How does a payment gateway work?
By Amanda Reaume
When it comes to processing online and point-of-sale payments, payment gateways are a key part of the transaction. They can even be used to protect your business from liability and onerous compliance requirements. But what exactly are they, and how do they work?
Below, we’ll walk you through what a payment gateway is, what role it plays in accepting payment, and how it can be used to protect you from fraud liability.
What is a payment gateway?
A payment gateway connects a merchant to their bank or processor. It can be used to initiate e-commerce, point-of-sale and in-app purchases.
A payment gateway is a service offered by various industry payment providers that is not directly involved in the flow of money. Instead, it facilitates payments by passing a customer’s card data to a payment processing network, either via application programming interfaces (APIs) for online payments or a card-present payment solution for brick-and-mortar transactions.
Many payment gateways also offer fraud management tools, such as fraud filters, that help detect and prevent fraud. These tools can include address and card verification value checks, geolocation, device fingerprinting, and much more. These additional features help stop fraudulent payments before they become chargebacks.
- Merchant
The person or people who sell products and services and process the transaction.
- Customer
The person making a purchase with a payment method that requires authorization.
- Issuing bank
The bank or financial entity that issued the customer the credit card they’re using to make a purchase.
- Acquirer or acquiring bank
It’s called the acquiring bank because it’s the financial institution that acquires the payment as a result of the transaction. An acquirer is sometimes called a payment processor.
Payment gateway vs. payment processor
While they are sometimes confused, a payment gateway and a payment processor are separate parts of the payment authorization process.
A payment gateway is the service that collects payment and transaction information and then facilitates the transfer of that information between the customer, website or point of sale and your payment processor. Once the payment processor (which we’ll explain in just a second) responds, the payment gateway lets you know whether the transaction was authorized. When you accept credit card payments through a payment gateway like one of ours, you can seamlessly take payments in person and online, get paid faster and worry less.
In contrast, a payment processor — while still a part of the technology used for credit card transactions — fulfills a different role. More specifically, a payment processor is a service provided by your merchant acquirer that allows you to accept debit and credit card payments by facilitating the authorization and settlement process with the applicable payment card networks.
How it works
Here’s one example of how a payment gateway works.
- The customer makes a purchase using your card reader.
- Once an order is initiated, the payment gateway can accept the payment information from your payment solution. Alternatively, it can accept the customer’s payment information directly, which reduces your risk and compliance requirements by ensuring you are never in possession of sensitive cardholder information.
- Either way, the payment gateway then forwards the transaction information — including details like the card number, card expiration date, cardholder’s name and transaction amount — to the payment processor/merchant services acquirer.
- The payment processor forwards the transaction authorization request to the payment card network, which submits the transaction to the issuer of the payment card. The issuer either authorizes or declines the transaction request. The card issuer’s response is then returned to your payment processor, which in turn forwards it to your payment gateway.
- The payment gateway forwards the response from the previous step to the website or payment interface that’s being used to process the card payment, and then the authorization is relayed back to you and the cardholder. This process typically takes just a few seconds.
- A customer makes a purchase.
- The payment gateway accepts the payment information from the merchant’s payment solution.
- The payment gateway forwards the transaction information to the payment processor/merchant services acquirer.
- The payment processor forwards the transaction authorization request to the payment card network, which submits the transaction to the issuer of the payment card.
- The issuer authorizes or declines the transaction request.
- The payment processor forwards the response to the merchant’s payment gateway.
- The payment gateway forwards the response to the website or payment interface that’s being used to process the card payment, and then the authorization is relayed back to the merchant and the cardholder.
Payment gateways are incredibly secure and have multiple levels of protection. Generally, payment gateways use Secure Sockets Layer (SSL) encryption. With SSL, you or the payment gateway protect the customer’s personal information and payment details by transforming them into a form that requires a key to decipher.
However, payment gateways can also help with payment security in other ways. Many provide additional fraud-checking features that can help detect fraud up front, mitigating the risk of chargebacks and product loss. Other forms of encryption or security that can be used with payment gateways include tokenization, secure electronic transaction (SET), card verification value (CVV), and 3-D Secure.
Beyond SSL, payment gateways commonly offer the following industry security features:
- Data Encryption:
Turns card details into a code that can be decrypted through the payment gateway’s private key.
- Address Verification Service (AVS):
Checks if a customer’s address matches the one on file with the credit card provider.
- Secure Sockets Layer (SSL) encryption:
Changes a customer’s personal information and payment details into a pattern that requires a key to decipher.
- Tokenization:
Replaces information with a random string of characters using a private and public key. This helps protect data at rest so your systems aren’t exposed to PCI-sensitive data.
- Secure Electronic Transaction:
Encrypts data using digital signatures or public-key certificates and verified messages.
- Card Verification Value (CVV):
Verifies (via a three- or four-digit code) that a card user has the card in their physical possession.
- 3-D Secure:
Uses data collected during and before a transaction — including IP addresses, purchase histories and transaction histories — to analyze the risk associated with the transaction. The data is used to authenticate the cardholder with the card issuer. If positively authenticated, merchants can be eligible for fraud chargeback liability protection.
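As an added illustration (not code from the article or from Chase), here is a toy Python model of the authorization flow described under “How it works”, with the gateway tokenizing the card as in the Tokenization entry so that the merchant’s order record never holds the card number. The Issuer, Gateway and run_checkout names, the test card number and the balance are all constructed for this example.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Mod-10 check a gateway can run before forwarding an authorization."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class Issuer:
    """Stands in for the card issuer: approves when the PAN is known and funded."""
    def __init__(self, accounts: dict):
        self.accounts = accounts  # constructed: PAN -> available balance

    def authorize(self, pan: str, amount: float) -> str:
        if pan in self.accounts and self.accounts[pan] >= amount:
            self.accounts[pan] -= amount  # hold the authorized amount
            return "approved"
        return "declined"

class Gateway:
    """Holds the card vault; merchant code only ever handles tokens."""
    def __init__(self, processor):
        self.vault = {}             # token -> (PAN, expiry); never given to the merchant
        self.processor = processor  # processor -> card network -> issuer hop

    def tokenize(self, pan: str, expiry: str):
        """Customer enters the card on the gateway's own form; merchant gets token + last4."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_urlsafe(16)
        self.vault[token] = (pan, expiry)
        return token, pan[-4:]

    def authorize(self, token: str, amount: float) -> str:
        pan, _expiry = self.vault[token]
        return self.processor(pan, amount)  # issuer's answer returns along the same path

def run_checkout(amount: float) -> dict:
    """Constructed end-to-end run; returns the order record the merchant stores."""
    issuer = Issuer({"4111111111111111": 100.0})  # constructed test PAN and balance
    gateway = Gateway(processor=lambda pan, amt: issuer.authorize(pan, amt))
    token, last4 = gateway.tokenize("4111111111111111", "12/29")
    order = {"token": token, "last4": last4, "amount": amount}
    order["status"] = gateway.authorize(token, amount)
    return order
```

The merchant’s record holds only the token, the last four digits and the result, which is the PCI scope reduction the article describes.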
The PCI Security Standards Council designed the Payment Card Industry Data Security Standard (PCI DSS) to ensure that any company or organization that handles cardholder data keeps it private and safe. This standard was adopted by all card brands and requires that all merchants who store, transmit or have access to sensitive cardholder data comply with the 12 PCI DSS requirements.
While simply using a payment gateway can help decrease the risk of data breaches, there’s more you can — and should — do to remain compliant. For starters, you can reduce your compliance requirements and potential liability if you don’t directly accept credit card information on your website, but instead process it directly through a PCI-compliant payment gateway. For card-present transactions, you can mitigate your risk of non-compliance by regularly updating anti-virus software, restricting access to cardholder data by business need-to-know, and regularly testing your security systems and processes.
It's crucial to stay on top of the 12 PCI DSS requirements not only to protect your customers but to safeguard your company, too. Merchants who do not achieve annual PCI compliance and have cardholder data stolen can be penalized and fined monthly, depending on the size of the company and the scope of non-compliance.
A payment gateway is a key part of an online or brick-and-mortar transaction. It allows for an omni-channel experience — tying in both card-present and card-not-present transactions — which offers you a consolidated solution and view into your transactions. Additionally, this helpful service typically has connections to alternative payment providers, such as gift cards, loyalty programs and more. So, if you’re looking to offer your customers more effortless transactions and empower your business with a simple and secure payment solution, speak to a Chase representative and find out which gateway is the right one for you.