What is an eCommerce Payment Gateway? And How Does It Work?


Have you ever wondered how online businesses automatically process online payments? Well, this is the blog for you.

We’re going to look at the tech behind an online store and share some tips for when you’re setting up an eCommerce business.

Processing debit and credit card payments in a traditional brick and mortar store is pretty straightforward. A customer hands over their card and you use a POS terminal to process the payment.

However, since eCommerce transactions are completed over the internet, there’s no way a customer can physically present their card.

To process online payments, websites need the digital equivalent of a POS terminal, which is called a payment gateway.

A payment gateway is a bit of tech that serves as a secure link between a company’s website, a customer’s card issuer and the seller’s merchant account. Sounds simple, right?

Unfortunately, when it comes to financial technologies, things are rarely simple and payment gateways are no different.

In the rest of this blog, we’ll look at how payment gateways work, data security concerns, platform integration, typical costs and much much more. Let’s get started!

If you already know about payment gateways and just want to find the cheapest one for your online business, why not check out our comparison engine? Most businesses that try Cardswitcher can save up to 40% on their payment processing fees. So, what are you waiting for? Start saving money now!

 

 

How does a payment gateway work?

As we mentioned above, a payment gateway is a service that allows merchants to accept credit and debit card payments on their websites.

Below is a super simple illustration showing how a payment gateway works.

[Illustration: how a payment gateway works]

We can break the online payment process down into five steps.

  1. Your customer browses your site and finds something they like the look of. They add the product or service to their basket and hit checkout.
  2. Your customer enters their card information, including their name, address and card numbers.
  3. Your payment gateway secures that card information and forwards it to the acquiring bank.
  4. The acquiring bank then forwards the card information to the card scheme that has branded the card and then onwards to the issuing bank. If the card information matches the issuing bank’s records, the transaction is approved.
  5. The success is reported back to the payment gateway, which, in turn, reports it back to your site.

And just like that, a website has automatically processed an online payment.

Payment gateways can purr away in the background of an online business, autonomously processing tens, hundreds or thousands of transactions every single hour.

At its peak last year, Amazon sold a staggering 636 products every single second! That is some amount of work for its payment gateway!

While few businesses have to deal with the massive volume of transactions that Amazon receives, the gateway you select will inevitably affect the quality of your checkout.

Pick the right payment gateway and your customers will enjoy friction-free checkouts and you’ll enjoy sky-high conversions.

Choose the wrong provider, however, and you’ll endure mountains of rejected transactions, ridiculous fees, abysmal customer service and paper thin integration. But more on that later.

 

Should a payment page be hosted or integrated?

Generally speaking, payment gateways come in two varieties: hosted or integrated.

Whether it’s a hosted or integrated gateway basically determines how your customer’s sensitive payment information gets from their wallet to the payment gateway. Both hosted gateways and integrated gateways have their share of advantages and disadvantages.

 

Hosted Gateways

Hosted payment gateways work by redirecting your customers to a page owned and operated by your payment gateway provider. That page allows your customer to enter their payment details and then processes the transaction. Once everything is confirmed, your customer is redirected back to your website.


The big positive with hosted gateways is data security. Specifically, you don’t have to worry about how your website handles sensitive data because it doesn’t actually handle any!

The main drawback of a hosted gateway is the flipside of its big positive. For a customer to make a payment, you redirect them to the payment gateway’s website to enter their details.

The redirect is incredibly important as the customer may wonder why they are being sent to another site when they are buying something from you. The good news is many providers will actually allow you to brand your payment pages, which reduces that confusion and streamlines the whole process.

If the redirection is handled poorly, however, it can have a detrimental effect on your conversion rates.

 

Integrated Gateways

Integrated payments work by asking your customers to enter their data directly into your website. Once your website has the data, it bundles it up and sends it to the payment gateway via an API.

(An API (application program interface) is basically a way for two systems to automatically talk to each other.)


The main advantage of integrated gateways is that they allow you to retain complete control of your checkout process. There’s no redirection of users and no awkward swap between websites. A customer browses on your website and pays on your website.

However, like hosted gateways, the key drawback of an integrated gateway is actually the flipside of its key benefit.

If you’re accepting sensitive data directly on your site, you are responsible for its security. You have to make sure you comply with data security regulations.

 

How secure are payment gateways?

If you are asking your customers to enter their credit card details on your website, it’s important the technology you are using is watertight. When data security goes wrong, breaches are hugely damaging for both your business and your customers.

Thankfully, as with most financial tools, services and institutions, payment gateway developers take security incredibly seriously.

Reputable payment gateway suppliers will be level 1 compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Level 1 is the strictest standard set by PCI DSS and requires annual on-site security assessments, in-depth penetration testing and a host of other checks.

In short, if a payment gateway supplier is level 1 compliant, it’s a good sign that they take security very seriously.

 

Are payment gateways susceptible to fraud?

Payment gateways can be more secure than Fort Knox but that won’t necessarily protect you from fraudulent transactions.

The good news is payment gateways typically come with dozens of configurable fraud prevention tools. There are far too many to talk about in detail so we’ve picked out three popular tools you may have heard of.

First, 3-D Secure. 3-D Secure is the name given to the security protocols operated by card networks. Visa runs Verified by Visa, Mastercard runs SecureCode, American Express runs SafeKey and so on.

Verified by Visa

“Verified by Visa protects you from fraud and gives you extra peace of mind when shopping online.”

Mastercard SecureCode

“Mastercard SecureCode® provides enhanced security for online shopping.”

American Express SafeKey

“If you love to shop online, it’s important to stay safe. SafeKey makes the process secure, so you can focus on the fun part – choosing what to buy.”

While the specifics of the security check vary depending on the network, customers will usually be asked to enter an additional password separate from their password for your website. If the password doesn’t match the records held by the network, the transaction is automatically rejected.

This additional check helps confirm that the customer is actually the cardholder and not just someone who has stolen the card or account.

It’s worth highlighting that 3-D Secure is a completely optional tool. Merchants can and do turn it off, often mistakenly believing that it hurts their conversion rate.

Second, velocity checks by IP address. This tool basically keeps track of how many times a particular IP address has been used to place an order. If one IP address attempts to place a dozen different orders with a dozen different credit cards in the space of one hour, it’s highly likely that a fraudster is working through a pile of stolen cards.

If this sort of activity is detected, the IP address is usually blocked for a set period of time.
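A sketch of the velocity check described above, added here as an illustration and not taken from any gateway's own code. The class name, the threshold of three distinct cards and the 30-minute block are assumptions; the one-hour window comes from the text, and the sample attempts are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600     # the "space of one hour" from the text
MAX_DISTINCT_CARDS = 3    # assumed threshold; tune per business
BLOCK_SECONDS = 1800      # assumed length of the temporary block


class IpVelocityCheck:
    """Hypothetical helper: counts distinct cards tried per IP in a window."""

    def __init__(self, window=WINDOW_SECONDS, max_cards=MAX_DISTINCT_CARDS,
                 block_for=BLOCK_SECONDS):
        self.window, self.max_cards, self.block_for = window, max_cards, block_for
        self._attempts = defaultdict(deque)  # ip -> deque of (ts, card_ref)
        self._blocked_until = {}             # ip -> time the block ends

    def check(self, ip, card_ref, ts):
        """Return 'allow', 'block' (threshold just crossed) or 'blocked'.

        card_ref is a gateway token or fingerprint, never the card number.
        """
        until = self._blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return "blocked"
            del self._blocked_until[ip]      # block has expired
        attempts = self._attempts[ip]
        while attempts and attempts[0][0] <= ts - self.window:
            attempts.popleft()               # aged out of the window
        attempts.append((ts, card_ref))
        if len({ref for _, ref in attempts}) > self.max_cards:
            self._blocked_until[ip] = ts + self.block_for
            attempts.clear()
            return "block"
        return "allow"


# Constructed sample: (seconds, ip, card_ref). IPs are documentation ranges.
SAMPLE_ATTEMPTS = [
    (0, "198.51.100.20", "tok_A"), (10, "203.0.113.7", "tok_1"),
    (60, "198.51.100.20", "tok_A"), (70, "203.0.113.7", "tok_2"),
    (120, "198.51.100.20", "tok_A"), (130, "203.0.113.7", "tok_3"),
    (190, "203.0.113.7", "tok_4"), (250, "203.0.113.7", "tok_5"),
    (2000, "203.0.113.7", "tok_6"),
]


def run_sample(attempts=SAMPLE_ATTEMPTS):
    """Replay the sample and return the decisions made for each IP."""
    checker = IpVelocityCheck()
    decisions = defaultdict(list)
    for ts, ip, card_ref in attempts:
        decisions[ip].append(checker.check(ip, card_ref, ts))
    return dict(decisions)


if __name__ == "__main__":
    for ip, results in run_sample().items():
        print(ip, results)
```

Counting distinct cards rather than raw orders means a genuine customer retrying the same card three times is not flagged, while the address cycling through new cards is blocked on the fourth.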

Third, location blocking. Certain countries have higher incidences of fraud than others. Developing economies, for example, are often online fraud havens because the police simply do not have enough resources to crack down on it.

If your business is based in Brighton and you receive a flurry of transactions from Botswana, they are more likely to be fraudulent.

 

Should payment gateways use tokenisation?

In order to reach PCI compliance, all sensitive payment information—card numbers, CVV2 information, etc—must be encrypted.

Businesses have two options here: traditional encryption or tokenisation. Traditional encryption methods have been around for decades so we’re not going to touch on them here.

Tokenisation, however, is relatively new and is starting to gain real traction in the payment industry. Tokenisation works by taking a card number and replacing the 16-digit number with a randomised token.

For example, someone’s actual credit card number might be 4462 9921 4164 1212 and their token AB6690LPZZ24789G.

The token is non-descriptive and doesn’t bear any relation to the actual data it’s linked with. Unlike encrypted data, there is no key to crack and nothing to reverse engineer back to the card number. This means even if a hacker did steal the token, it wouldn’t be of any use.

Because the token maps back to the actual data through the tokenisation system, merchants are still able to process transactions through the system.

Ultimately, tokenisation means you aren’t storing sensitive card data and that’s good for data security.

Tokenisation is also really helpful for streamlining your checkout process.

For example, think about recurring payments. When a customer enters their card details on your website, they are tokenised and stored.

Now, because their details are tokenised all future payments can be made with a secure one-click feature. That means your customer doesn’t have to laboriously enter their details for every single transaction.
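The tokenisation and one-click flow described above, as an added example rather than any provider's actual implementation. `TokenVault` and `MerchantSite` are hypothetical names, the vault stands in for the gateway's tokenisation system, and the card number is the sample value from the text.

```python
import secrets
import string

# Same shape as the page's sample token: 16 upper-case letters and digits.
TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 16


class TokenVault:
    """Gateway side (hypothetical): the only place card numbers are held."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, card_number):
        pan = card_number.replace(" ", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan in self._token_by_pan:        # same card, same token
            return self._token_by_pan[pan]
        token = self._new_token()
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def _new_token(self):
        # Drawn from the OS random source, not derived from the card
        # number, so no key or algorithm maps a token back to a card.
        while True:
            token = "".join(secrets.choice(TOKEN_ALPHABET)
                            for _ in range(TOKEN_LENGTH))
            if token not in self._pan_by_token:
                return token

    def authorise(self, token, amount_pence):
        pan = self._pan_by_token.get(token)
        if pan is None or amount_pence <= 0:
            return {"approved": False}
        # A real gateway would forward the card number to the acquirer here.
        return {"approved": True, "last4": pan[-4:],
                "amount_pence": amount_pence}


class MerchantSite:
    """Merchant side: keeps the token and last four digits, never the card."""

    def __init__(self, vault):
        self.vault = vault
        self.saved_cards = {}                # customer_id -> stored record

    def save_card(self, customer_id, card_number):
        token = self.vault.tokenise(card_number)
        self.saved_cards[customer_id] = {
            "token": token, "last4": card_number.replace(" ", "")[-4:]}

    def one_click_pay(self, customer_id, amount_pence):
        record = self.saved_cards[customer_id]
        return self.vault.authorise(record["token"], amount_pence)


if __name__ == "__main__":
    site = MerchantSite(TokenVault())
    site.save_card("cust-1", "4462 9921 4164 1212")  # sample number from the text
    print(site.saved_cards["cust-1"])                # token and last four only
    print(site.one_click_pay("cust-1", 1999))
```

A copy of `saved_cards` taken from the merchant's database contains nothing that can be turned back into a card number; only the vault can resolve a token, and only as part of an authorisation.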

 

Is it easy to integrate a payment gateway?

Payment gateways work alongside shopping cart systems to deliver a complete eCommerce package. Without an integrated payment gateway, you’ve basically got a nice online showroom but no way to take payments.

The problem here is that there are hundreds of different shopping cart systems and dozens of different payment gateways. With so much variation, it’s inevitable that some gateways will be incompatible with some carts.

The good news is that it’s in the interest of the shopping cart providers to work with as many payment gateways as possible. If a system only works with a handful of gateways, they’re massively reducing their potential market.

In general, most mainstream payment gateways work with most mainstream shopping cart systems and, unless you’re using something very obscure, integration is usually a plug-and-play affair.

If you’re unsure about the compatibility of a gateway, contact the shopping cart provider and ask. It’s a ten-second conversation that could potentially save you countless hours of stress down the line.

 

Do high-risk merchants need special payment gateways?

In the payment processing sector, providers classify some businesses as ‘high-risk’. Merchants are typically classified as high-risk for one of two reasons: they operate in a high-risk industry or they have exhibited high-risk behaviour.

Let’s look at high-risk industries first. Some of the most common high-risk industries include:

  • Pharmaceuticals
  • Gambling
  • Gaming
  • Adult
  • Insurance
  • Multi-Level Marketing
  • Financial Services
  • Telemarketing

This list isn’t comprehensive but it gives you an idea of the sort of industries singled out by payment processors. Generally, these industries are classified as high-risk for one of three reasons: credit risks, regulatory risks and reputational risks.

But operating within these industries isn’t the only way businesses can be classified as high-risk.

If a business owner does something risky—for example, being convicted of money laundering, violating terms and conditions of payment processors or receiving an abnormally high level of chargebacks—their provider may add them to something called the MATCH (Member Alert to High-Risk Merchants) list. Merchant account providers use the MATCH list to quickly screen out high-risk businesses. Generally speaking, payment providers simply won’t accept businesses that are on the MATCH list.

If, for whatever reason, a business is classified as high-risk, they will struggle to buy mainstream merchant services, especially merchant accounts. While there are specialised high-risk products, these are typically more expensive than normal products.

 

How much should a payment gateway cost?

Most standalone payment gateways work in broadly the same way, charging a small fixed monthly cost for a set number of transactions. If you process more transactions than your plan allows, you’re charged at a slightly higher per-transaction rate.

Here’s a quick example of three payment gateways and their respective costs.

Payment Gateway   Monthly Cost   Transactions per Month   Cost per Transaction
Sage Pay          £19.90         <350                     £0.057
First Data        £15.50         <500                     £0.031
Real Pay          £19.00         <350                     £0.054

As you can see, payment gateway costs are very low, typically between 3p and 10p per transaction, and unlike other merchant services there isn’t a massive variation in pricing structures.

That means the most important points to think about when selecting a payment gateway are its features and integration options.

After all, if your payment gateway doesn’t integrate with your checkout, it’s utterly worthless.

Quick footnote: Remember that to actually receive payment from a customer, you need a merchant account.

Merchant account providers will also levy a charge on the merchant, which is typically between 0.3-2%, depending on your provider and what type of card your customer is using.

Finally, it’s worth talking about integrated payment gateways, which come bundled with a shared merchant account. Think Stripe, Braintree and so on. These gateways charge significantly higher payment processing fees (usually between 1% and 3%) but that includes your merchant account charges.

 

Find your perfect payment gateway

Finding the right payment gateway for your eCommerce website is a super important task. If you pick the wrong gateway, your payment page will become a convoluted mess and your conversions will plummet.

However, if you pick the right gateway, your users will float through your checkout process and the sales will fly in. Here are our top picks for three of the leading eCommerce platforms: WooCommerce, Shopify and Magento.

 

Best WooCommerce payment gateway

WooCommerce is the most popular eCommerce platform on the market, powering approximately one-fifth of all eCommerce websites.

When it comes to payment gateways, merchants have a lot of choice. Here are our top three picks.

  • Braintree: Braintree is part of PayPal and works as a slightly techier version of PayPal’s Pro service. It’s simple to set up and has a flat pricing structure: 1.9% + 20p on all transactions. Braintree is an integrated service so you don’t need to arrange a separate merchant account.
  • Stripe: Stripe is the darling of the tech industry, loved by developers the world over for its powerful API and outstanding documentation. Like Braintree, Stripe comes with a shared merchant account. It charges 1.4% + 20p on all transactions.
  • Authorize.Net: As one of the biggest payment gateway providers, Authorize.Net is always going to be a strong contender for online merchants. It charges £19 per month for the gateway and charges 10p per transaction for authorisation. Since this is a standalone payment gateway, you will also have to pay merchant account fees to your merchant account provider.

WooCommerce supports a tonne of payment gateways—over 100! For a full list of supported gateways, check out their Payment Extension page.

 

Best Shopify payment gateways

Thanks to its super user-friendly UI, Shopify has solidified its position as the pre-built eCommerce platform. Currently, around 18% of all eCommerce websites run on Shopify.

Since Shopify tries to keep its users within its own ecosystem, payment gateway choice is a little more limited. Here are our top three picks, along with Shopify’s own payment system.

  • Shopify Payments: Shopify offers its own payment gateway called Shopify Payments. Online credit card transactions are charged at 2.2% + 20p, 1.9% + 20p and 1.6% + 20p for the Basic, Shopify and Advanced tiers, respectively. If you choose to use another payment gateway, Shopify will charge an additional fee: 2% (Basic), 1% (Shopify) and 0.5% (Advanced).
  • Amazon Pay: Amazon Pay is a relatively new payment gateway but it’s gaining traction fast. As you might have guessed, it’s best for merchants who are also selling through Amazon. Pricing ranges from 3.4% + 20p for low volume merchants (less than £1,500 per month) to 1.5% + 20p for high volume merchants (above £55,000 per month).
  • Authorize.Net: As one of the biggest payment gateway providers, Authorize.Net is always going to be a strong contender for online merchants. It charges £19 per month for the gateway and charges 10p per transaction for authorisation. Since this is a standalone payment gateway, you will also have to pay merchant account fees to your merchant account provider.
  • Paysafe: Paysafe is another big player in the payment processing industry. Like Authorize.Net, it’s a standalone payment gateway so you’ll need to arrange a merchant account to pair with it.

Shopify supports over 40 different payment gateways. Check out their payment gateway section for a comprehensive list.

 

Best Magento payment gateway

Magento is the go-to option for big, complicated eCommerce websites. It’s incredibly powerful and flexible and that’s reflected in its payment gateway choice, which is huge. Here are our top three picks for Magento eCommerce websites.

  • Braintree: Braintree is part of PayPal and works as a slightly techier version of PayPal’s Pro service. It’s simple to set up and has a flat pricing structure: 1.9% + 20p on all transactions. Braintree is an integrated service so you don’t need to arrange a separate merchant account.
  • Stripe: Stripe is the darling of the tech industry, loved by developers the world over for its powerful API and outstanding documentation. Like Braintree, Stripe comes with a shared merchant account. It charges 1.4% + 20p on all transactions.
  • Amazon Pay: Amazon Pay is a relatively new payment gateway but it’s gaining traction fast. As you might have guessed, it’s best for merchants who are also selling through Amazon. Pricing ranges from 3.4% + 20p for low volume merchants (less than £1,500 per month) to 1.5% + 20p for high volume merchants (above £55,000 per month).

Magento supports a tonne of payment gateways! For a full list of supported gateways, check out their Payment Integration Extensions page. But watch out as some services are tier-specific.

 

Best payment gateway for your business

Finding the right payment gateway for your business can be a difficult process. Thankfully, many of our partners also offer payment gateways.

Jump over to our payment gateway comparison page, plug in a few details about your business and we’ll show you what deals are available to you.

It only takes two minutes to get a quote and could save you up to 40 percent on your payment processing fees. So, what are you waiting for?
