The Complete Guide To Online Credit Card Processing With A Payment Gateway
It’s no exaggeration to say that the internet and eCommerce have radically transformed the way we shop for and buy things more than any other development since mail- and telephone-ordering became available over 100 years ago. Today, we can buy things online from the comfort of our own homes, and using credit cards to pay for those things is both convenient and secure. Of all the numerous software applications that make this possible, none is more important than the payment gateway.
What is a payment gateway? At its simplest, a payment gateway is a software application that acts as a conduit between an eCommerce merchant’s website and the bank that will authorize (or decline) a customer’s credit card payment. Payment gateways can also process direct transactions using payment methods such as eCheck (ACH) payments or bank-issued debit cards. Regardless of the payment method used, the primary function of the payment gateway is to securely transmit sensitive credit/debit card or bank account information from the customer to the customer’s issuing bank and all other parties that are involved in the transaction.
How a Payment Gateway Works
Although it’s a rather complex process, it’s important to understand how a payment gateway works. To a customer, it’s pretty simple: click on a “Buy” button, enter your payment information, confirm your order, and then sit back and wait for a package of goodies to arrive in the mail. Behind the scenes, there’s a lot more going on.
Let’s start with a visual representation of how a payment gateway processes a transaction:
Here’s how the sausage is made:
- Step 1: The customer places an order and provides a payment method. For this example, let’s assume that the customer has placed the order through your eCommerce website, and that they’re using a Visa credit card issued by Bank of America as their payment method. As a merchant, all you have is the customer’s name, billing address, credit card number (or a token representing the number), expiration date, and possibly a credit card verification (CCV) number. There’s no magstripe to swipe or EMV chip to dip. Because of this, the credit card transaction will be processed as a “card-not-present” transaction, and the processing rate will be higher due to the increased risk associated with not being able to physically verify the credit card or the customer’s identity. The customer’s information is uploaded, usually through a secure SSL connection, to the payment gateway, which encrypts it and sends it on its way.
- Step 2: The first stop is the merchant’s processor. Note that this is the company that actually processes the transaction, and not necessarily your merchant account provider. If your account provider uses a backend processor (commonly First Data or TSYS), that’s where the information will go. Some of the larger merchant account providers are direct processors, meaning there’s no middle man.
- Step 3: The processor then routes the transaction data to the credit card association (in this case, Visa). Although the most popular credit card associations (i.e., Mastercard and Visa) can’t approve or decline a transaction, they need to know about it because they’re going to charge a small fee (known as the interchange) for every approved transaction. Your processor will pay this fee and pass it on to you when they process your transaction. Other credit card associations, such as American Express and Discover, function as the issuing bank and can approve or decline the transaction themselves.
- Step 4: This is the most critical step of this entire process for Visa and Mastercard transactions because this is where the transaction is either approved or declined. Is the credit card valid? Is the customer an authorized user of the card? Are there sufficient funds available that the transaction won’t exceed the card’s credit limit? Are there no other holds or freezes on the card? If the answer to all the above is yes, then the transaction will be approved. If not, it will be declined and the bank will transmit a code identifying the reason why it was declined.
While all of this seems convoluted, these first four steps occur within a few seconds of the customer placing an order. This is because the processes involved are all completely automated these days, so you don’t have to wait for a human to review any of the information being transmitted.
- Step 5: If the transaction is approved, then the transaction information starts to flow back in the other direction. Once the issuing bank has authorized the transaction, it must transmit that authorization back to all affected parties in the payment processing network, starting with the credit card association.
- Step 6: The authorization passes from the credit card association to the processor.
- Step 7: The authorization passes through the gateway.
- Step 8: The authorization passes to your website so you and your customer know that the card is approved. With a valid authorization, the sale is complete and you can ship the customer’s order. At this point, the customer will see a “temporary authorization” on his or her online credit card account. The transaction “clears” when the issuing bank releases the necessary funds to the acquiring bank to cover the customer’s order and pay all the other parties to the transaction.
- Step 9: The acquiring bank places the money in your merchant account and alerts your processor. The processor then processes the transaction. The processor, credit card association, acquiring bank, and issuing bank all get a cut of the processing fee. What’s left gets deposited in your business’s bank account (which is an account different from your merchant account). Although everything up to Step 8 can take place in a matter of seconds thanks to automation, Step 9 takes a little longer. Merchants usually receive their funds within 48 hours of receiving authorization. This time frame can be shorter or longer, depending on several factors. Some processors can get your money to you in about 24 hours. At the same time, if the transaction is flagged as possibly being fraudulent, your funds might be held for several days or longer while the processor investigates the matter.
Payment Gateway VS Merchant Account
Payment gateways and merchant accounts are both somewhat fuzzy concepts, and it’s easy for people to get the two of them confused. A merchant account isn’t a business bank account, but it is an account, with a dedicated merchant ID number. Your merchant account allows payment card funds to be sent by the acquiring bank and processing charges and fees to be deducted by the processor before sending the funds to your checking account. If you run a physical store and are just using a credit card terminal to accept credit cards, you can have a merchant account without the need for a payment gateway.
A payment gateway, on the other hand, is simply a web service that allows credit card transactions to be processed over the internet. If you’re in eCommerce, you’ll need both a merchant account and a payment gateway to accept credit cards online.
Because not all merchants need a payment gateway, they usually aren’t a standard feature of a merchant account, although some services do bundle the two together. Instead, merchant account providers will offer them as an optional feature when setting up your account. A merchant account provider might offer you their own proprietary payment gateway, or they might set you up with a third-party gateway, such as Authorize.Net.
Payment Gateways & Third Party Processors
Perhaps the source of confusion between payment gateways and merchant accounts comes when a merchant uses a third-party processor (a/k/a payment services provider) to process payment cards. Third-party processors have very different business models than traditional payment card processors. They basically bundle multiple services offered by traditional processors and offer them as one service. With a third-party processor, you don’t set up a merchant account with a bank and give the processor access to the account. Instead, you have a sub-user account with the processor, which has its own merchant account and aggregates the transactions from all of its sub-users (merchants). That’s why third-party processors (or PSPs) are also sometimes called aggregators.
With a third-party processor, a proprietary gateway is a core part of the product offerings (along with any other free software you get). Whereas with a merchant account you might pay a separate monthly gateway fee and a per-transaction fee, the cost of a gateway through an aggregator is built into the processing fees.
What Do Payment Gateway Services Include?
In addition to their basic function of transmitting and receiving credit card transaction data via the internet, most payment gateways also come with several useful “extras.” Features you should consider in choosing a payment gateway include the following:
- Payment Information Storage: No customer wants to have to re-enter their credit card information every time they place an order. Payment information storage builds a database of customer information, so the customer can simply choose a card they’ve used before when they come back to your site. Best of all, the gateway encrypts this information and stores it separately from your website. This provides an additional layer of security and eases your PCI compliance requirements. One potential pitfall with this feature involves data portability, or rather the general lack of it. If you switch to a different gateway provider, you will often lose all your customer data and have to start over from scratch. Depending on the gateway provider, it might be possible to transfer the data to your new gateway, but this can be an expensive and time-consuming endeavor.
- Encryption: All payment gateways encrypt sensitive credit card information before they pass it along to the processing bank. It’s a bonus if the gateway also offers tokenization.
- Recurring Billing: Subscription-based pricing is more popular than ever, and a recurring billing feature can allow you to automate this process. You can also customize things like billing intervals and set up trial periods for your subscriptions.
- Virtual Terminal: A virtual terminal is a browser-based version of the physical credit card terminal. A virtual terminal allows you to input a customer’s credit card information and process a transaction directly through your computer’s web browser via an online web form. Virtual terminals can also be set up to run on mobile devices, including smartphones and tablets. In a retail setting, you can attach a USB-connected credit card reader and take advantage of lower, swiped (or card-present) processing rates.
- PCI Compliance: Several gateways on the market today simplify PCI compliance for eCommerce merchants. Transactions are conducted on the gateway provider’s servers, instead of the server hosting your website. Because the gateway interface is integrated into your website, the customer never needs to leave your site to complete an order. With this arrangement, you don’t need to maintain a secure network to be PCI compliant (it’s still a good idea, of course).
- API Tools & Developer Information: One of the most appealing features of payment gateways is that they’re generally “plug and play,” meaning you can set them up on your website without having to do any coding. If, on the other hand, you’re a proficient software programmer (or you have access to a web developer who can do it for you), most gateway providers offer a number of APIs (application program interfaces) that will allow you to customize how the gateway functions on your website. Each gateway provider has its own unique set of APIs that you can access.
- QuickBooks Integration: Most major payment gateways will integrate directly with QuickBooks, potentially saving you many hours of manually transferring transaction data into the program.
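The storage, tokenization and PCI compliance features above all depend on raw card numbers staying on the gateway's servers rather than yours. The following is an added example (not from the original article or from any gateway provider's code) of a merchant-side check in Python that flags order payloads carrying a card number instead of a token and masks card numbers that leak into log lines. The field names, token value and log line are constructed for illustration.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(match: re.Match) -> str:
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> list[str]:
    """Digit runs in text that have card-number length and pass Luhn."""
    return [d for d in map(_digits, PAN_CANDIDATE.finditer(text)) if luhn_ok(d)]


def redact(text: str) -> str:
    """Mask detected card numbers, keeping only the last four digits."""
    def mask(m: re.Match) -> str:
        d = _digits(m)
        return "*" * (len(d) - 4) + d[-4:] if luhn_ok(d) else m.group()
    return PAN_CANDIDATE.sub(mask, text)


def fields_with_card_data(payload: dict) -> list[str]:
    """Names of fields that carry a raw card number rather than a token."""
    return sorted(k for k, v in payload.items() if find_pans(str(v)))


# Constructed sample data; 4111111111111111 is a common test card number.
TOKEN_ORDER = {"order_id": "1001", "payment_token": "tok_constructed_8f3a2c",
               "amount": "49.99"}
RAW_ORDER = {"order_id": "1002", "card_number": "4111 1111 1111 1111",
             "amount": "49.99"}
LOG_LINE = "2024-01-01 checkout failed card=4111-1111-1111-1111 order=1002"

if __name__ == "__main__":
    print(fields_with_card_data(TOKEN_ORDER))
    print(fields_with_card_data(RAW_ORDER))
    print(redact(LOG_LINE))
```

A non-empty result from `fields_with_card_data` on traffic reaching your own server means card data is passing through your systems, not only the gateway's.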
Integrating Payment Gateways Into Your Online Store
A payment gateway integration connects your payment gateway to a payment device, usually an eCommerce shopping cart. The integration process can be easy or difficult depending on how you’re integrating. If you’re using a popular shopping cart like Shopify or Magento, there are pre-built payment gateway modules that make integration a breeze. If the shopping cart doesn’t have a pre-built module, you’ll have to do a custom integration. This requires the talents of a knowledgeable web developer and can get expensive.
As to signing up for a payment gateway itself, you can either get one as an add-on to your existing merchant account or go directly with an independent payment gateway provider. Currently, the most popular payment gateway on the market is Authorize.Net. Many merchant account providers will set you up with Authorize.Net if you need a payment gateway. You also have the option of signing up with them directly, which is a handy option if you don’t already have a merchant account.
There are, of course, options other than Authorize.Net. The Quantum Gateway, offered by CDGcommerce (one of our favorite providers), is also an excellent choice. This gateway offers all the standard features described above, but the best thing about it is that it’s free to customers who have a merchant account with CDGcommerce. There’s no setup fee, no monthly gateway fee, and you won’t be charged an additional processing fee for transactions. If you prefer to use Authorize.Net, CDGcommerce now also offers this as an alternative gateway. Once again, it’s free – providing significant savings over signing up directly with Authorize.Net.
While Authorize.Net and Quantum are two of the best and most popular payment gateways on the market, there are plenty of other options as well. When evaluating a payment gateway, be sure to look for the features described above. Security, fraud protection, and PCI compliance features are the most important things to consider when selecting a payment gateway.
Do I Need a Payment Gateway?
While a payment gateway is pretty handy, not every business needs one.
Obviously, if you’re running a purely eCommerce business, you’re going to need a payment gateway because there simply isn’t a way to accept credit cards through the internet without one. Likewise, businesses that include both retail and online components will also need one. But what about a strictly retail business with no online presence?
If you don’t sell any goods or services over the internet, you don’t necessarily need a payment gateway. However, you might still benefit from one. How? By using a gateway to operate a virtual terminal to turn your laptop or desktop computer into a web-based version of a credit card terminal or POS system. By itself, a virtual terminal application on your computer will allow you to process keyed-in (or card-not-present) credit card transactions. Add a USB or Bluetooth-based card reader – which some virtual terminals support – and you can now swipe or dip credit cards without the need for a dedicated terminal. You will also find that some POS software requires a payment gateway to function.
Payment gateways not only perform the basic function of processing credit card transactions over the web, but also bring a host of security and fraud prevention features that protect both you and your customers. Integrations with online shopping carts and accounting software (such as QuickBooks) help to run your business more smoothly and efficiently.
So, while not every business needs a payment gateway, every business can usually benefit from some aspects of a gateway. Since there are gateways that come with little to no additional cost, it makes sense to consider using one even if you do not absolutely need one.