What Is a Payment Gateway: All You Need to Know

Secure and timely payments are a key prerequisite for ecommerce merchants as they ensure a steady cash flow.

If the payment process is swift and straightforward, customers are more likely to convert into repeat buyers and develop a long-term relationship with a merchant. To reach this goal, merchants need a reliable payment gateway, an important piece in the payment processing puzzle.

This article explains what a payment gateway is, how it works, and what factors to consider when choosing one.

What is a payment gateway

A payment gateway portal is software that enables merchants to accept credit card payments online. It is equivalent to a POS terminal in a brick-and-mortar store.

A payment gateway collects and encrypts sensitive customer payment information and sends it to the payment processor and the merchant acquiring bank. When the customer leaves their payment information on the checkout page, they are actually interacting with the payment gateway’s front-end. The payment gateway then encrypts the payer’s personal and payment data, keeping it safe from malevolent third parties.

Note: Follow the link to learn more about the differences between a merchant account and a payment gateway.

How Does a Payment Gateway Work?

Payment gateways facilitate online transactions by handling sensitive information in the following stages of payment processing:

  1. The customer enters their bank card information on the checkout page.
  2. The payment gateway encrypts the payer’s personal and payment data to keep the assets safe from unauthorized intrusion and data theft.
  3. The encrypted payment information is sent to the payment processor.
  4. The payment processor delivers the transaction details through the card association to the card-issuing bank.
  5. The bank either approves or declines the payment and notifies the payment processor.
  6. The payment processor forwards the notification to the merchant through the payment gateway.

Note: Learn more about payment processors in our article What Is a Payment Processor?

Types of Payment Gateways

There are several types of payment gateways, depending on whether the merchant controls all steps of the payment process or authorizes third-party providers to do this on their behalf.

Hosted Payment Gateways

In a hosted payment gateway, the customer is redirected from the merchant’s website to the payment processor’s hosted payment page to complete the payment. When the payment data is submitted, the customer is sent back to the merchant’s website to finalize the checkout.

With a hosted payment gateway, the merchant doesn’t store or deal with the customer’s payment details. Everything is handled by a third-party payment processor.

Such transactions are PCI compliant and secure, but the merchant doesn’t have complete control over the payment process.

Self-Hosted Payment Gateways

In a self-hosted payment gateway, there are no redirects to third-party providers. The merchant collects and stores customers’ payment details and then sends them to the payment processor.

Using this type of payment gateway ensures that the merchant has full control of the payment process.

However, it costs more and takes more time to set up a self-hosted payment gateway. Additionally, the security certification process is complex.

API Payment Gateway

An API (Application Programming Interface) payment gateway is a subcategory of a self-hosted payment gateway. In this gateway, merchants link with the payment processor’s API. Customers submit their credit or debit card data at the checkout, and complete the payment without leaving the merchant’s website.

The entire payment process stays in the merchant’s hands. It is up to the merchant to develop a payment gateway app, build the front-end and integrate the back-end with their payment processor’s API. Thanks to all that control, merchants can fully customize the user experience.

In some API payment gateways, merchants are responsible for payment security and PCI compliance.

However, there are API payment gateways, such as CCBill’s payment gateway API, which cover PCI compliance on the merchant’s behalf. Such integrations are simpler and more affordable for merchants that need fast and efficient payment gateway services.

Note: CCBill provides a user-friendly payment gateway API that allows merchants to efficiently control their customers' purchase flow. Learn more about what an API integration is.

Local Bank Integration

In a local bank integration gateway, the page where the customer is redirected to make the payment is built and supported by the bank. Once they complete the transaction, they return to the merchant’s website.

A local bank integration payment gateway is simple to use. Hence, it’s useful for SMB owners who want to easily accept online payments.

However, it doesn’t typically include refunds or a way to set up recurring payments. Therefore, it’s not meant for subscription-based businesses or merchants aiming to encourage recurring customers.

Things to Consider When Choosing a Payment Gateway

Since a payment gateway is the security backbone of payment processing, it is vital to know how to choose a secure payment gateway. To ensure you make the right choice, consider these questions.

How Secure Is the Payment Gateway?

Payment gateways ensure security with data encryption, the SSL protocol, PCI DSS compliance, two-factor authentication and tokenization.

