Payment Gateway

A payment gateway is a network communication between the customer, bank and business owner. The processing system is operated either by a bank or by a third-party merchant such as PayPal or AWEPay, and transmits money from the customer’s account to financial institutions.

A payment gateway is an e-commerce application service provider that allows credit card payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. It is similar to a physical point of sale terminal located in most retail outlets. Payment gateways protect credit card details by encrypting sensitive credit card data, to ensure that information passes securely between the customer and the merchant and also between the merchant and the payment processor.

A payment gateway facilitates the transfer of information between a payment portal (such as a website, mobile phone or interactive voice response service) and the Front End Processor or acquiring bank.

Normal transaction process

When a customer orders a product from a payment gateway enabled merchant, the payment gateway performs a variety of tasks to process the transaction.

A customer places an order on the website by pressing the ‘Submit Order’ or equivalent button, or perhaps enters their card details using an automatic phone answering service.

If the order is via a website, the customer’s web browser encrypts the information to be transmitted between the browser and the merchant’s web server. Among other methods, this can be done via SSL (Secure Socket Layer) encryption. The payment gateway can allow transaction data to be sent directly from the client browser to the payment gateway, bypassing the merchant system. This reduces the merchant’s Payment Card Industry Data Security Standard (PCI DSS) compliance obligations without redirecting the customer away from the website.

The merchant will then present the details of the transaction to their payment gateway. This is another SSL-encrypted connection, to the payment server hosted by the payment gateway.

The payment gateway sends transaction information to the payment processor used by the merchant’s acquiring bank.

The payment processor will then send the transaction information to the card association (e.g. Visa / MasterCard / American Express). If American Express or Discover Card was used, then the processor acts as the issuing bank and directly provides a response of either received or declined to the payment gateway. Otherwise (e.g. a MasterCard or Visa card was used), the card association routes the transaction to the correct card issuing bank.

The credit card issuing bank receives the authorization request, performs fraud and credit or debit checks, and then sends a response back to the processor (via the same process as the request for authorization) with a response code (e.g. approved, denied). In addition to communicating the fate of the authorization request, the response code is used to determine the reason why the transaction failed (such as insufficient funds, or bank link not available). Meanwhile, the credit card issuer holds an authorization associated with that merchant and consumer for the approved amount. This may affect the ability of the consumer to continue spending (e.g. because it reduces the line of credit or because it puts a hold on some of the funds in a debit account).

The processor finally sends the authorization response back to the payment gateway.

The payment gateway receives the response and sends it on to the website (or whatever interface is used to process the payment), where it is interpreted as a relevant response and then relayed back to the merchant and the cardholder. This is known as the authorization or “Auth”.

The entire process typically takes 2-3 seconds.

The merchant then fulfills the order and the process is repeated, but this time to “Clear” the authorization by completing the transaction. Usually the “Clear” is initiated only after the merchant has fulfilled the transaction (e.g. the order has been sent). This results in the issuing bank ‘clearing’ the ‘auth’ (i.e. moving the auth-hold to a debit) and preparing to settle with the merchant’s acquiring bank.

The merchant submits all approved authorizations in “batches” (e.g. at the end of the day) to the bank for settlement via the processor.

The bank receives the request for settlement from the credit card issuers.

The credit card issuers make payments to the acquiring bank (e.g. the next day).

The bank will then deposit the approved amount of funds into the merchant’s bank account (for example, the day after). This could be an account with the acquiring bank, if the merchant holds a savings/current account in the same bank, or an account with another bank.

The entire process from authorization to settlement to funding typically takes 3 days.

Many payment gateways also provide tools to automatically screen orders for fraud and calculate tax in real time before the authorization request is sent to the processor. Tools to detect fraud include geolocation, velocity pattern analysis, OFAC list lookup, ‘black-list’ lookup, delivery address verification, computer fingerprinting technology, identity morphing detection, and basic AVS checks.


Since customers are usually required to enter personal details, the entire communication of the ‘Submit Order’ page (i.e. customer to payment gateway) is often carried out over the HTTPS protocol.

To confirm the payment result page request, a signed request is often used: the signature is the result of a hash function over the parameters of the request together with a «secret code» known only to the merchant and the payment gateway.

To confirm the request from the payment page, sometimes the IP address of the sending server must also be verified.
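
The two checks described above (signed request and server IP verification), as an added example that is not from the original page or from any particular gateway. It assumes HMAC-SHA256 as the keyed hash, since the page names no specific scheme, and the parameter names, shared secret and gateway address range are all constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlencode

# Constructed sample values: the shared secret and the gateway's address range
# are placeholders, not values from any real gateway.
SECRET = b"example-shared-secret"
GATEWAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range


def canonical(params: dict) -> bytes:
    """Serialize parameters in one fixed order, excluding the signature itself."""
    items = sorted((k, str(v)) for k, v in params.items() if k != "signature")
    # urlencode escapes '&' and '=' inside values, so fields cannot be spliced
    return urlencode(items).encode()


def sign(params: dict, secret: bytes = SECRET) -> str:
    """Keyed hash over the canonical parameters (HMAC avoids length extension)."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify_callback(params: dict, source_ip: str, secret: bytes = SECRET) -> bool:
    """Accept a payment-result callback only if source and signature both check out."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in GATEWAY_NETS):
        return False
    supplied = str(params.get("signature", "")).encode()
    # compare_digest is constant-time, so the comparison leaks nothing via timing
    return hmac.compare_digest(sign(params, secret).encode(), supplied)


def demo() -> dict:
    """Constructed callbacks: genuine, tampered after signing, and wrong source."""
    good = {"order_id": "A1001", "amount": "49.90", "currency": "USD",
            "status": "approved"}
    good["signature"] = sign(good)
    tampered = dict(good, amount="0.01")  # amount changed after signing
    return {
        "genuine": verify_callback(good, "203.0.113.10"),
        "tampered": verify_callback(tampered, "203.0.113.10"),
        "wrong_ip": verify_callback(good, "198.51.100.7"),
    }


if __name__ == "__main__":
    print(demo())
```

The IP check alone is weak evidence of origin, which is why it is combined here with the signature rather than used in its place.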

There is growing support by acquirers, issuers and subsequently by payment gateways for Virtual Payer Authentication (VPA), implemented as the 3-D Secure protocol (branded as Verified by VISA, MasterCard SecureCode and J/Secure by JCB), along with the Card Verification Value, which adds an extra layer of security for online payments. 3-D Secure promises to alleviate problems facing online merchants, like the inherent distance between the seller and buyer, and the inability of the first to easily confirm the identity of the second.

A payment gateway must be compliant with PCI DSS, the Payment Card Industry Data Security Standard, which ensures the security of cardholder data.

Roles of payment gateways:
Payment gateways ensure that transactions are processed in a fast and secure way, without error and without requiring a lot of modification to the bank host. In addition, the payment gateway can efficiently handle Internet protocols and data exchange, and access is not permitted once the customer leaves the gateway.

Generally payment gateways can deliver the following:

  1. Payment through the Internet, otherwise called e-payment;
  2. No modification to bank server host;
  3. Graphical user interface (GUI) for system management, instead of command and code processing;
  4. Compatibility with other payment methods such as debit cards, electronic cheque, electronic cash and microelectronics pay;
  5. Complete merchant payment processing, including authorization, data capture, settlement and reconciliation;
  6. Monitoring of online activities to avoid fraud cases, such as generating ongoing reports and tracking each transaction;
  7. Decryption and encryption of Internet packets to ensure the security of online transactions;
  8. Sync transactions between the bank, customer and merchant account, so that all parties receive the same information.

The composition of payment gateways:

  1. Master module
  2. Communication module
  3. Data processing module
  4. Database module
  5. Statistical liquidation module
  6. Query print module
  7. System management feature designed module
  8. Exception handling module
  9. Security module

E-commerce workflow involving product delivery:

  1. Customers create a purchase order that is sent to the seller. The order information includes product name, quantity, and a series of product details.
  2. Seller receives the purchase orders, and sends requests to the supplier in accordance with the customer’s requirements.
  3. The supplier receives and reviews the order, and replies to the seller with an order confirmation, such as stock availability.
  4. Once stock availability is confirmed, the seller will contact transporters to check the delivery date and method of delivery, e.g. by air, by sea etc.
  5. Seller replies to the customer’s order and at the same time, issues a shipping notice to both supplier and transporter.
  6. Seller issues a notice of payment through the payment gateway and once the money goes through, seller instructs transporter to begin delivery according to the shipping notice.
  7. Payment gateway issues a successful transaction notice to customer and seller.

For service industries, e.g. payment of phone bills, the payment process is simplified because there is no need for stock query checking and transportation schedules.