Have you ever wondered how websites automatically process payments? Well, this is the blog for you.
We’re going to look at the tech behind eCommerce businesses and share some tips for when you’re setting up an eCommerce business.
Processing card payments in a bricks and mortar store is pretty straightforward. A customer hands over their card and you use a POS terminal to process the payment.
However, since eCommerce transactions are completed over the internet, there’s no way a customer can physically present their card.
To process payments, websites need the digital equivalent of a POS terminal, which is called a payment gateway.
A payment gateway is a bit of tech that serves as a secure link between a company’s website, a customer’s card issuer and the seller’s merchant account.
Sounds simple, right?
Unfortunately, when it comes to financial technologies, things are rarely simple and payment gateways are no different.
In the rest of this blog, we’ll look at how payment gateways work, data security concerns, platform integration, typical costs and much much more. Let’s get started!
How does a payment gateway work?
As we mentioned above, a payment gateway is a service that allows merchants to accept credit and debit card payments on their websites.
Below is a super simple illustration showing how a payment gateway works.
We can break the payment process down into five steps.
- Your customer browses your site and finds something they like the look of. They add the product or service to their basket and hit checkout.
- Your customer enters their personal information, including their name, address and card numbers.
- Your payment gateway secures that information and forwards it to the acquiring bank.
- The acquiring bank then forwards the information to the card scheme that has branded the card and then onwards to the issuing bank. If the information matches the issuing bank’s records, the transaction is approved.
- The success is reported back to the payment gateway, which, in turn, reports it back to your site.
And just like that, a website has automatically processed a payment.
Payment gateways can purr away in the background of a business, autonomously processing tens, hundreds or thousands of transactions every single hour.
At its peak last year, Amazon sold a staggering 636 products every single second! That is some amount of work for its payment gateway!
While few businesses have to deal with the massive volume of transactions that Amazon receives, the gateway you select will inevitably affect the quality of your checkout.
Pick the right payment gateways and your customers will enjoy friction-free checkouts and you’ll enjoy sky high conversions.
Choose the wrong provider, however, and you’ll endure mountains of rejected transactions, ridiculous fees, abysmal customer service and paper thin integration. But more on that later.
Should a payment page be hosted or integrated?
Generally speaking, payment gateways come in two varieties: hosted or integrated.
Whether it’s a hosted or integrated gateway basically determines how your customer’s sensitive information gets from their wallet to the payment gateway. Both hosted gateways and integrated gateways have their share of advantages and disadvantages.
Hosted payment gateways work by redirecting your customers to a page owned and operated by your payment gateway. That page allows your customer to enter their payment details and then processes the transaction. Once everything is confirmed, your customer is redirected back to your website.
The big positive with hosted gateways is data security. Specifically, you don’t have to worry about how your website handles sensitive data because it doesn’t actually handle any!
The main drawback of a hosted gateway is the flipside of its big positive. For a customer to make a payment, you redirect them to the payment gateway’s website to enter their details.
The redirect is incredibly important as the customer may wonder why they are being sent to another site when they are buying something from you. The good news is many providers will actually allow you to brand your payment pages, which reduces that confusion and streamlines the whole process.
If the redirection is handled poorly, however, it can have a detrimental effect on your conversion rates.
Integrated payments work by asking your customers to enter their data directly into your website. Once your website has the data, it bundles it up and sends it to the payment gateway via an API.
(An API (application program interface) and is basically a way for two systems to automatically talk to each other.)
The main advantage of integrated gateways is that they allow you to retain complete control of your checkout process. There’s no redirection of users and no awkward swap between websites. A customer browses on your website and pays on your website.
However, like hosted gateways, the key drawback of an integrated gateway is actually the flipside of its key benefit.
If you’re accepting sensitive data directly on your site, you are responsible for its security. You have to make sure you comply with data security regulations and legislation, which can be complex and expensive.
How secure are payment gateways?
If you are asking your customers to enter their credit card details on your website, it’s important the technology you are using is watertight. When data security goes wrong, breaches are hugely damaging for both your business and your customers.
Thankfully, as with most financial tools, services and institutions, payment gateway developers take security incredibly seriously.
Reputable payment gateway suppliers will be level 1 compliant with the Payment Card Industry Data Security Standard (PCI DSS).
Level 1 is the strictest standard set by PCI DSS and requires annual on-site security assessments, in-depth penetration testing and a host of other checks.
In short, if a payment gateway supplier is level 1 compliant, it’s a good sign that they take security very seriously.
Are payment gateways susceptible to fraud?
Payment gateways can be more secure than Fort Knox but that won’t necessarily protect you from fraudulent transactions.