  • Data encryption. Payment gateways encrypt customer payment card information. The only way to decrypt the information is with a private key. This ensures that information is shared with relevant parties only.
  • SSL protocol. Much like data encryption, SSL creates a safe, encrypted channel to transmit the sensitive payment data to other parties (e.g., payment processor and acquiring bank).
  • PCI DSS compliance. PCI DSS is a set of security requirements all participants in payment processing must adhere to.
  • Tokenization. Tokenization is a special security method in which customer information is replaced with randomly generated clusters of characters that potential hackers and third-party intruders cannot decipher.

These standards and protocols ensure that checkouts and payment forms follow rigorous security regulations.

What Types of Cards Are Accepted by the Payment Gateway?

Offering multiple payment methods reduces the churn rate and fosters long-term customer loyalty.

Visa and Mastercard are the leading card associations on a global level. It's crucial for a merchant to choose a secure and reliable payment gateway that supports these two card associations.

When choosing a payment gateway, determine credit card processing fees in advance. Bear in mind that the payment gateway, the relevant credit card association, and the issuing bank all take a portion of every processed transaction.

During the selection process, ask about support for alternative payment methods, such as SEPA payments, digital wallets (Apple Pay, CCBill Pay, PayPal, etc.), and the potential additional fees these might incur. Being able to provide alternative payment methods is crucial for merchants aiming at a global audience.

Note: Refer to our article ACH vs SEPA to find out more about these two payment types depending on whether your business operates in the US, European Economic Area (EEA), or both.

Does It Offer Recurring Payments?

Merchants collecting monthly or annual subscriptions, businesses that provide different financial services, and membership sites need a payment gateway that offers recurring payments.

In a recurring payment, the customer leaves their payment data on the merchant’s website during the first payment and authorizes the merchant to draw funds from their card on a regular, predefined basis. The payment gateway memorizes, stores, and keeps the payment details necessary to carry out automatic payments.

Ask potential payment gateway providers if they offer such payment services and at what price.

How Much Does It Cost?

Payment gateways typically offer merchants several packages based on a tiered pricing model.

They often highlight the most affordable pricing plan to draw merchants’ attention to their services. However, pricing plans may depend on the type of the service or product in question, the merchant’s business model, and various risk factors. For instance, merchants with a high chargeback rate are considered high-risk businesses, so payment gateways usually charge higher fees for such transactions.

If the same company is your payment processor and payment gateway, the total costs might be lower than hiring two separate entities for these services.

Make sure to ask about fixed fees and additional costs, such as fees related to chargeback or refund requests.

Limitations of Payment Gateways

Payment gateways come with certain limitations, as explained below.

Security Issues

Keeping online transactions safe and preventing ecommerce fraud is an essential condition for any successful online business. During the payment gateway selection process, ask the potential gateway providers if they are PCI compliant and how they implement the SSL certificate. Moreover, a trustworthy payment gateway must keep all its security mechanisms updated to protect customer data around the clock.

Gateways Don’t Always Accept All Types of Payments/Cards

Payment gateways usually advertise their strong points and most popular payment options. However, they don’t typically highlight what types of cards and payments they don’t accept.

Payment limitations may refer to payment method types, certain geographical regions, or high-risk processing.

Merchants need to know who their customers are and what payment methods they prefer. This will help them negotiate the terms and conditions with the most suitable payment gateway provider.

International Shoppers May Not Have a Payment Option

International shoppers might not be able to make a purchase if your payment gateway doesn’t support their region. Furthermore, supporting regional payment methods makes a difference.

For instance, Germany’s most popular payment card is Girocard, leaving Visa and Mastercard far behind. Likewise, in China, Alipay is much more popular than the standard payment options used in North America. A merchant wishing to accept payments from these countries needs a payment gateway that supports transactions from these regions. Preferably, the payment gateway should support regional payment methods too.

Consider these market differences and discuss potential issues with your payment gateway provider.

Note: Learn which other things to consider when selecting a payment gateway from our article How to Choose a Payment Gateway for Your Ecommerce Store.


Knowing how different payment gateways work and what their limitations are is essential before entering negotiations with a payment gateway provider.

Merchants who select the most suitable payment gateway for their customers’ needs and payment preferences will ensure a steady cash flow and continuous business development.

The guide above helps merchants understand what elements to focus on when choosing a payment gateway and how the right payment gateway can improve business operations.