What is a Payment Gateway?
A payment gateway is the technology service that processes card payment transactions between a merchant and the financial institutions involved. It securely transmits transaction data, handles authorisation requests, and returns the approval or decline to the merchant in real time.
What Is a Payment Gateway?
A payment gateway is a technology service that authorises and processes card payments for merchants. It acts as the intermediary between the merchant and the financial institutions involved in a transaction -- capturing the customer's card details, encrypting them, and routing them through the card networks to the issuing bank for approval or decline.
Think of it as the digital equivalent of a card machine in a physical shop. When a customer enters their card details on a website, through a mobile app, or over the phone, the payment gateway is the system that securely transmits those details and returns the result.
How a Payment Gateway Works
The payment process happens in seconds, but involves several steps:
- Step 1 -- Data capture: The customer enters their card number, expiry date, and CVV/CVC through a payment form, keypad entry, or similar interface
- Step 2 -- Encryption: The gateway encrypts the card data using TLS (Transport Layer Security) and transmits it to the payment processor
- Step 3 -- Routing: The processor routes the transaction to the relevant card network (Visa, Mastercard, etc.), which forwards it to the card issuer
- Step 4 -- Authorisation: The issuer checks the card details, available funds, and fraud signals, then sends back an approval or decline
- Step 5 -- Response: The gateway receives the response and passes it back to the merchant and customer
This entire round trip -- from the customer clicking "pay" to seeing the result -- typically takes between one and three seconds.
Payment Gateway vs Payment Processor
These two terms are often confused, but they serve different functions:
- The payment gateway is the front door -- it captures and encrypts the card data and delivers the response to the merchant
- The payment processor is the back office -- it handles the actual communication with card networks and banks to move money between accounts
Some companies provide both services under one roof (like Stripe or Worldpay), which can blur the distinction. Others specialise in one or the other. When evaluating payment providers, it is worth understanding which functions are included and which may require separate agreements.
Types of Payment Gateways
Hosted Payment Pages
The customer is redirected to a payment page hosted by the gateway provider. The merchant never handles card data directly, which simplifies PCI DSS compliance. The trade-off is less control over the checkout experience.
Integrated Gateways
The payment form is embedded directly into the merchant's website or application. This provides a smooth customer experience but means the merchant's systems are in closer contact with card data, increasing PCI DSS scope.
API-Based Gateways
Modern gateways offer APIs that allow developers to build custom payment flows. These provide maximum flexibility and are common in businesses with complex or multi-channel payment needs.
Payment Gateways and Telephone Payments
In a telephone payment scenario, the payment gateway plays the same fundamental role -- authorising the transaction with the card issuer -- but the data capture happens differently. Instead of a web form, the card details are typically entered by:
- An agent typing them into a virtual terminal (which connects to the gateway)
- The customer entering them on their phone keypad using DTMF tones (which are captured and sent to the gateway)
- An IVR system that collects the details automatically and submits them to the gateway
The choice of method has significant implications for PCI DSS compliance. When agents handle card data manually, every workstation, screen, and network segment they use comes into PCI scope. When DTMF masking or IVR systems handle the data instead, the agent environment can be descoped.
Choosing a Payment Gateway
Key factors to consider when selecting a payment gateway include:
- Supported payment methods: Does it handle the card types and alternative payment methods your customers use?
- Channel support: Can it process payments from your website, phone system, and any other channels you need?
- Integration complexity: How easily does it connect to your existing systems?
- Pricing structure: Look at per-transaction fees, monthly charges, and any hidden costs
- PCI DSS compliance: What level of compliance does the gateway hold, and how does it affect your own PCI scope?
- Settlement speed: How quickly do funds reach your account after a transaction?
- Reporting and reconciliation: Does it provide the data you need to manage your finances?
For businesses that take payments across multiple channels -- online, in-person, and over the phone -- gateway compatibility across all channels is essential to avoid managing multiple payment integrations.
Payment Gateways and PCI DSS
Payment gateways must be PCI DSS compliant because they handle sensitive card data directly. When choosing a gateway, check that it holds a current PCI DSS certificate at the appropriate level. Using a PCI-compliant gateway does not automatically make your business compliant -- it depends on how card data flows through your systems. If card data passes through your servers before reaching the gateway, those servers are in scope. If you use a hosted payment page or DTMF masking to keep card data out of your environment entirely, you can significantly reduce your PCI scope and simplify compliance.
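As an added illustration (example code written for this page, not Paytia's software and not any real gateway's API), the following Python models the two telephone data paths described in the telephone-payments section and the scope rule stated above: in path A the agent keys the card into a virtual terminal, so the full PAN lands on the workstation; in path B a DTMF masking layer keeps the keypad digits, submits them to the gateway, and hands the agent only a masked value. A small scanner of the kind used to decide whether a system is in PCI scope is then run over each side's record. The class and function names, the request shape, and the sample card number (Visa's public 4111... test number) are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def luhn_valid(pan: str) -> bool:
    """Mod-10 check used to catch a mis-keyed card number before any
    authorisation request is sent. It is an integrity check, not a fraud check."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Agent-facing form of the card number: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class GatewayRequest:
    """Assumed shape of the authorisation call the masking layer makes to the
    gateway; real gateway APIs differ."""
    pan: str
    expiry: str      # MMYY
    cvv: str
    amount_pence: int


@dataclass
class DtmfMaskingSession:
    """Path B (assumed design): sits between the phone line and the agent.
    Keypad digits are retained here and never reach the agent desktop."""
    amount_pence: int
    _fields: List[str] = field(default_factory=lambda: ["pan", "expiry", "cvv"])
    _current: List[str] = field(default_factory=list)
    _captured: Dict[str, str] = field(default_factory=dict)

    def on_dtmf(self, key: str) -> None:
        """One keypad tone. '#' closes the field currently being entered."""
        if key == "#" and len(self._captured) < len(self._fields):
            self._captured[self._fields[len(self._captured)]] = "".join(self._current)
            self._current = []
        elif key.isdigit():
            self._current.append(key)

    def finish(self) -> Optional[GatewayRequest]:
        """Request destined for the gateway, or None if the PAN fails Luhn so the
        customer can be asked to re-key instead of sending a doomed request."""
        if len(self._captured) < 3 or not luhn_valid(self._captured["pan"]):
            return None
        c = self._captured
        return GatewayRequest(c["pan"], c["expiry"], c["cvv"], self.amount_pence)

    def agent_record(self) -> Dict[str, str]:
        """Everything the agent workstation ever stores for this call."""
        return {"card": mask_pan(self._captured.get("pan", "")),
                "amount": str(self.amount_pence)}


def agent_keyed_record(pan: str, expiry: str, cvv: str, amount_pence: int) -> Dict[str, str]:
    """Path A: the agent types the details into a virtual terminal, so the full
    PAN and CVV exist on the workstation (and in anything that logs it)."""
    return {"card": pan, "expiry": expiry, "cvv": cvv, "amount": str(amount_pence)}


# 12-19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,19}(?!\d)")


def contains_pan(record: Dict[str, str]) -> bool:
    """The check a log or DLP scanner applies when deciding whether a system is in
    PCI scope: any value holding a Luhn-valid 12-19 digit run counts as a PAN."""
    return any(luhn_valid(m.group(0))
               for value in record.values()
               for m in PAN_PATTERN.finditer(value))


def compare_paths():
    """Runs both paths on constructed input (Visa's public 4111... test number,
    not a real card) and reports which path leaves a PAN on the agent side."""
    pan, expiry, cvv, amount = "4111111111111111", "1228", "123", 4250
    path_a = agent_keyed_record(pan, expiry, cvv, amount)
    session = DtmfMaskingSession(amount)
    for key in pan + "#" + expiry + "#" + cvv + "#":
        session.on_dtmf(key)
    request = session.finish()
    return contains_pan(path_a), contains_pan(session.agent_record()), request


if __name__ == "__main__":
    a_in_scope, b_in_scope, req = compare_paths()
    print("agent-keyed record holds a PAN:", a_in_scope)      # True
    print("DTMF-masked record holds a PAN:", b_in_scope)      # False
    print("gateway receives:", mask_pan(req.pan), req.expiry, req.amount_pence)
```

The point the scanner makes is the one in the paragraph above: compliance follows the data flow, not the vendor. The same PAN-detection rule can be pointed at call-recording transcripts, CRM notes, and application logs to confirm that the agent environment really has been descoped rather than assumed to be.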
Paytia integrates with all major UK payment gateways, acting as the secure bridge between your telephone payment environment and your existing gateway. When a customer enters their card details on their phone keypad during a call, Paytia captures and encrypts the data, then submits it to your payment gateway for authorisation -- all without the data ever passing through the agent's environment.
This means businesses can keep their existing payment gateway and merchant account while adding Paytia's secure telephone payment layer on top. There is no need to switch providers or renegotiate processing agreements. Paytia works alongside your current setup, adding security and PCI DSS descoping without disrupting your payment infrastructure.
Frequently Asked Questions
What is the difference between a payment gateway and a payment processor?
A payment gateway captures and encrypts card data from the customer and delivers the authorisation response to the merchant. A payment processor handles the actual communication with card networks and banks to move the money. Some providers combine both functions, while others specialise in one.
Do I need a payment gateway for phone payments?
Yes. Any card payment -- whether online, in-person, or over the phone -- needs to be authorised through a payment gateway. For phone payments, the gateway receives card data from a virtual terminal, IVR system, or DTMF capture technology rather than a website checkout form.
How do I choose a payment gateway for my business?
Consider your payment channels (online, phone, in-person), the card types and methods your customers use, integration complexity with your existing systems, per-transaction and monthly fees, PCI DSS compliance level, and settlement speed. If you take phone payments, ensure the gateway supports integration with your telephony setup.
See how Paytia handles payment gateways
Book a personalised demo and we'll show you how our platform works with your setup.
Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia