What is a payment gateway and how does it work?

E-commerce offers merchants great business opportunities to sell their goods and services via the internet. Various participants are involved in the online payment process. One of them is the Payment Gateway: a digital highway which enables merchants to receive transactions from customers across the internet.

Payment Gateways are fundamental in the complex e-commerce and m-commerce landscape. Depending on the region and the market, e-shoppers use a growing variety of payment methods to purchase products and services online, but whether payments are made via a POS (Point of Sale), NFC (Near Field Communication) or by filling in credit card details on a web-shop’s site, a transaction cannot move from buyer to seller without a so-called Payment Gateway bridging the transaction. When the shopper places an order, the Payment Gateway is the transaction’s first stop on its way to the e-Merchant’s account.

After the Payment Gateway, the transaction moves from the Card Network to the buyer’s Credit Card issuing Bank for authorization and, after approval, the payment will be transferred from the shopper’s Credit Card to the Merchant’s account (MID).

Payment Gateway Authorisation Process Infographic


The Payment Gateway and the Payment Processor are required to comply with the latest Payment Card Industry Data Security Standard (PCI-DSS) to ensure secure transactions and protection of the consumer’s financial data. A Payment Gateway is a Merchant’s secure, PCI-DSS compliant gateway to sell online, as it authorises Merchants to accept card payments from their web shop. The Payment Gateway acts as a mediator between your Web Shop and the Payment Processor. Payment Processors are financial institutions that partner with companies that deal directly with e-Merchants.

Payment Gateways and Payment Processors are part of a secure Transaction Process. Encryption is one of the elements which secure a transaction. The web browser encrypts the information exchanged between the buyer and the Merchant’s website. The Gateway moves the Transaction Data to the Payment Processor, which partners with the e-Merchant’s Acquiring Bank. The authorization process involves the Customer and the Payment Processor, which refers the Transaction Data to a Card Scheme (e.g. VISA, MasterCard, American Express). The issuing Bank approves or denies authorization within seconds.

The Gateway “fills the order” through SSL encryption. Once the Gateway receives authorization, the payment can be processed. Although this seems rather complex, this entire process is completed within a few seconds. The process between authorisation, settlement and funding can take up to 2 working days.

There are many technical details involved with payment gateways that guarantee the entire process is safe. Because the cardholder is required to enter personal details during the transaction cycle, the Payment Gateway uses the HTTPS protocol. As part of the validation process, a signed request is used. The signature is the result of a hash function by which the parameters of the request are confirmed with a “secret word”, known only to the Merchant and the Payment Gateway.

To validate a request for the payment page result, the IP address of the requesting server sometimes has to be authorised as well. There is growing support among Acquirers, Issuers and Payment Gateways for Virtual Payer Authentication (VPA), using a 3-D Secure protocol. Branded as Verified by Visa, MasterCard SecureCode and JCB J/Secure, this adds an additional layer of security to relatively anonymous Card-not-Present (CNP) transactions.
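The signed request and the IP authorisation of the requesting server described above can be checked together on the receiving side; the following is an added example, not code from this page or from any gateway. The parameter names, the secret, the allowed network and the choice of HMAC-SHA256 as the keyed hash are assumptions, since the page does not name an algorithm.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (assumptions, not from any real gateway).
SHARED_SECRET = b"example-secret-word"
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/28")]  # documentation range

def canonical_bytes(params):
    """Serialise parameters deterministically: sorted keys, length-prefixed
    fields so a value containing '&' or '=' cannot mimic another field."""
    parts = []
    for key in sorted(params):
        if key == "signature":          # the signature never signs itself
            continue
        value = str(params[key])
        parts.append(f"{len(key)}:{key}={len(value)}:{value}")
    return "&".join(parts).encode("utf-8")

def sign(params, secret=SHARED_SECRET):
    """Keyed hash (HMAC-SHA256) over the canonical parameter string."""
    return hmac.new(secret, canonical_bytes(params), hashlib.sha256).hexdigest()

def verify_callback(params, source_ip, secret=SHARED_SECRET):
    """Return (accepted, reason) for a payment-result request."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "invalid source IP"
    if not any(ip in net for net in ALLOWED_NETS):
        return False, "source IP not authorised"
    supplied = str(params.get("signature", ""))
    expected = sign(params, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "signature mismatch"
    return True, "ok"

def demo():
    order = {"order_id": "A-1001", "amount": "49.90",
             "currency": "EUR", "status": "approved"}
    order["signature"] = sign(order)
    tampered = dict(order, amount="0.01")   # amount changed in transit
    return (verify_callback(order, "203.0.113.5"),
            verify_callback(tampered, "203.0.113.5"),
            verify_callback(order, "198.51.100.7"))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The IP check is a secondary filter only; the signature is what binds the parameters to the shared secret, so a request from an allowed address with an altered amount is still rejected.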

The steps described here are repeated to clear the authorisation via a consummation of the transaction. The clearing only commences once the Merchant has completed the transaction, or ‘shipped the order.’ The issuing bank charges the authorisation holder to a debit, enabling a settlement with the vendor’s Acquiring Bank. The Payment Processor resolves all Merchants’ approved authorisations with the Acquiring Bank.

Payment Gateway Capture Process Infographic


Besides handling and securing the payment process, Payment Gateways can offer extended payment services. Their services include Risk Management solutions and Fraud Detection and Prevention tools, such as:

  • Delivery address verification, which is a service that verifies typed addresses and corrects invalid city and/or postcode combinations in near real time. Many fraud management systems verify and correct addresses to improve fraud detection screening and to prevent misrouting of shipments.
  • Address Verification System (AVS) checks are used to verify the address of a person claiming to own a credit card. The system will check the billing address provided by the user against the address on file at the credit card company.
  • Computer fingerprinting technology, which uses information collected about a remote computing device for the purpose of identification.
  • Velocity pattern analysis, also referred to as bloodstain pattern analysis, is one of several specialities in forensic science. It consists of the study and analysis of bloodstains with the aim of aiding investigators to reach conclusions about the nature, timing and other details of the crime.
  • Identity morphing detection.
  • Geolocation, which is the process or technique of identifying the geographical location of a person or device by using digital information processed by the internet.

After reading the above explanation, it becomes clear that a Payment Gateway is much more than a transaction’s digital highway. It is an indispensable stakeholder in the entire payment process and includes additional security layers, compliance with the law and a variety of risk management tools, which protect online Merchants against cybercrime.

If you would like more information about payment gateways, please contact Centus and speak to one of our representatives.