The good news is payment gateways typically come with dozens of configurable fraud prevention tools. There’s far too many to talk about in detail so we’ve picked out three popular tools you may have heard of.
While the specifics of the security check vary depending on the network, customers will usually be asked to enter an additional password separate from their password for your website. If the password doesn’t match the records held by the network, the transaction is automatically rejected.
This additional check helps confirm that the customer is actually the cardholder and not just someone who has stolen the card or account.
It’s worth highlighting that 3-D Secure is a completely optional tool. Merchants can and do turn it off, often mistakenly believing that it hurts their conversion rate.
Second, velocity checks by IP address. This tool basically keeps track of how many times a particular IP address has been used to place an order. If one IP address attempts to place a dozen different orders with a dozen different credit cards in the space of one hour, it’s highly likely that a fraudster is working through a pile of stolen cards.
If this sort of activity is detected, the IP address is usually blocked for a set period of time.
Third, location blocking. Certain countries have higher incidences of fraud than others. Developing economies, for example, are often online fraud havens because the police simply do not have enough resources to crack down on it.
If your business is based in Brighton and you receive a flurry of transactions from Botswana, they are more likely to be fraudulent.
Should payment gateways use tokenisation?
In order to reach PCI compliance, all sensitive data — card numbers, CVV2 information, etc — must be encrypted.
Businesses have two options here: traditional encryption or tokenisation. Traditional encryption methods have been around for decades so we’re not going to touch on them here.
Tokenisation, however, is relatively new and is starting to gain real traction in the payment industry. Tokenisation works by taking a card number and replacing the 16-digit number with a randomised token.
For example, someone’s actual credit card number might be 4462 9921 4164 1212 and their token AB6690LPZZ24789G.
The token is non-descriptive and doesn’t bear any relation to the actual data it’s linked with. Unlike encrypted data, there is no way to crack the encryption and reverse engineer it back to the card number. This means even if a hacker did steal the token, it wouldn’t be of any use.
Because the token maps back to the actual data through the tokenisation system, merchants are still able to process transactions through the system.
Ultimately, tokenisation means you aren’t storing sensitive card data and that’s good for data security.
Tokenisation is also really helpful for streamlining your checkout process.
For example, think about recurring payment. When a customer enters their card details on your website, they are tokenised and stored.
Now, because their details are tokenised all future payments can be made with a secure one-click feature. That means your customer doesn’t have to laboriously enter their details for every single transaction.
Is it easy to integrate a payment gateway?
Payment gateways work alongside shopping cart systems to deliver a complete eCommerce package. Without an integrated payment gateway, you’ve basically got a nice online showroom but no way to take payments.
The problem here is that there’s hundreds of different shopping cart systems and dozens of different payment gateways. With so much variation, it’s inevitable that some gateways will be incompatible with some carts.
The good news is that it’s in the interest of the shopping cart providers to work with as many payment gateways as possible. If a system only works with a handful of gateways, they’re massively reducing their potential market.
In general, most mainstream payment gateways work with most mainstream shopping cart systems and, unless you’re using something very obscure, integration is usually a plug-and-play affair.
If you’re unsure about the compatibility of a gateway, contact the shopping cart provider and ask. It’s a ten-second conversation that could potentially save you countless hours of stress down the line.
How much should a payment gateway cost?
All payment gateway business models work in broadly the same way, charging a small fixed monthly cost for a set number of transactions. If you process more transactions than your plan allows, you’re charged at a slightly higher per-transaction rate.
Here’s a quick example of three payment gateways and their respective costs.
|Payment Gateway||Monthly Cost||Transactions per Month||Cost per Transaction|
As you can see, payment gateway costs are very low, typically between 3p and 10p per transaction and unlike most other payment service providers there isn’t a massive variation in pricing structures.
That means the most important points to think about when selecting a payment gateway are its features and integration options.
After all, if your payment gateway doesn’t integrate with your checkout, it’s utterly worthless.
Quick footnote: Remember that to actually receive payment from a customer, you need a merchant account.
Merchant account providers will also levy a charge on the merchant, which is typically between 0.3-2%, depending on your provider and what type of card your customer is using.
In general, most payment gateways will work with most merchant accounts so it’s a matter of mix and matching for the best combination. Functionality and integration doesn’t vary much between merchant accounts so this is a decision you should make based on price.
Find your perfect payment gateway
Finding the right payment gateway for your business can be a difficult process. Thankfully, many of our partners also offer payment gateways.
Jump over to out payment gateway comparison page, plug in a few details about your business and we’ll show you what deals are available to you.
It only takes two minutes to get a quote and could save you up to 40 percent on your payment processing fees. So, what are you waiting for?