Whether you are an eCommerce platform owner or just maintaining your online presence, you want to offer your customers a safe, quick, and easy-to-use payment system. The chosen payment solution has to satisfy both the needs of your customers and your business. So, it has to be protected from fraud, support a variety of payment methods, be convenient to use, and compatible with your platform.
To accept electronic payments and be able to process credit or debit cards, a merchant uses a payment gateway. Choosing the right payment gateway determines the currencies you can accept, the transaction fee, how fast money gets in your merchant account, and the payment methods you’ll offer.
According to Invespcro.com, over 23 percent of customers abandon their shopping carts because of a complex checkout (11 percent) system or too much information required to complete it (12 percent). These statistics confirm that choosing the right payment solution provider is as important as other aspects of a good eCommerce website. But, in order to choose a payment solution, first, we need to understand what is a payment gateway and how it works.
What is a payment gateway?
A payment gateway is a service that authorizes and processes payments in online and brick-and-mortar stores. A gateway serves as a portal that facilitates transaction flow between customers and merchants. It uses security protocols and encryption to pass the transaction data safely. The data is transferred from websites, applications, or mobile devices to payment processors and banks, and back.
Payment gateways can execute the following transaction types:
Authorization – a type of transaction used to check if a customer has enough funds to pay. It doesn’t include the actual money transfer. Instead, during authorization, a merchant ensures that a cardholder is capable of paying for an ordered item. An authorization transaction is used for orders that take time to ship/manufacture.
Capture – the actual processing of a previously authorized payment resulting in funds being sent to the merchant’s account.
Sale – a combination of authorization and capture transactions. A cardholder is first authorized; then funds may or may not be captured. It's the regular payment type for immediate purchases, like a subscription purchase or e-tickets.
Refund – the result of a canceled order, for which a merchant has to process a refund payment to return the money.
Void – similar to refund but can be done if funds were not yet captured.
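The five transaction types above form a small state machine, and most gateway integration mistakes come from calling them in the wrong order (refunding an uncaptured authorization, voiding after capture, capturing more than was authorized). The Python below is an added example, not the article's code or any gateway's API; it models one payment's lifecycle with those rules enforced, treating a sale as an authorization followed immediately by a capture and allowing partial refunds until the captured amount is exhausted. Order ids and amounts are constructed sample values.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Lifecycle states of one card payment, matching the transaction types above
AUTHORIZED, CAPTURED, VOIDED, REFUNDED = "authorized", "captured", "voided", "refunded"


class PaymentError(Exception):
    """Raised when a transaction type is requested in a state that does not allow it."""


@dataclass
class Payment:
    order_id: str
    authorized_amount: Decimal
    state: str = AUTHORIZED
    captured_amount: Decimal = Decimal("0")
    refunded_amount: Decimal = Decimal("0")
    history: list = field(default_factory=list)

    def capture(self, amount=None):
        # Capture actually moves money, so it needs a live authorization and
        # may never exceed the amount the issuer approved.
        if self.state != AUTHORIZED:
            raise PaymentError(f"cannot capture a payment that is {self.state}")
        amount = self.authorized_amount if amount is None else Decimal(amount)
        if amount <= 0 or amount > self.authorized_amount:
            raise PaymentError("capture must be within the authorized amount")
        self.captured_amount = amount
        self.state = CAPTURED
        self.history.append(("capture", str(amount)))
        return self

    def void(self):
        # Void cancels an authorization while no funds have moved yet.
        if self.state != AUTHORIZED:
            raise PaymentError("only an uncaptured authorization can be voided")
        self.state = VOIDED
        self.history.append(("void", str(self.authorized_amount)))
        return self

    def refund(self, amount=None):
        # Refund returns captured money; partial refunds are allowed until the
        # captured amount is exhausted, at which point the payment is fully refunded.
        if self.state != CAPTURED:
            raise PaymentError("only captured funds can be refunded; void an authorization instead")
        remaining = self.captured_amount - self.refunded_amount
        amount = remaining if amount is None else Decimal(amount)
        if amount <= 0 or amount > remaining:
            raise PaymentError("refund exceeds the remaining captured amount")
        self.refunded_amount += amount
        if self.refunded_amount == self.captured_amount:
            self.state = REFUNDED
        self.history.append(("refund", str(amount)))
        return self


def authorize(order_id, amount):
    """Authorization only: reserve funds, move nothing (goods that ship later)."""
    return Payment(order_id, Decimal(amount))


def sale(order_id, amount):
    """Sale = authorization immediately followed by capture (immediate purchases)."""
    return authorize(order_id, amount).capture()


def rejects(operation, *args):
    """Demo helper: True if the state machine refuses the requested operation."""
    try:
        operation(*args)
    except PaymentError:
        return True
    return False


if __name__ == "__main__":
    payment = authorize("order-1", "100.00").capture("60.00")
    print(payment.state, payment.captured_amount, rejects(payment.void))
```

Amounts are kept as `Decimal` rather than floats so that a partial refund of 20.00 against 60.00 leaves exactly 40.00 remaining; the `history` list is the audit trail a merchant would keep alongside the gateway's own transaction ids.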
Payment processing flow
The infrastructure of online payment processing is more complicated than you might imagine. For the customer, it's represented by a small window or a separate website where they pass through checkout. But behind that, processing involves several financial institutions and tools verifying the transaction data on both ends, allowing the customer to complete the purchase in a few seconds.
When a customer checks out – passing the card number, expiration date, and CVV – a payment gateway has to perform several tasks, which take about 3-4 seconds:
- Customer. A customer presses a “Purchase” button and fills in the necessary fields to pass the transaction data. The data is encrypted and sent to the merchant's web server via an SSL connection.
- Merchant and payment gateway. After the transaction data is received, the merchant passes it to the payment gateway via another encrypted SSL channel. If any data is stored by the payment gateway, it is held in a specific type of secured storage. Usually, gateways don't store actual credit card numbers but rather save tokens.
- Payment processor. The information goes to payment processors. These are the companies that provide payment processing services as third-party players. Payment processors are connected both with a merchant’s account and a payment gateway, transferring data back and forth. At that stage, a payment processor is passing the transaction to a card network (Visa, Mastercard, American Express, etc.).
- Visa/Mastercard/American Express/Discover. The role of a card network is to verify the transaction data and pass it to the issuer bank (the bank that produced the cardholder’s credit/debit card).
- Issuer bank. The issuer bank accepts or denies the authorization request. In response, the bank sends a code back to the payment processor, which contains the transaction status or error details.
- Payment gateway. Transaction status is returned to the payment gateway, then passed to the website.
- Customer and issuing bank. A customer receives a message with the transaction status (accepted or denied) via a payment system interface.
- Issuer bank. Within a couple of days (generally the next day), the funds are transferred to the merchant's account. The transfer is made from the issuing bank to the acquiring bank.
Payment processing scheme.
Now let's look at the variety of payment gateways. To integrate a payment system into your website, you will have to follow multiple steps.
Payment gateway integration
Generally, there are four main methods to integrate a payment gateway. All of them differ by two major factors:
- whether you must be in compliance with any financial regulation (PCI DSS), and
- the degree of user experience concerning the checkout and payment procedure.
So let’s discover what the options are here and which integration methods suit your needs.
What is PCI DSS compliance and when do you need it?
In case you just need a payment gateway solution and don't plan to store or process credit card data, you may skip this section, because all the processing and regulatory burden will be carried out by your gateway or payment service provider.
But in case you're going to deal with sensitive financial data, you’ll need to comply with some industry regulations. Payment Card Industry Data Security Standard (PCI DSS) is a necessary element for processing card payments. This security standard was created in 2004 by the four biggest card associations: Visa, MasterCard, American Express, and Discover.
To become PCI compliant, you will have to complete 5 steps:
- Define your compliance level. There are four levels of compliance, determined by the number of successful transactions your business has completed. Transactions count if they were made with MasterCard, Visa, American Express, or Discover cards.
- Study the PCI Self-Assessment Questionnaire (SAQ). SAQ is a set of requirements and sub-requirements. The latest version has 12 requirements.
- Complete the Attestation of Compliance (AOC). AOC is a kind of exam you take after reading the requirements. There are 9 types of AOC for different businesses. The one required for retailers is called AOC SAQ D - Merchants.
- Conduct an External Vulnerability Scan by the Approved Scanning Vendor (ASV). The list of ASVs can be found here.
- Submit your documents to the acquirer bank and card associations. The documents include the ASV scan report and your filled-in SAQ and AOC.
Given this information, we’re going to look at the existing integration options and explain the pros and cons of each. We’ll also focus on whether you must comply with PCI DSS in each case as we explain what integration methods suit different types of businesses.
Hosted payment gateway
A hosted payment gateway acts as a third party. So it requires your customers to leave your website to complete a purchase. Basically, that's the case when a customer is redirected to a payment gateway web page to type in their credit card number. When the transaction data is sent, the customer is redirected back to the merchant's page. Here they finalize the checkout, where the transaction approval is shown.
Hosted payment gateway work scheme
The pros of a hosted payment gateway are that all payment processing is handled by the service provider, and client card data is stored by the vendor as well. So using a hosted gateway requires no PCI compliance and offers fairly easy integration.
The cons are that there is a lack of control over a hosted gateway. Customers may not trust third-party payment systems. Besides that, redirecting them away from your website lowers conversion rate and doesn’t help your branding either.
How to integrate: Integration guides are generally open on the vendor's websites and the connection happens through an API. For example, PayPal Checkout suggests integration in the form of a Smart Payment Button. Basically, it's a piece of HTML code that implements a PayPal button on your checkout page. It invokes the PayPal REST API calls to validate, collect, and send payment information through a gateway, whenever a user triggers the button.
Best fit for: small or local businesses that are more comfortable using an external payment processor.
Direct Post method
Direct Post is an integration method that allows a customer to shop without leaving your website and doesn't require you to obtain PCI compliance. Direct Post assumes that the transaction data will be posted to the payment gateway after a customer clicks a "purchase" button. The data goes straight to the gateway and processor without being stored on your own server.
The pros of this method are the same as for an integrated payment gateway: you get customization options and branding capabilities without PCI DSS compliance, and the user performs all the necessary actions on one page.
The con is that the Direct Post method isn't completely secure: the checkout form is still served from your own page, so the card data path is only as trustworthy as that page and the fields it posts.
How to integrate: A vendor would set up the API connection between your shopping cart and its payment gateway to post the card data.
Best fit for: can be used by businesses of all sizes.
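With Direct Post the customer's browser posts the card data together with the order fields straight to the gateway, which means the gateway must be able to tell that the order id, amount and currency are the ones your server generated and were not altered on the way. The Python below is an added example, not the article's code and not any particular vendor's Direct Post API: the merchant server signs the hidden form fields with an HMAC over a shared transaction key, and the gateway recomputes and checks that signature (plus a freshness window) before it processes the card. `API_LOGIN`, `TRANSACTION_KEY`, the field names and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import time
from decimal import Decimal

# Constructed credentials for the demo. The transaction key is shared between the
# merchant server and the gateway; it is never placed in the checkout page itself.
API_LOGIN = "merchant-demo"
TRANSACTION_KEY = b"constructed-shared-secret-for-the-example"
SIGNED_FIELDS = ("api_login", "order_id", "amount", "currency", "timestamp")


def sign(fields):
    # Canonical, fixed field order so both sides hash identical bytes; card fields
    # are intentionally excluded, the merchant never sees them.
    message = "|".join(str(fields[name]) for name in SIGNED_FIELDS).encode()
    return hmac.new(TRANSACTION_KEY, message, hashlib.sha256).hexdigest()


def build_checkout_form(order_id, amount, currency="USD", now=None):
    """Merchant server side: hidden fields rendered into the checkout page.
    The customer's browser posts them, plus the card data, straight to the gateway."""
    fields = {
        "api_login": API_LOGIN,
        "order_id": order_id,
        "amount": f"{Decimal(amount):.2f}",
        "currency": currency,
        "timestamp": int(now if now is not None else time.time()),
    }
    fields["signature"] = sign(fields)
    return fields


def gateway_verify(posted, now=None, max_age_seconds=900):
    """Gateway side: validate a posted form before touching the card data.
    Returns (accepted, reason)."""
    missing = [name for name in SIGNED_FIELDS + ("signature",) if name not in posted]
    if missing:
        return False, f"missing fields: {missing}"
    # Constant-time comparison of the merchant's HMAC with a freshly computed one;
    # any change to order id, amount or currency between server and gateway breaks it.
    if not hmac.compare_digest(sign(posted), str(posted["signature"])):
        return False, "signature mismatch: signed fields were altered or key is wrong"
    age = (now if now is not None else time.time()) - int(posted["timestamp"])
    if not 0 <= age <= max_age_seconds:
        return False, "form is stale or timestamp is in the future"
    return True, "accepted"


def browser_submit(form, card_number, expiry, cvv, **overrides):
    """Simulates the customer's browser POSTing the form to the gateway.
    `overrides` lets the demo show that a changed field is rejected."""
    posted = {key: str(value) for key, value in form.items()}
    posted.update({"card_number": card_number, "expiry": expiry, "cvv": cvv})
    posted.update(overrides)
    return posted


if __name__ == "__main__":
    form = build_checkout_form("order-42", "49.99")
    posted = browser_submit(form, "4111111111111111", "12/27", "123")
    print(gateway_verify(posted))
```

The same idea applies in the other direction: when the gateway redirects or calls back to your site with the result, verify its signature over the order id, amount and status before marking the order as paid, rather than trusting the fields as received.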
Non-hosted (integrated) method
An integrated payment gateway basically means there are no third parties involved at the checkout stage. Companies using integrated gateways obtain PCI DSS compliance, which means they're in charge of storing, securing, and conducting initial verification for each transaction. This is done by installing a payment gateway solution available on the merchant's website.
In some cases, companies can use a white label payment gateway as a non-hosted solution. This is basically a prebuilt gateway that can be customized and branded as your own. Here are some well-known white label solutions designed for merchants:
An integrated gateway can be a dedicated source of revenue, as merchants that obtain all the necessary compliance become payment service providers themselves. This means your business can process payments for other merchants for a fee. But, besides the regulatory aspect, being a payment gateway provider brings a technological burden, because you need an infrastructure to safely store transaction data, credit card tokens, etc.
The pros are that you have full control over the transactions at your website. You can customize your payment system as you wish, and tailor it to your business needs. In case of a white-label solution, the payment gateway is your branded technology.
The cons generally are all about maintaining the infrastructure of your payment system and the related expenses. To use an integrated gateway, you have to be PCI compliant first of all, because you will have to store all clients’ credit card data on your own servers. Also, integrating the gateway can be tricky if you want to add custom functionality.
How to integrate: Non-hosted payment gateways are integrated via APIs to your server. Consequently, it will require an engineering team to perform the integration. Most vendors have well-documented integration guides, API references, or developer portals.
Best fit for: medium and large businesses that rely heavily on branding and user experience.
Choosing a payment gateway provider
Now, you can choose a payment solution for your business considering all factors, your business specifics, and your customers. Here are some things to consider prior to deciding on a provider.
Study the pricing
Payment processing is complex, as it includes several financial institutions or organizations. Like any service, a payment gateway requires a fee for using third-party tools to process and authorize the transaction. Every party that participates in payment verification, authorization, or processing charges fees. Transactions are commonly billed according to the amount, location (within a certain country or international), and type of product (physical or digital). The charges you will typically see are:
- gateway setup fee,
- monthly gateway fee,
- merchant account setup, and
- a fee for each transaction processed.
Read all the pricing documentation to avoid hidden fees or additional expenses.
Check transaction limits for a given provider
While fees and installation charges are inevitable, there is one thing that may determine whether you can work with a certain provider. Gateway providers set transaction limits as a minimum and maximum amount. Both values are of interest for merchants and their business, as you want to use a single gateway for all the available products.
So, let’s take for example Stripe as one of the biggest players. Their transaction limit minimum is $0.50 and $999,999.99 is their maximum. The maximum amount will probably suit the majority of businesses that don't trade bonds or real estate online. But if your business is selling, say, stock music tracks for a price as low as $0.10, this may affect your choice even though making a $0.10 purchase is extremely rare.
The second thing you should pay attention to is daily or monthly transaction limits. These occur pretty rarely, but also play a huge role for gateway provider choice.
Examine merchant account options
A merchant account is an agreement between a merchant and an acquiring bank, by which a merchant allows a bank to process their transactions. Additionally, a merchant agrees to follow the operational regulations of credit card processing established by credit card companies.
A merchant account can be opened through banks or payment gateway providers, that offer merchant accounts as a part of a service. This includes payment processors. If you already have a merchant account, consider what that provider offers. Otherwise, it’s better to choose a provider that offers a merchant account from the start.
Make sure the gateway supports necessary payment methods and credit cards
As of 2019, the most popular payment method remains credit cards, used by 69 to 82 percent of all shoppers depending on the region, according to Statista. Second place is occupied by various electronic payment methods like PayPal, Union Pay, and Alipay, ranging between 51 and 80 percent of all shoppers.
In terms of credit cards as a major payment method, you have to make sure a payment gateway accepts all the required credit card networks.
Another aspect is multi-currency support. If your business is international, you want your customers to be able to pay, no matter what currency they use. Popular gateway providers offer multi-currency support processing with or without an additional fee. If you are going to use a hosted payment system, there are also localized checkouts available.
Consider mobile payments
While mobile payments ultimately draw money from credit card accounts, accepting Apple Pay or Google Pay means supporting a different payment method. In short, mobile payments have their own tokenization process and come as a separate method in all payment gateway services.
Depending on the country you're running your business in, mobile wallets may or may not be available. But the three major applications, Apple Pay, Google Pay, and Samsung Pay, currently support all four main credit card networks and operate in hundreds of countries. So, you have to scan the provider’s page and find the corresponding information on whether the gateway supports mobile wallets and which ones.
Keep in mind that there are also different transaction limits set for a given time period, for example, PayPal.
Ensure your product type is permitted by the provider
Generally, there are two types of products considered by providers: digital and physical.
Some payment solution providers offer their services for both physical and digital products. But it's not rare for a given system to support only one product type. So, before subscribing to a provider, make sure it permits your type of product.
Popular payment gateway providers
The number of gateway providers is overwhelming, so we've picked some of the biggest, most reliable options.
Table of payment gateway providers features
Stripe is an eCommerce-tailored payment solution. Stripe accepts all major payment methods, including mobile payment providers such as Apple Pay, WeChat Pay, Alipay, and Android Pay.
The service is fully loaded with its comprehensive documentation, international support, and monitoring system. It has a simplified PCI compliance procedure, with 135 supported currencies, and allows for integrating with other third-party platforms.
Pricing: Stripe charges no setup fees. The standard package charges 2.9 percent + $0.30 per transaction. Additionally, there is a fee for international card processing (1 percent). But Stripe also offers a customized solution and pricing package for large businesses. The chargeback amount is a fixed $15.
PayPal is one of the most widely accepted electronic payment methods in the world. PayPal offers scalable solutions for businesses of different sizes. Through its gateway, PayPal offers processing of all the major credit and debit cards, and PayPal payments themselves, with various other methods. It also has multiple services, which include PayPal Payments Pro, PayPal Express Checkout, and Braintree.
PayPal is often integrated as a hosted payment solution. PayPal Payments Pro is an upgrade you may obtain if you want an integrated checkout right on your website. PayPal Express Checkout is the easiest option, as it simply adds a PayPal button to your website. Braintree is a separate payment solution, but it is a PayPal division. The main advantage of using Braintree is that it bills international transactions without an additional fee.
Pricing: PayPal’s pricing model is complex, and includes different calculations for micropayments, their platform usage, and international transactions. Domestic transactions are billed at 2.9 percent + $0.30 per transaction. Outside the US transactions are 3.9 percent + a fee based on the currency used. There is no monthly fee for the standard PayPal, but Payments Pro charges $30 monthly for a subscription. The chargeback amount is $20, and for Braintree, with equal pricing for transactions, it is $15. No setup fees are included.
Amazon Pay is an eCommerce giant with its platform designed for online retailers. Amazon Pay is integrated via API, offering a semi-integrated payment solution. It’s available across devices, with a focus on mobile use. Amazon service also supports all the major payment methods and credit cards.
Pricing: Domestic transactions are billed at 2.9 percent + $0.30 per transaction. International is 3.9 percent. The refund amount is $20 + taxes, if applicable. No setup or monthly fees.
Authorize.net is designed for small- and medium-sized businesses. Their service also provides all the major payment method support, including PayPal payments and Apple Pay. Authorize.net protects users from fraudulent transactions via its Advanced Fraud Detection Suite. They also support integration with mobile applications.
Pricing: 2.9 percent + $0.30 per transaction. There is a $25 monthly fee for a gateway and $49 for merchant account setup. You may sign up for a payment gateway if you already have a merchant account.
2Checkout provides customizable options for businesses of different sizes, as well as integrated payment solutions. Its biggest advantage is its scalability, with packages for different product types. 2Checkout supports all the major payment methods, 87 currencies, and 15 language localizations.
Pricing: 2Checkout includes 3 packages with different fees. There are no setup, monthly, or recurring payments. The 2Sell fee is 3.5 percent + $0.35 per transaction. 2Monetize is a package tailored to digital product sellers, and its pricing is 6.0 percent + $0.60 per transaction.
Custom payment gateway
There are a lot of payment gateway providers that offer a full shopping experience to your customers and various integration methods. But if you are a large enterprise, you might be interested in building your own payment solution to break free of vendor restrictions.
How to build a custom gateway?
Creating a custom payment gateway requires several steps:
- Payment gateway provider registration. Register as a payment gateway provider with a credit card company (or several) through your acquiring bank.
- Contracting with banks. Contract banks that will act as payment processors to handle the actual processing for you. Multiple banks can give you different transaction fees for international transfers, or different rates for currency exchange.
- API development. Develop an API for your gateway and write robust documentation as required within PCI DSS compliance.
- Tokenization solution. Any institution that stores credit card information does it in the form of tokens. This is a security measure in which sensitive data is replaced with tokens, which reduces the chance of fraud. A token stands in for the transaction and cardholder data so that the actual values are not exposed to third parties.
- PCI DSS certification. Become PCI DSS compliant by implementing all the necessary security measures and integrating merchant fraud protection mechanisms on your website.
- Choose additional payment methods. If you need additional methods like PayPal, Bitcoin, or mobile wallets (e.g. Apple Pay), you’ll need to integrate them separately with their APIs.
- Management tools development. Develop a merchant administration web application, or simply an admin panel to allow your staff to control merchant operations.
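The tokenization step above, together with the processing flow described earlier (customer to merchant to gateway to processor to card network to issuer, and the response code back), is easiest to reason about as a simulation. The Python below is an added example, not the article's code and not any real gateway's implementation: the gateway swaps the card number for a random reference token the moment it arrives, the merchant persists only the token, the last four digits and the status, and a later capture is done by token with detokenization happening only inside the gateway. The account balances and the response codes ("00", "51", "14") are constructed for the demo and do not reproduce any network's code table.

```python
import secrets
from decimal import Decimal

# Simulated issuer: constructed balances keyed by card number (PAN). Response codes
# are illustrative only ("00" approved, "51" insufficient funds, "14" invalid card).
ISSUER_ACCOUNTS = {
    "4111111111111111": Decimal("500.00"),
    "5555555555554444": Decimal("20.00"),
}


def issuer_authorize(pan, amount):
    """Issuer bank: accept or deny the authorization and put a hold on the funds."""
    balance = ISSUER_ACCOUNTS.get(pan)
    if balance is None:
        return "14"
    if amount > balance:
        return "51"
    ISSUER_ACCOUNTS[pan] = balance - amount
    return "00"


def card_network(pan, amount):
    """Visa/Mastercard/...: route the request to the issuer and relay its code."""
    return issuer_authorize(pan, amount)


def payment_processor(pan, amount):
    """Processor: hands the request to the card network on the gateway's behalf."""
    return card_network(pan, amount)


class Gateway:
    """Payment gateway with a token vault; the only party that keeps the PAN."""

    def __init__(self):
        self._vault = {}        # token -> (pan, expiry); would be encrypted at rest
        self.transactions = {}  # order_id -> transaction record (holds the token, never the PAN)

    def _tokenize(self, pan, expiry):
        # Random reference token: nothing about the card can be derived from it
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = (pan, expiry)
        return token

    def authorize(self, order_id, pan, expiry, cvv, amount):
        # The CVV is used for this authorization only and is deliberately not stored
        token = self._tokenize(pan, expiry)
        code = payment_processor(pan, amount)
        self.transactions[order_id] = {"token": token, "amount": amount, "code": code, "captured": False}
        return {"token": token, "last4": pan[-4:], "code": code, "approved": code == "00"}

    def capture(self, order_id):
        """Capture a previously approved authorization using only its token."""
        txn = self.transactions.get(order_id)
        if txn is None or txn["code"] != "00" or txn["captured"]:
            return False
        _pan, _expiry = self._vault[txn["token"]]  # detokenized only inside the gateway
        txn["captured"] = True
        return True


def merchant_checkout(gateway, order_id, pan, expiry, cvv, amount):
    """Merchant server: relay what the customer typed (received over TLS) to the
    gateway and persist only the token, the last four digits and the status."""
    response = gateway.authorize(order_id, pan, expiry, cvv, Decimal(amount))
    status = "accepted" if response["approved"] else f"denied ({response['code']})"
    return {"order_id": order_id, "token": response["token"], "last4": response["last4"], "status": status}


if __name__ == "__main__":
    gw = Gateway()
    record = merchant_checkout(gw, "order-1", "4111111111111111", "12/27", "123", "100.00")
    print(record["status"], record["last4"], gw.capture("order-1"))
```

The point a PCI assessor looks for is visible in `merchant_checkout`: the merchant's stored record contains no PAN and no CVV, so its scope is limited to relaying the data, while the vault (and its encryption, key management and access logging) lives with the party that chose to carry the compliance burden.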
You may also use open-source payment gateway solutions. It is possible to use open-source payment gateway software (like OmniPay, PayU, or Active Merchant) that will lower the engineering costs. But it will, again, restrict your customization options.
Developing an independent custom gateway and payment processing infrastructure requires serious expenses that are billed in a range from $150,000 to $800,000. That price includes engineering, maintenance, PCI DSS compliance certification, SSL certification, writing API documentation, and administration expenses. Besides the financial issues, it also requires the time to launch a fully working system and implement it into your product.
However, a custom payment solution can bring a number of benefits:
- Lower transaction fees. By establishing your own gateway, you remove the gateway provider as a fee-forming factor, which lowers transaction fees.
- Customization. A large enterprise business may be firmly restricted by what vendors offer. Even if you find a vendor with low transaction fees and a great number of payment methods, there are always restrictions. Developing a custom payment solution allows you to implement any feature you want, whether that is recurring payments or multi-currency transactions.
- Offer the payment gateway as a product. With your own custom payment solution, you will be able to offer it to other merchants and agents.
Being a long-term investment, developing a custom payment gateway is quite reasonable for a company with a large yearly revenue. For companies handling fewer than 20 thousand transactions per year, a custom payment solution is unnecessary. But for merchants conducting over 1-2 million transactions, the savings quickly mount up.
Optimizing your gateway and saving costs on transaction fees are reasonable factors to consider. The pitfalls you should be aware of are the security issues, which are usually handled by the gateway providers. But obtaining PCI compliance and using fraud management will help you to earn customer confidence.
So, whether you are choosing a payment gateway/processor provider or planning to build your own payment portal, a proper payment solution is always the more profitable choice for an online merchant, unless you run a non-profit website. Websites with a built-in payment system are more trusted by customers. And if you are looking for a way to improve client confidence, integrate a payment solution that inspires trust, supports multiple payment methods, and is protected from fraudulent actions.