
If the order is placed via a website, the customer’s web browser encrypts the information to be sent to the merchant’s web server. In other cases, this is done via the Secure Sockets Layer (SSL).
3. Forwarding Information from Merchant’s Site to the Payment Gateway
This is an SSL encrypted connection from the merchant’s server site to the payment server hosted by the payment gateway.
4. Payment Gateway sends transaction information to the Payment Processor used by the Merchant’s Acquiring Bank
5. Payment Processor forwards transaction Information to the Card Association
The card association also acts like the issuing bank and directly provides a response of approval or declination to the payment gateway.
6. The Card Association receives the authorization request, verifies the request and sends a response back to the processor. It conveys the success or failure of the request as well as the reason.
7. Payment Processor forwards this information to the Payment Gateway.
8. Payment Gateway forwards it to the Merchant Website.
This process is known as Authorization and it takes about 2-3 seconds, altogether. The merchant then fulfills the order and the above process can be repeated.
9. At the end of the day, the payment gateway performs a process known as Settling.
During settling, it groups all your transactions together and sends them off to the Merchant’s Acquiring Bank in a single batch via the Processor for Settlement.
10. Payment gateways also record your transactions and allow you to view them using the payment gateway report facilities. This completes a single payment gateway process.
Step by step Process flow:
The payment gateway integrates with the website’s shopping cart and goes through the following stages:
- A customer places an order on an e-commerce website and provides his or her card information for payment.
- The payment gateway gathers the submitted data and, after another SSL encryption, transmits it to the processing bank’s server.
- The processing bank then sends the payment details to Visa or MasterCard.
- If the cardholder used a Discover or an American Express card, the processing bank serves as an acquiring bank and makes a decision on whether or not to authorize the transaction; then forwards the response to the merchant.
- Visa or MasterCard forward the transaction to the card issuer.
- The card issuer either authorizes or declines the transaction and sends a response (approval or decline) back to the processing bank.
- The processing bank then sends the response to the payment gateway.
- The payment gateway sends the response on to the merchant’s website and it is presented to the cardholder.
The whole process, from submitting the payment information to receiving the response, takes seconds.
The key players in online payments
Before we delve deeper into the definition of a payment gateway, we need to identify the key players in online payments. When a customer clicks on the “Pay” button on your website, a traditional payment gateway works with these entities as shown below –
|Participants in a transaction||Role|
|Issuer – Financial Institution that issues cards (Visa/MasterCard) to customers — account holders or cardholders.||Manages cardholder participation and activation in Verified by Visa, or SecureCode by MasterCard; validates cardholder at the time of each online purchase; provides digitally signed response to the merchant for each authenticated transaction. Issuers also have responsibility for the authentication experience of their cardholders.|
|Cardholder – The account holder of the debit or credit card.||Uses the card to pay for purchases over the internet or other PoS. The cardholder activates the card once for 2-factor authentication like 3-D secure, Verified by Visa or SecureCode by MasterCard.|
|Acquirer – The Financial institution (banking accounts, payfacs) that contracts with merchants for acceptance of debit and credit payment cards.||Registers merchants for card networks (Visa and MasterCard) and ensures that merchants originating online transactions are operating under a merchant agreement with the acquirer in accordance with the rules and technical requirements for the card network program.|
|Merchant – Offers merchandise, software or service at a website, mobile app or so, and accepts payments from a cardholder who makes purchases over the internet.||Operates software to support a 3-D secure program like Verified by Visa and SecureCode by MasterCard. This software is referred to as Merchant Plug-In (MPI). The Merchant might develop their own solution or obtain a system from 3rd party payment facilitators like Razorpay, Cashfree to accept payments from its customers.|
|Card Networks – Card infrastructure providers like Visa and MasterCard||Verifies issuer’s authentication results. Routes authorization requests to issuers and sends responses to acquirers for return to merchants.|
Payment Gateway Architecture–The Different Software Components:
The payment gateway works under the 3D secure authentication protocol, which has 3 components.
3D secure is an XML-based protocol designed by Visa, that adds an additional security layer for online card transactions. This protocol has been adopted by other leading global card networks like MasterCard, American Express, and more.
The ‘D’ in 3D-Secure stands for ‘domain’, and there are 3 of them — the acquiring domain, the issuing domain and the interoperability domain that links the former two, together.
Here are their functions in a 3D-Secure payment gateway:
- Issuer Domain – Access Control Server (ACS) — The issuing domain is where the issuing bank operates. They issue cards to cardholders, who then use the cards to make a purchase via online services. The issuing bank deploys a server known as the access control server (ACS). It’s used to receive 3D secure messages, process the messages and authenticate the card user and the transaction.
- Interoperability Domain – Directory Server (DS) — The interoperability domain consists of the Directory Server that’s deployed by the card network. It can be considered the foundation holding the entire 3D-secure mechanism together. The directory server is used as a ‘directory’ for the acquiring bank and issuing bank to transact money between each other. As the name suggests, the directory serves as a mapping server: acquiring banks send a message to the card network’s DS, which holds the “directory” of all the BIN ranges of the corresponding issuing banks. The Directory Server receives the message from the MPI and checks the card number against the BIN range directory. After that, it forwards the message on to the correct issuing bank. The issuing bank then proceeds with authenticating the card user.
- The Acquiring Domain – Merchant Plug-In (MPI) — The acquiring domain is where the payment gateway and acquiring banks sit. They initiate the transaction, which they wish to be authenticated. In order to do so, entities in acquiring space need to deploy a “merchant plug-in”, also known as “MPI”.
- Payment Switch – The payment switch can be thought of as an independent entity that facilitates communication between the various entities in a payment process mentioned above. The payment gateway uses a switch exclusively to communicate with various stakeholders during a payment procedure. It is expected to be highly reliable, performant and versatile, as it has to process a variety of payments a gazillion times a day. It facilitates the processing of real payments between providers and accepts the request for payment. The payment switch also understands which provider it needs to process with, formats the message for that provider and sends it to them, gets a response, changes the response to a generic format and sends the response back to the caller.
Simply said, Switch is a tool that facilitates communication between different payment service providers. Switch typically provides a merchant-driven rules-based authorization and switching solution. It dynamically routes payment transactions between multiple acquirers and Payment Service Providers. It sits at the center of the payment processing and dynamically acquires, routes, switches, authenticates and authorizes transactions across multiple payment channels. The payment switch enables an extension of payment network by adding new payment methods and providers easily, without enormous integration costs.
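The Directory Server lookup described in the component list above, sketched as an added example (not code from any card network): a card number is checked against a sorted table of BIN ranges and the query is answered with the matching issuer's ACS address. The issuer names, the example.test URLs, the 16-digit assumption and the sample ranges are all constructed for illustration.

```python
from bisect import bisect_right
from dataclasses import dataclass
from typing import Iterable, Optional

PAN_LEN = 16  # assumption: this sketch handles 16-digit card numbers only


@dataclass(frozen=True)
class BinRange:
    low: int       # lowest card number covered by the range
    high: int      # highest card number covered by the range
    issuer: str    # hypothetical issuer name
    acs_url: str   # hypothetical ACS endpoint (example.test is a placeholder)


def make_range(bin_low: str, bin_high: str, issuer: str, acs_url: str) -> BinRange:
    """Expand a pair of BIN prefixes into a full card-number interval."""
    for b in (bin_low, bin_high):
        if not (b.isascii() and b.isdigit() and 6 <= len(b) <= 8):
            raise ValueError("BIN must be 6 to 8 digits")
    low = int(bin_low.ljust(PAN_LEN, "0"))
    high = int(bin_high.ljust(PAN_LEN, "9"))
    if low > high:
        raise ValueError("range is inverted")
    return BinRange(low, high, issuer, acs_url)


class DirectoryServer:
    def __init__(self, ranges: Iterable[BinRange]):
        self._ranges = sorted(ranges, key=lambda r: r.low)
        # Overlapping ranges would make the issuer ambiguous: refuse to load.
        for a, b in zip(self._ranges, self._ranges[1:]):
            if b.low <= a.high:
                raise ValueError(f"overlap between {a.issuer} and {b.issuer}")
        self._lows = [r.low for r in self._ranges]

    def lookup(self, pan: str) -> Optional[BinRange]:
        """Return the BIN range containing this card number, if any."""
        if not (pan.isascii() and pan.isdigit() and len(pan) == PAN_LEN):
            raise ValueError("card number must be 16 digits")
        n = int(pan)
        # Find the last range starting at or below n, then check its upper end.
        i = bisect_right(self._lows, n) - 1
        if i >= 0 and n <= self._ranges[i].high:
            return self._ranges[i]
        return None

    def route(self, pan: str) -> dict:
        """Answer an MPI query: which ACS should authenticate this card?"""
        hit = self.lookup(pan)
        if hit is None:
            # No participating issuer covers this card number.
            return {"in_directory": False, "issuer": None, "acs_url": None}
        return {"in_directory": True, "issuer": hit.issuer, "acs_url": hit.acs_url}


# Constructed sample directory (not real BIN assignments).
SAMPLE_DIRECTORY = DirectoryServer([
    make_range("510000", "510099", "Issuer B", "https://acs.issuer-b.example.test/auth"),
    make_range("400000", "400999", "Issuer A", "https://acs.issuer-a.example.test/auth"),
])

if __name__ == "__main__":
    for pan in ("4000001234567890", "5100991234567890", "4010001234567890"):
        print(pan[:6], SAMPLE_DIRECTORY.route(pan))
```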
Payment switch – How it works :
After the payment request is initiated, the payment switch authorizes the merchant and transaction. Based on the status of the transaction (either failure or success), it is further processed.
Switch then dynamically routes authorized payment transactions based on the rules.
These rules include routing by BIN (bank identification number), routing by amount, routing by the time of day, etc. Based on the BIN identification, the switch formats and sends a message to the provider and receives a response back from it.
It then formats the received response and returns it to the caller.
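The routing and message-translation steps above, as an added example rather than any vendor's switch: rules are evaluated in order by BIN prefix, amount and time of day, the request is formatted for the chosen provider, and the provider's reply is converted to one generic shape. The two providers, their message formats, the response values and the sample rules are hypothetical; a payment that matches no rule is declined without being sent anywhere.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Payment:
    pan: str            # card number (constructed test values only)
    amount_minor: int   # amount in minor units, e.g. cents
    at: time            # time of day the request arrived


@dataclass(frozen=True)
class Rule:
    provider: str
    bin_prefixes: Tuple[str, ...] = ()          # empty = any BIN
    max_amount: Optional[int] = None            # None = any amount
    window: Optional[Tuple[time, time]] = None  # None = any time

    def matches(self, p: Payment) -> bool:
        if self.bin_prefixes and not p.pan.startswith(self.bin_prefixes):
            return False
        if self.max_amount is not None and p.amount_minor > self.max_amount:
            return False
        if self.window is not None:
            start, end = self.window
            if start <= end:
                inside = start <= p.at < end
            else:  # window wraps past midnight, e.g. 22:00 to 06:00
                inside = p.at >= start or p.at < end
            if not inside:
                return False
        return True


class ProviderA:
    """Hypothetical provider with a dict-based message format."""
    def format(self, p: Payment) -> dict:
        return {"card": p.pan, "amt": p.amount_minor}

    def send(self, msg: dict) -> dict:  # stub standing in for the network call
        return {"rc": "00", "auth": "A12345"} if msg["amt"] <= 50_000 else {"rc": "51"}

    def parse(self, raw: dict) -> dict:
        ok = raw["rc"] == "00"
        return {"approved": ok, "auth_code": raw.get("auth"),
                "reason": "approved" if ok else "declined_" + raw["rc"]}


class ProviderB:
    """Hypothetical provider with a pipe-delimited text format."""
    def format(self, p: Payment) -> str:
        return f"{p.pan}|{p.amount_minor}"

    def send(self, msg: str) -> str:  # stub standing in for the network call
        return "OK|B777" if int(msg.split("|")[1]) <= 100_000 else "NOK|LIMIT"

    def parse(self, raw: str) -> dict:
        status, detail = raw.split("|")
        ok = status == "OK"
        return {"approved": ok, "auth_code": detail if ok else None,
                "reason": "approved" if ok else "declined_" + detail}


class Switch:
    def __init__(self, rules: List[Rule], providers: Dict[str, object]):
        missing = {r.provider for r in rules} - set(providers)
        if missing:
            raise ValueError(f"rules reference unknown providers: {sorted(missing)}")
        self.rules, self.providers = list(rules), dict(providers)

    def route(self, p: Payment) -> Optional[str]:
        """First matching rule wins, so rule order is part of the policy."""
        return next((r.provider for r in self.rules if r.matches(p)), None)

    def process(self, p: Payment) -> dict:
        name = self.route(p)
        if name is None:  # fail closed: no rule matched, so nothing is sent
            return {"provider": None, "approved": False, "auth_code": None, "reason": "no_route"}
        prov = self.providers[name]
        try:
            generic = prov.parse(prov.send(prov.format(p)))
        except (KeyError, ValueError):  # reply did not have the expected shape
            generic = {"approved": False, "auth_code": None, "reason": "malformed_response"}
        return {"provider": name, **generic}


# Constructed rule set: BIN rule first, then daytime small amounts, then overnight.
SWITCH = Switch(
    rules=[
        Rule("provider_b", bin_prefixes=("51", "52")),
        Rule("provider_a", max_amount=50_000, window=(time(6, 0), time(22, 0))),
        Rule("provider_b", window=(time(22, 0), time(6, 0))),
    ],
    providers={"provider_a": ProviderA(), "provider_b": ProviderB()},
)
```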
Here are some ways in which a payment gateway keeps information secure for the merchant and the customer:
A payment gateway ensures the security of the information you put in. Here is a list of things that an online Payment Gateway does to keep your data safe:
- The standard security protocol used in online transactions is SSL (Secure Sockets Layer). It protects sensitive card information and authenticates the customer’s identity. A payment gateway with SSL can be identified by checking for ‘https’ at the beginning of the web address.
- To authenticate customers and merchants, an additional layer of security can be implemented under the 3DS (Three-Domain Secure) protocol. This is a messaging protocol developed by EMVCo.
- Data encryption is one of the most important security measures in the payment gateway, where the data appears scrambled and illegible to anyone but you.
- Another unique way to secure a transaction via a payment gateway is tokenization, where sensitive card details are replaced by a string of encrypted characters.
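The tokenization item above, as an added example that is not taken from any gateway's code: a vault checks the card number, hands back a token, and the merchant record keeps only the token and a masked number. This sketch issues random surrogate tokens that are looked up in the vault rather than encrypting the number; the class and function names are hypothetical, the card numbers are well-known test values, and the in-memory dictionaries stand in for the vault's protected storage.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Check length, digits and the Luhn check digit of a card number."""
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only, for receipts and logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical vault: the only component that ever holds the card number."""

    def __init__(self, index_key: Optional[bytes] = None):
        self._key = index_key or secrets.token_bytes(32)
        self._pan_by_token: Dict[str, str] = {}    # stand-in for protected storage
        self._token_by_index: Dict[str, str] = {}  # keyed hash of PAN -> token

    def _index(self, pan: str) -> str:
        # Keyed hash so the same card maps to the same token without
        # scanning stored card numbers.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            # The token is random: it carries no information about the card.
            token = "tok_" + secrets.token_urlsafe(16)
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_minor: int) -> dict:
    """What the merchant's own database keeps: token and masked number only."""
    return {"token": vault.tokenize(pan), "card": mask_pan(pan),
            "amount_minor": amount_minor}


if __name__ == "__main__":
    vault = TokenVault()
    print(merchant_record(vault, "4111111111111111", 1999))
```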
Difference Between ‘Acquiring Bank’ and ‘Issuing Bank’
The acquiring bank (also merchant bank or acquirer) is the financial institution that maintains the merchant’s bank account. The contract with the acquirer enables merchants to process credit and debit card transactions. The acquiring bank passes the merchant’s transactions along to the applicable issuing banks to receive payment.
The issuing bank is the financial institution that issues credit cards to consumers on behalf of the card networks (Visa, MasterCard). The issuer acts as the middle-man for the consumer and the card network by contracting with the cardholders for the terms of the repayment of transactions.
Authentication vs Authorization
|Authentication confirms your identity to grant access to the system.||Authorization determines whether you are authorized to access the resources.|
|It is the process of validating user credentials to gain user access.||It is the process of verifying whether access is allowed or not.|
|It determines whether user is what he claims to be.||It determines what user can and cannot access.|
|Authentication usually requires a username and a password.||Authentication factors required for authorization may vary, depending on the security level.|
|Authentication is the first step of authorization so always comes first.||Authorization is done after successful authentication.|
|In simple terms, authentication is determining whether someone is who he claims to be (verifying oneself).||In simple terms, authorization, on the other hand, is determining his rights to access resources (verifying what you have access to).|
|In short: verifies you are who you say you are. Methods: a) Login form b) HTTP authentication c) HTTP digest d) X.509 certificates e) Custom authentication method||In short: decides if you have permission to access a resource. Methods: a) Access controls for URLs b) Secure objects and methods c) Access control lists (ACLs)|
What Is a Payment Gateway Responsible For?
Here are some additional responsibilities that befall a payment gateway, though they might not be limited to these:
- Manages the merchant’s switch configurations – Defines a sub-merchant ID for each merchant payment configuration. And, communicates with the payment switch using this ID to validate transactions.
- Merchant’s transaction roles – Defines limitations for the merchant’s transactions, e.g. the minimum and maximum amount a merchant can transact from a card in a day, or restricting transactions from credit cards issued in a particular region.
- Manages the merchant’s 3D secure configurations – As discussed above, the payment gateway communicates with the card network with the help of the payment switch. It checks whether the cardholder is enrolled for 3DS; the related MPI then looks up the card’s directory services and returns the response to the payment gateway.
- Process Payments – Makes a request to the payment switch to process payments, receives the results and returns them to the customer.
- Sends payment records – Receipts and confirmation to merchant and customers
- Encryption and Security – Ensuring that no data is leaked as financial data is extremely sensitive.
How Secure Is A Payment Gateway Process?
A payment gateway can be integrated with most websites and virtual shopping carts to streamline online credit card processing. A shopping cart is usually used before the payment gateway. This function allows your customers to pick and choose the various items they want to buy from your website, including options such as size, color, etc. And at the checkout, the shopping cart totals the items, adds tax and shipping and collects the customer’s shipping and billing information.
Once the shopping cart process is completed, the payment gateway encrypts and stores sensitive data, including credit card numbers, ACH account numbers, CVV and CVV2 information. Sensitive data such as credit card numbers needs to be protected from any fraudulent activities.
And since security is an integral component of a payment gateway process, the card associations have created a set of rules and security standards which must be followed by anyone with access to card information. This set of rules and security standards is called the Payment Card Industry – Data Security Standard (PCI-DSS or PCI).
For more protection, submitting an order online is usually completed using an HTTPS protocol, which securely communicates personal information through the parties involved in the Transaction.
This ensures that sensitive information is kept safe while a payment is processed.
A payment gateway service company has gone through the extensive and lengthy process of getting approved to communicate with payment processors. They reduce a business’ liability and ensure that a payment gateway process is safe and secure.
The Payments Industry Landscape: What Does It Look Like Today?
The payments industry is a rapidly changing scene that is constantly in flux due to the introduction of new payment methods, mergers and acquisitions, and new technology. Especially as technology advances, we’re seeing payment technology companies play a bigger role in the payments industry—and many of them are even merging with traditional financial institutions to cater to the latest customer and merchant preferences. Unlike in the past, when payment processing was simply about facilitating the transfer of funds, the newest players in the payment processing world are completely redefining the customer experience and enabling business owners to manage their businesses with incredible ease.
The Payments Ecosystem
The payments ecosystem is made up of a combination of players that interact with each other during the payment transaction process: issuers and acquirers, credit card networks, payment processors, payment gateways, independent sales organizations and value-added resellers, and payment facilitators. All of these entities play specific roles in the payment processing cycle. The following illustration shows some examples of these players.
Acquirers: An acquirer is a bank or financial institution that enables a merchant to accept credit card payments from a customer’s card-issuing bank within a credit card network. These are typically referred to as merchant acquirers. An acquirer primarily processes credit or debit card payments on behalf of a merchant, but it can also be either a payment processor or an Independent Sales Organization (ISO). The acquirer assumes the risk and passes the merchant’s transaction information on to the card brand associations (the card networks), and the issuers, to complete the payment.
Issuers: Issuers are banks or other financial institutions that issue credit cards to consumers on behalf of the card networks. Specifically, these are the bank names that appear on credit cards, such as Chase or Bank of America. They also issue payment to the merchant’s bank (the acquiring bank) on behalf of their customers, which means they assume risk in the event that the customer is unable to pay their credit card balance.
Payment Gateways: A payment gateway is a software application that enables merchants to accept payments made with credit and debit cards for in-store and online transactions. The payment gateway securely encrypts payment information and transfers that data between the merchant’s store or website, the bank that processes the payment, and the bank that issued the card used to make the purchase.
A payment gateway can be positioned either entirely digitally—with credit card information being routed in from the shopping cart on a merchant’s website—or physically, with an in-store POS system at a brick-and-mortar location.
One of the most important aspects of a payment gateway is that it has robust security standards in place to keep cardholder data safe during the transmission process. When a customer uses their payment card, the payment gateway securely sends the customer’s card information to the payment processor. Some gateways also provide merchants with a broader range of payment processing features and benefits.
ISOs: Independent Sales Organizations (ISOs) sell credit card processing services to merchants, and they act as intermediaries between merchants, payment processors, and acquiring banks. In some cases, they might actually be banks; for example, Wells Fargo is a Fiserv ISO.
ISOs service merchant bank accounts and, at times, create the relationship between a merchant and bank in the first place. ISOs also lease point-of-sale terminals to merchants and may service customers who have problems with their cards. Because an ISO is not a bank, it does not physically manage merchants’ money and it’s also not regulated in the same way.
The Payment Processing Cycle
The payment processing cycle is complex and has a lot of moving parts. When a customer swipes their credit or debit card at a payment terminal, the transaction typically takes only a few seconds—but the process itself entails multiple steps and involves several players that interact with each other. For example, there are companies that work with the other players to process and facilitate transactions, payment processors that provide services to merchants and may facilitate moving money between banks, banks that service merchant accounts and perform the settlement process, and banks that issue credit cards to consumers.
The Authorization Process
- The customer purchases goods or services from the merchant and swipes their credit or debit card through a point-of-sale (POS) terminal or device which captures the customer’s card information.
- The customer’s card information is transmitted to the merchant’s payment processor, who in turn passes the card information and transaction amount to the merchant’s bank (the acquirer, or acquiring bank). Note that some payment processors are also acquiring banks.
- The acquiring bank captures the transaction and forwards the information to the customer’s credit card network (e.g. Visa, Mastercard).
- The card association system then routes the transaction to the customer’s bank (the issuer, or issuing bank), and requests an approval. The transaction is approved or declined depending on the availability of funds and the status of the cardholder’s account. This approval process is known as authorization.
- The issuing bank sends the response back to the credit card network. If the authorization was approved, the issuing bank assigns and transmits an authorization code along with its response, and a hold is placed on the cardholder’s funds.
- The authorization code is sent from the card association to the acquiring bank.
- The credit card network sends the approval to the merchant’s payment processor, who in turn sends the approval to the acquiring bank.
- The acquiring bank routes the approval code or response to the merchant’s terminal. Depending on the merchant or transaction type, the merchant’s terminal may print a receipt for the customer to sign.
The Settlement Process
- At the end of each day, the merchant closes out the day’s sales and transmits the information to their payment processor, who in turn transmits the information to the acquiring bank. This step, in which the merchant initiates the transfer of funds to their account, is known as capture.
- The acquiring bank routes all transaction information to the credit card network for settlement, who in turn passes on all approved transactions to the cardholder’s issuing bank.
- The issuing bank transfers the funds to the merchant’s acquiring bank, minus the interchange fee.
- The acquiring bank then deposits the amount, less the discount fee, to the merchant’s bank account.
- The issuing bank bills the cardholder for the transaction.
Making A Choice: The Right Payment Gateway
In addition to their basic function of transmitting and receiving credit card transaction data via the internet, most payment gateways also come with several useful extra features. The ones that you should look out for while selecting the right payment gateway can be:
- Multi-currency acceptance
- PCI Compliance
- Mobile Optimization and SDK
- Flexible Integrations
- Faster Checkout
- Fastest Setup Time
- Support Different Kinds of Payments
- Safe and Secure and more.
So while choosing the right payment gateway for your online store it becomes very necessary to narrow down the features that you require.
A payment gateway facilitates a payment transaction by the transfer of information between a payment portal (such as a website, mobile phone or interactive voice response service) and the front end processor or an acquiring bank.
In simple steps, a payment gateway:
- Captures the credit card transaction
- Encrypts the transaction information
- Routes it to the credit card processor and then;
- Returns either an approval or a decline notice.
This way, your customer knows immediately whether or not their credit card was approved.
This is a seamless process and a customer does not directly interact with the payment gateway as data is forwarded to the gateway via your shopping cart and a secure connection.
A payment gateway is a third party between merchants and customers that securely takes the money from customers and sends it to the merchant’s bank account. It is a virtual equivalent of the physical point-of-sale terminal located in most retail outlets.
It performs the most important role in processing and authorizing the payment or transactions between customer and merchants.
Payment gateways encrypt sensitive information and payment details such as credit card numbers. This guarantees that the information is passed securely between customer and merchant. Here are the basic steps on how it works:
Step 1: A customer will place an order on the website that they visit by submitting the order, checkout from the cart or any equivalent button.
Step 2: Merchant securely transfers order information to the payment gateway. Customer will pay with their preferred payment methods. The transaction is then routed to the issuing bank or the 3D secure page to request transaction authentication.
Step 3: After the authentication process is successful, the transaction is then authorized or declined (depending on funds available in the customer’s account) by the issuing bank or card (VISA, MASTER, MAESTRO, American Express).
Step 4: Payment gateway sends a message to the merchant accordingly.
Step 5: The bank settles the money with the payment gateway and then the payment gateway settles the money to the merchant.
When a customer wants to make a purchase from the merchant’s website, whether by credit card, debit card, online banking, cash, etc., a payment gateway does three important things: authorization, settlement and reporting.
Payment gateway providers also provide merchants with other benefits, such as a virtual terminal that can help receive payments in physical outlets through the same methods of payment.
Using a payment gateway puts the control of business payment acceptance into your hands, raising the power to grow your business right at your fingertips.
So this is how a payment gateway works, there are multiple people, and parties involved in a payment that takes just a few seconds to go through.
Despite its complexities and diverse array of institutions and technologies, the payment industry is truly a cohesive landscape that’s at the forefront of innovation. And increasingly, the industry’s ability to spearhead cutting-edge solutions is driving continued investments and a growing number of mergers and acquisitions. Even as new technologies and acquisitions disrupt the payment landscape, though, one thing’s for certain: the industry will continue to do all that it can to make the payment processing cycle as seamless as possible.
That was a lot to digest for now. I know all this information on payment gateways may be overwhelming, and I am sure it would have added some value to your knowledge.