# What Is a Payment Gateway?
## Definition
A payment gateway is a technology service that captures, encrypts, and transmits payment data from the customer to the payment processor, serving as the secure bridge between the merchant's checkout and the financial network that authorizes and settles the transaction.
## Explained in Detail
A payment gateway is the technology layer that sits between a merchant's website or point-of-sale system and the payment processor. Its primary job is to securely capture payment information (card numbers, bank details, wallet tokens), encrypt it, transmit it to the payment processor for authorization, and relay the response (approved or declined) back to the merchant. In the physical world, the card terminal at a store serves a similar function — the payment gateway is essentially the online equivalent.
## How a Payment Gateway Works
When a customer enters their payment details at checkout, the payment gateway performs several critical functions in rapid succession — the entire process typically takes 1-3 seconds:
**Step 1 — Data capture and encryption**: The customer enters their card number, expiration date, CVV, and billing information into fields served by the gateway (a hosted page or an embedded iframe). The browser sends that data over TLS straight to the gateway's domain, so it is protected in transit and, with hosted fields, never passes through the merchant's server at all. "SSL" in this context means TLS; SSL and early TLS versions no longer count as strong cryptography under PCI DSS. The CVV may be used for the authorization but may not be stored afterwards by anyone, even in encrypted form.
**Step 2 — Transmission to processor**: The gateway forwards the encrypted payment data to the payment processor (or acquirer), along with transaction details like the amount, currency, and merchant identifier.
**Step 3 — Authorization request**: The payment processor routes the authorization request through the appropriate card network (Visa, Mastercard, American Express) to the customer's issuing bank. The issuing bank checks the card's validity, the available balance, and its own fraud rules. Where strong customer authentication applies, the 3D Secure exchange normally runs before this request is sent, and the authorization carries the authentication result; an issuer can also answer an unauthenticated request with a "soft decline" that asks the merchant to authenticate the customer and resubmit.
**Step 4 — Authorization response**: The issuing bank sends back an approval or decline code through the same chain: card network to processor to gateway. On a soft decline, the gateway runs the 3D Secure challenge (a redirect to the issuer's authentication page, or an embedded challenge window) and then resubmits the authorization with the authentication result attached.
**Step 5 — Response to merchant**: The gateway relays the authorization response to the merchant. If approved, the merchant can confirm the order; if declined, the customer is prompted to try a different payment method. The merchant's server must take that result from a channel it can authenticate, such as a signed webhook from the gateway or a server-to-server status query, never from parameters the customer's browser carries back to the merchant site, since those can be forged or altered by the customer.
**Step 6 — Capture and settlement**: An approval only places a hold on the customer's available balance. The merchant (or the gateway on its behalf) later captures the approved transactions, typically in a daily batch, and submits them to the processor for settlement: the actual movement of funds from the issuing bank through the card network to the acquiring bank, which credits the merchant's account.
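The point of step 5 is easy to get wrong, so here is the merchant-side handling of a signed authorization notification as an added example (not any gateway's code). The header format `t=<unix timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<body>">`, the 300-second replay window, the secret and the order records are all assumptions constructed for the example; use your own gateway's documented signing scheme. The example also covers the price-tampering case, where the notification is genuine but the approved amount is not the amount the merchant expected.

```python
"""Added example: verify a gateway's signed payment notification before fulfilling.
The header format, secret, tolerance and order data are assumptions for this example."""
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window; older notifications are refused


def sign_notification(secret: bytes, timestamp: int, body: bytes) -> str:
    """Gateway side: MAC the timestamp together with the body so both are covered."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_notification(secret: bytes, header: str, body: bytes, now=None) -> bool:
    """Merchant side: recompute the MAC over the raw body and compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        fields = dict(item.split("=", 1) for item in header.split(","))
        ts, sig = int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:  # stale or replayed notification
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def handle_notification(orders: dict, secret: bytes, header: str, body: bytes, now=None) -> str:
    """Fulfil an order only when the signed notification matches the merchant's own record."""
    if not verify_notification(secret, header, body, now):
        return "rejected: bad signature or stale timestamp"
    event = json.loads(body)
    order = orders.get(event.get("order_id"))
    if order is None:
        return "rejected: unknown order"
    if order["status"] == "paid":
        return "ignored: duplicate"  # idempotency: a replay inside the window does nothing
    if event.get("status") != "approved":
        return "declined"
    # The gateway only vouches for what it authorized; the merchant must compare
    # that against what it expected to charge, or a client-side price edit goes through.
    if (event.get("amount"), event.get("currency")) != (order["amount"], order["currency"]):
        return "rejected: amount or currency differs from order"
    order["status"] = "paid"
    return "fulfilled"


# Constructed data for a stand-alone run (not real credentials or orders).
SECRET = b"whsec_constructed_example_secret"
NOW = 1700000000


def new_orders() -> dict:
    return {
        "order_1001": {"amount": 4999, "currency": "USD", "status": "pending"},
        "order_1002": {"amount": 4999, "currency": "USD", "status": "pending"},
    }


def demo() -> list:
    orders = new_orders()
    body = json.dumps({"order_id": "order_1001", "status": "approved",
                       "amount": 4999, "currency": "USD"}).encode()
    header = sign_notification(SECRET, NOW, body)
    results = [handle_notification(orders, SECRET, header, body, NOW)]            # fulfilled
    results.append(handle_notification(orders, SECRET, header, body, NOW))        # duplicate
    tampered = body.replace(b"4999", b"1")                                        # body edited in transit
    results.append(handle_notification(orders, SECRET, header, tampered, NOW))    # bad signature
    results.append(handle_notification(orders, SECRET, header, body, NOW + 3600)) # stale
    # Genuine notification, but the customer got the gateway to authorize 1 cent for order_1002.
    cheap = json.dumps({"order_id": "order_1002", "status": "approved",
                        "amount": 1, "currency": "USD"}).encode()
    results.append(handle_notification(orders, SECRET, sign_notification(SECRET, NOW, cheap), cheap, NOW))
    return results


if __name__ == "__main__":
    print(demo())
```

The body must be verified as the raw bytes received, before any JSON parsing or re-serialization, since re-encoding changes whitespace and key order and the MAC will no longer match.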
## Gateway vs Processor vs PSP
Understanding the distinction between these three concepts helps clarify what a payment gateway actually does:
The **payment gateway** handles the front-end — capturing data, encryption, and communication. It is the technology interface.
The **payment processor** handles the back-end — routing transactions through card networks, communicating with issuing banks, and settling funds. It is the financial plumbing.
A **PSP (Payment Service Provider)** bundles both functions (and typically a merchant account) into a single integrated service. Modern PSPs like Stripe, Adyen, and Square include a built-in payment gateway as part of their platform, so merchants don't need a separate gateway provider.
Historically, merchants had to piece together separate providers: a merchant account from a bank, a payment processor, and a payment gateway. Today, most businesses use a PSP that includes all three, though some enterprise merchants still use standalone gateways for specific reasons (legacy systems, multi-processor routing, specialized features).
## Hosted vs Integrated Gateways
Payment gateways come in two main deployment models:
**Hosted gateways** redirect the customer to a payment page hosted by the gateway provider. The customer enters their card details on the gateway's domain, and after payment, they are redirected back to the merchant's site. Examples include PayPal Standard and Stripe Checkout (hosted mode). The advantage is that the merchant never handles raw card data, significantly reducing PCI compliance scope. The disadvantage is less control over the user experience and a redirect that can increase cart abandonment.
**Integrated (embedded) gateways** allow the merchant to embed payment fields directly into their own checkout page using JavaScript libraries or iframes. Examples include Stripe Elements and Adyen Web Drop-in. The card data is captured in an iframe served from the gateway's domain, so the merchant's server still never touches raw card data, while the customer stays on the merchant's page with no redirect. This is the preferred approach for most modern e-commerce sites. The caveat is that the merchant's page still controls everything around the iframe: any script running on that page, including a compromised third-party tag, can overlay a fake card field or alter the checkout form, which is why the scripts on a payment page need to be inventoried and integrity-checked.
## Security and PCI Compliance
Security is the gateway's most critical function. Payment gateways must comply with PCI DSS (Payment Card Industry Data Security Standard), the set of security requirements established by the card networks for any entity that stores, processes, or transmits cardholder data.
A well-implemented payment gateway significantly reduces the merchant's own PCI compliance burden. When using a hosted redirect or embedded fields (iframes), the merchant's servers never handle raw card numbers; only the gateway's PCI-validated infrastructure touches the data. A merchant whose payment page elements are all served by the gateway can self-assess under SAQ A; one whose own page code affects how card data is captured (for example a direct-post form driven by gateway JavaScript) falls under SAQ A-EP; a merchant that handles card data itself faces the full SAQ D. Either reduced questionnaire saves considerable time and cost, but scope is not zero: PCI DSS v4.0 added requirements 6.4.3 and 11.6.1 to SAQ A, which call for an inventory of the scripts loaded on the payment page, assurance of their integrity, and detection of unauthorized changes to the page as delivered to the browser.
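As an added example of the payment-page script check just described (this is not a gateway's tooling and not part of the original page), the following code computes a Subresource Integrity value for a script and audits a checkout page's `<script>` tags against an inventory. The gateway URL, the script body and both pages are constructed for the example.

```python
"""Added example: inventory and integrity audit of the <script> tags on a payment page.
The gateway URL, script content and HTML pages below are constructed, not real."""
import base64
import hashlib
import re


def sri_hash(script: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def audit_payment_page(html: str, inventory: dict) -> list:
    """Return one finding per <script> that is inline, not in the inventory,
    or whose integrity attribute differs from the inventoried hash."""
    findings = []
    for tag in _SCRIPT_TAG.finditer(html):
        attrs = dict(_ATTR.findall(tag.group(1)))
        src = attrs.get("src")
        if src is None:
            findings.append("inline <script> on the payment page is not in the inventory")
            continue
        expected = inventory.get(src)
        if expected is None:
            findings.append(f"{src}: not in the script inventory")
        elif attrs.get("integrity") != expected:
            findings.append(f"{src}: integrity attribute missing or differs from inventory")
    return findings


# Constructed gateway script and inventory (assumed names, not a real gateway).
GATEWAY_URL = "https://js.gateway.example/v3/fields.js"
GATEWAY_JS = b"window.Gateway={mount:function(el){/* hosted fields iframe */}};"
INVENTORY = {GATEWAY_URL: sri_hash(GATEWAY_JS)}

CLEAN_PAGE = f'''<form id="checkout"></form>
<script src="{GATEWAY_URL}" integrity="{INVENTORY[GATEWAY_URL]}" crossorigin="anonymous"></script>'''

# Same page after someone added an uninventoried tag and an inline handler on the form.
TAMPERED_PAGE = CLEAN_PAGE + '''
<script src="https://cdn.analytics.example/tag.js"></script>
<script>document.getElementById("checkout").addEventListener("submit", function () {});</script>'''


if __name__ == "__main__":
    print(audit_payment_page(CLEAN_PAGE, INVENTORY))     # []
    print(audit_payment_page(TAMPERED_PAGE, INVENTORY))  # two findings
```

SRI pins one exact version of a script. A gateway that updates its library in place at a stable URL cannot be pinned this way, so for those the practical combination is the gateway's own documented integrity mechanism, a Content-Security-Policy `script-src` allowlist, and periodic fetching of the page to detect changes, which is what the tamper-detection requirement is after.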
Payment gateways also implement additional security features:
- **Tokenization**: After the initial transaction, the gateway replaces the card number with a non-sensitive token that the merchant can store for future charges (subscriptions, one-click checkout) without holding actual card data. The token is usually meaningful only to the gateway that issued it, which is what makes it worthless to someone who steals the merchant's database, but it also means stored cards are tied to that provider.
- **3D Secure**: The gateway manages the 3D Secure authentication flow (Visa Secure, formerly Verified by Visa; Mastercard Identity Check), presenting the issuer's challenge to the customer when required and passing the authentication result to the processor with the authorization.
- **Fraud screening**: Many gateways include or integrate with fraud detection tools that analyze transactions for suspicious patterns (unusual locations, velocity checks, device fingerprinting) before submitting them for authorization.
- **Address Verification (AVS)**: The gateway submits the billing address to the issuing bank for verification, and the response code indicates whether the street address and postal code match the ones on file. Issuers commonly approve a transaction despite an AVS mismatch, so acting on the result (voiding or flagging for review) is the merchant's or gateway's decision.
- **CVV verification**: The gateway submits the card verification value, which shows the customer had access to the card's printed security code rather than just a stolen card number. The CVV is used for the authorization only and must never be stored afterwards.
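To make the screening, AVS/CVV and tokenization points concrete, here is an added example (not any gateway's or vendor's code) that runs the pre-authorization checks over constructed transaction records and then decides what to do with an approved authorization given its AVS and CVV result codes. The result code sets, the velocity thresholds, the token format and the sample records are assumptions; real code sets vary by gateway and region. The records carry a gateway token and the last four digits rather than a card number, and the first check refuses any record in which a real PAN has leaked through.

```python
"""Added example: gateway-style risk checks over constructed transactions.
AVS/CVV code sets, thresholds and all records below are assumptions for this example."""
import re
from collections import defaultdict, deque

# Typical single-letter AVS result codes (assumed; the exact set varies by gateway and region).
AVS_MATCH = {"Y", "X"}         # street address and postal code both match
AVS_PARTIAL = {"A", "Z", "W"}  # only the street address (A) or only the postal code (Z, W) matches
AVS_NO_MATCH = {"N"}
# CVV result codes: M = match, N = no match, P = not processed, U = issuer cannot verify

_DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; every card PAN passes it, so it is a cheap leak detector."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if any 13-19 digit run in the text is Luhn-valid, i.e. looks like a card number."""
    return any(luhn_valid(run) for run in _DIGIT_RUN.findall(text))


class VelocityTracker:
    """Sliding-window count of authorization attempts per key (card token, IP, ...)."""

    def __init__(self, window_seconds: int, max_attempts: int):
        self.window = window_seconds
        self.max_attempts = max_attempts
        self.events = defaultdict(deque)

    def record(self, key: str, ts: int) -> bool:
        """Record an attempt at time ts; return True if the key is now over the limit."""
        q = self.events[key]
        while q and ts - q[0] > self.window:
            q.popleft()
        q.append(ts)
        return len(q) > self.max_attempts


def pre_auth_screen(tx: dict, tracker: VelocityTracker) -> str:
    """Checks the gateway can run before spending an authorization on the network."""
    if any(contains_pan(str(v)) for v in tx.values()):
        return "reject: raw PAN in transaction record"  # tokenization failed upstream
    if tracker.record(f"token:{tx['card_token']}", tx["ts"]):
        return "reject: card velocity"
    if tracker.record(f"ip:{tx['ip']}", tx["ts"]):
        return "reject: ip velocity"
    return "submit"


def post_auth_decision(avs: str, cvv: str) -> str:
    """What to do with an APPROVED authorization given its AVS and CVV result codes.
    Issuers often approve despite a mismatch; voiding is the merchant's or gateway's call."""
    if cvv == "N":
        return "void: cvv mismatch"
    if avs in AVS_NO_MATCH:
        return "void: avs mismatch" if cvv != "M" else "review: avs mismatch, cvv ok"
    if avs in AVS_PARTIAL:
        return "review: partial avs"
    if avs in AVS_MATCH and cvv == "M":
        return "capture"
    return "review: avs/cvv unverified"


# Constructed records: four rapid attempts on one token, then a record carrying a leaked PAN.
SAMPLE = [
    {"order_id": "o1", "card_token": "tok_8f3a", "last4": "1111", "ip": "203.0.113.7", "amount": 4999, "ts": 1700000000},
    {"order_id": "o2", "card_token": "tok_8f3a", "last4": "1111", "ip": "203.0.113.7", "amount": 4999, "ts": 1700000010},
    {"order_id": "o3", "card_token": "tok_8f3a", "last4": "1111", "ip": "203.0.113.7", "amount": 4999, "ts": 1700000020},
    {"order_id": "o4", "card_token": "tok_8f3a", "last4": "1111", "ip": "203.0.113.7", "amount": 4999, "ts": 1700000030},
    {"order_id": "o5", "card_token": "4111111111111111", "last4": "1111", "ip": "198.51.100.9", "amount": 1500, "ts": 1700000040},
]


def run_sample() -> list:
    tracker = VelocityTracker(window_seconds=60, max_attempts=3)
    return [pre_auth_screen(tx, tracker) for tx in SAMPLE]


if __name__ == "__main__":
    print(run_sample())
    print(post_auth_decision("Y", "M"), post_auth_decision("N", "N"))
```

The velocity window and limit here are deliberately low so the sample trips them; in production they are tuned per merchant, and the same tracker would also be keyed on device fingerprint and shipping address.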
## Choosing a Payment Gateway
For most businesses today, the payment gateway is chosen implicitly when selecting a PSP. If you use Stripe, you use Stripe's built-in gateway. If you use Adyen, you use Adyen's gateway. The standalone gateway market has shrunk as PSPs have vertically integrated.
However, choosing a standalone gateway still makes sense for enterprise merchants who want to route transactions to multiple processors (for cost optimization or redundancy), businesses with legacy systems that are already integrated with a specific gateway, and merchants in specialized industries that need gateway features not offered by mainstream PSPs.
Key factors when evaluating a gateway include supported payment methods, security certifications, uptime and reliability, latency (speed of authorization), 3D Secure support, tokenization capabilities, and the quality of APIs and documentation.