So, how does a payment gateway work? What is a payment gateway anyway?
A lot of blogs will give you a vague answer to this question.
But sometimes, we just need to dig deep, don’t we?
So, we created this blog to explain how a payment gateway works in detail.
And when we use the term ‘detailed’, we don’t play around. 🙂
Let’s get started then?
What is Payment Gateway?
A payment gateway is a platform that allows any online business to accept payment. It can offer payment options like cards (debit and credit), digital wallets, UPI and more.
Now, these online businesses are known as merchants. They can range from eCommerce industries to any SaaS businesses.
Traditionally payment gateways in India were provided by banks in the early 90s. But, since the late 90s, private 3rd party corporations have entered the foray.
Today, most organizations integrate with these third-party payment processors to collect payments from their customers. Similarly, they can be used to disburse payments to vendors and employees.
Example of Payment Gateway
How can we explain what is a payment gateway in the easiest way possible?
We use an analogy of course!
Let’s say that you are a furniture manufacturer that needs to ship the products to distant areas.
Here, the train making the transport possible is your payment gateway.
Just like the train, the payment gateway ensures the safe transfer of your payment details to the acquiring bank.
Cashfree Payments offer you the best payment gateway in India at the lowest payment gateway charges.
Now that we have understood what a payment gateway is, let’s check how it works.
But for that, let’s figure out the players working alongside a payment gateway making credit card processing possible.
Players Involved in Online Payment Processing
A traditional payment gateway works with 5 major players.
Here’s what they are and what they do.
Issuer or Issuing Bank
Financial institution that issues cards (Visa/MasterCard) to customers, the account holders or cardholders.
Role of the Issuer
- Manages cardholder participation and activation in the 3-D Secure service (Verified by Visa or SecureCode by MasterCard).
- Validates cardholder at the time of each online purchase.
- Provides digitally signed response to the merchant for each authenticated transaction.
- Holds responsibility for the authentication experience of their cardholders.
Cardholder or Customer
The account holder of the debit or credit card.
Role of the Cardholder
- Uses the card to pay for purchases over the internet or other PoS.
- The cardholder activates the card once for 2-factor authentication like 3-D secure, Verified by Visa or SecureCode by MasterCard.
Acquirer or Acquiring Bank
The financial institution (banking accounts, payfacs) that contracts with merchants for the acceptance of debit and credit payment cards.
In simple terms, this is the bank that holds the merchant’s account.
Role of the Acquirer
- Registers merchants for card networks (Visa, RuPay and MasterCard, etc)
- Ensures that merchants are operating under a merchant agreement with the acquirer. This agreement should be in accordance with the rules and technical requirements for the card network program.
Merchant or Business
Offers merchandise, software or service at a website or mobile app. The merchant accepts payments from a cardholder who makes purchases over the internet.
Role of the Merchant
- Operates software to support a 3-D secure program like Verified by Visa and SecureCode by MasterCard. This software is referred to as Merchant Plug-In (MPI).
- The Merchant might develop their own solution or integrate with PGs like Cashfree Payments to accept payments from its customers.
Card Networks
Card infrastructure providers like Visa and MasterCard.
Role of the Card Networks
- Verifies issuer’s authentication results.
- Routes authorization requests to issuers and sends responses to acquirers for return to merchants.
These players interact with each other to make online payment processing possible.
However, there is one thing you must know when it comes to payment gateways in India.
Different players have their own set of rules and regulations. This ensures that every transaction is processed securely and conveniently.
Now, let’s come to the next logical question.
How does a payment gateway work?
Well, there are two ways of going about it. We can either answer this in a concise manner or the detailed one.
Or we can do both.
How Payment Gateway Works: Concise Versions For Beginners
We have already covered the players involved in online payment processing.
Let’s head straight to the answer.
- First, a customer enters their card details on the merchant’s site. The merchant may have a hosted payment gateway or a self-hosted payment gateway.
- The payment gateway encrypts and tokenizes the payment details. The details can be card numbers, VPA in UPI, CVV number, etc.
- Then, the payment gateway forwards the payment information to the Acquiring Bank. This is done through a payment processor.
- The Acquiring Bank forwards the information to the card networks. For instance, Mastercard, Visa, American Express, RuPay, etc. These card networks run a fraud check and forward the information to the Issuing Bank.
- The Issuing Bank authorizes the payment and checks fund availability. If the customer has enough funds, the Issuing bank sends a positive response to the card networks.
- The card company relays the message to the Acquiring Bank.
- Finally, the payment gateway forwards the status of payment to the merchant and the customer.
- In case the payment is approved, the Acquiring Bank requests the funds from the Issuing Bank. The Payment Aggregator receives the funds and settles them with the merchant.
The settlement can be instant or standard, as per the pre-decided agreement.
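The "encrypts and tokenizes" step above is the one that keeps raw card data away from the merchant. The following is an added illustration written for this post, not Cashfree code: it assumes a gateway-side in-memory vault that maps a random token to the card number (PAN), returns the merchant only the token plus a masked PAN, and passes the CVV through for authorization without ever storing it. The test card number and expiry are constructed sample values.

```python
# Added illustration of the "encrypts and tokenizes" step; not Cashfree code.
# Assumptions (mine): an in-memory gateway vault maps a random token to the PAN,
# the merchant keeps only the token and a masked PAN, and the CVV is validated
# for the authorization message but never written to the vault.
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation of a PAN made of digits only."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Gateway-side vault: random token in, PAN out. Only the gateway sees it."""

    def __init__(self) -> None:
        self._store = {}

    def tokenize(self, pan: str, expiry: str, cvv: str) -> dict:
        pan = re.sub(r"\D", "", pan)                      # drop spaces and dashes
        if not (12 <= len(pan) <= 19) or not luhn_valid(pan):
            raise ValueError("invalid card number")
        if not re.fullmatch(r"\d{3,4}", cvv):
            raise ValueError("invalid CVV")
        token = "tok_" + secrets.token_urlsafe(24)         # 192 bits of randomness
        self._store[token] = {"pan": pan, "expiry": expiry}  # CVV deliberately omitted
        # What the merchant is allowed to keep:
        return {"token": token, "masked_pan": mask_pan(pan), "expiry": expiry}

    def detokenize(self, token: str) -> dict:
        """Used by the gateway itself when it builds the authorization message."""
        return dict(self._store[token])

    def stores_cvv(self) -> bool:
        """Sanity check a reviewer can run: the vault must never hold a CVV."""
        return any("cvv" in rec for rec in self._store.values())
```

The token is what the merchant stores and later sends back for repeat payments; a leak of the merchant's database exposes only tokens and masked PANs, which are useless outside this gateway's vault.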
Well, this was the concise version of how a payment gateway works.
However, if you want to understand the concept in detail, read on!
First, to understand what a payment gateway is, we need to understand the payment gateway architecture.
Let’s dive in.
What is Payment Gateway Architecture? The Different Software Components
So, what are the various software entities involved in online payment processing?
Well, it goes something like this.
This section covers the basic flow, which has three steps.
A payment gateway uses 4 different parties to ensure that the payment goes through in a completely secure and seamless fashion.
And that too, in a matter of minutes!
The payment gateway works under the 3D secure authentication protocol, which has 3 components.
But what is a 3D secure payment gateway?
3D secure is an XML-based protocol designed by Visa, that adds an additional security layer for online card transactions.
This protocol has been adopted by other leading global card networks like MasterCard, American Express, and more.
The ‘D’ in 3D-Secure stands for ‘domain.’
Naturally, there are 3 of them — the acquiring domain, the issuing domain and the interoperability domain.
The interoperability domain links the former two together.
Here are their functions in a 3D-Secure payment gateway.
Issuer Domain – Access Control Server (ACS)
The issuing domain is where the issuing bank operates.
They issue cards to cardholders, who use them to make online purchases.
The bank deploys a server known as the access control server (ACS). It’s used to receive 3D secure messages, process the messages and authenticate the card user and the transaction.
Interoperability Domain – Directory Server (DS)
The interoperability domain consists of the Directory Server deployed by the card network.
It can be considered the foundation holding the entire 3D-secure mechanism together.
The directory server acts as a ‘directory’ for the acquiring and issuing bank to transact money between each other.
As the name suggests the directory serves as a mapping server where acquiring banks send a message to the card network’s DS.
It holds the “directory” of all the BIN ranges of the corresponding issuing banks. The Directory Server will receive the message from the MPI and check the card number against the BIN range directory.
Thereafter, it forwards that message to the correct issuing bank. The issuing bank would then proceed with authenticating the card user.
The Acquiring Domain – Merchant Plug-In (MPI)
The acquiring domain is where the payment gateway and acquiring banks sit.
They initiate the transaction, which they wish to be authenticated.
In order to do so, entities in acquiring space need to deploy a “merchant plug-in”, also known as “MPI”.
Payment Switch could be thought of as an independent entity that facilitates communication between all these players.
The payment gateway uses a switch exclusively to communicate with various stakeholders during a payment procedure.
It is expected to be highly reliable, performant and versatile, as it has to process a huge volume of varied payments every day.
The payment switch:
- Accepts the request for payment and facilitates the processing of real payments between providers
- Understands which provider it needs to process with
- Formats the message for that provider and sends it to them
- Gets a response
- Converts the response to a generic format and sends it back to the caller
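The five bullets above are a format-send-normalize loop. Here is an added example of that loop, written for this post and not taken from Cashfree or any real switch: two hypothetical providers (a card provider that answers with numeric response codes and a UPI provider that answers with a status string) are stubbed, and the switch picks one by payment mode, formats the outgoing message for it, and maps its answer back to one generic result. All provider names, fields and decline codes are constructed.

```python
# Added example of the switch's format -> send -> normalize cycle; not from the
# post or Cashfree. Both providers and their wire formats are hypothetical stubs.
from dataclasses import dataclass


@dataclass
class SwitchResult:
    """The generic response every caller of the switch receives."""
    provider: str
    approved: bool
    reference: str
    reason: str = ""


class CardProviderStub:
    """Hypothetical card provider: numeric response codes, '00' = approved."""
    name = "card-provider-x"

    def send(self, msg: dict) -> dict:
        rc = "00" if msg["amt"] <= 50000 else "51"   # '51' = decline (constructed)
        return {"rc": rc, "rrn": "RRN%08d" % msg["amt"]}


class UpiProviderStub:
    """Hypothetical UPI provider: string status plus a reason field."""
    name = "upi-provider-y"

    def send(self, msg: dict) -> dict:
        ok = msg["payerVpa"].endswith("@okbank")     # constructed acceptance rule
        return {"status": "SUCCESS" if ok else "FAILURE",
                "txnId": "UPI-" + msg["ref"],
                "reason": "" if ok else "INVALID_VPA"}


class PaymentSwitch:
    def __init__(self) -> None:
        self._providers = {"card": CardProviderStub(), "upi": UpiProviderStub()}

    # Per-provider formatting of the outgoing message.
    @staticmethod
    def _to_card(req: dict) -> dict:
        return {"amt": req["amount_paise"], "tok": req["card_token"]}

    @staticmethod
    def _to_upi(req: dict) -> dict:
        return {"payerVpa": req["vpa"], "amount": req["amount_paise"] / 100,
                "ref": req["order_id"]}

    # Per-provider normalisation of the reply into (approved, reference, reason).
    @staticmethod
    def _from_card(raw: dict) -> tuple:
        ok = raw["rc"] == "00"
        return ok, raw["rrn"], "" if ok else "decline code " + raw["rc"]

    @staticmethod
    def _from_upi(raw: dict) -> tuple:
        return raw["status"] == "SUCCESS", raw["txnId"], raw["reason"]

    def process(self, req: dict) -> SwitchResult:
        mode = req.get("mode")
        provider = self._providers.get(mode)
        if provider is None:                      # unknown mode: fail closed
            return SwitchResult("none", False, "", f"unsupported mode: {mode}")
        to_wire, from_wire = {"card": (self._to_card, self._from_card),
                              "upi": (self._to_upi, self._from_upi)}[mode]
        raw = provider.send(to_wire(req))
        approved, ref, reason = from_wire(raw)
        return SwitchResult(provider.name, approved, ref, reason)
```

The caller never sees a provider-specific field, which is exactly what lets a gateway add or swap providers without touching merchant-facing code.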
Now that we have covered these components, let’s check out how they interact to make online payment processing possible!
How Payment Gateway Works: Detailed Version For Experts
Step 1: Card Authentication
The first step in a transaction is to authenticate the cardholder’s account number and check whether it falls within an issuer card range that participates in the 3D secure platform.
The merchant server plug-in (MPI) communicates with the card network to confirm if the card is valid.
Moreover, it checks if the card is a part of the 3D-secure platform (secret code, or one-time passwords).
The steps of card authentication are as follows.
Steps of Card Authentication
| Message | What happens |
|---|---|
| Verification Request (VEReq) | The merchant server plug-in (MPI) sends a Verification Request message to the card network’s directory server (DS). The DS forwards it to the appropriate issuer bank’s ACS to determine whether the card is valid and enrolled in the 3D secure program or not. |
| Verification Response (VERes) | The card network directory returns a Verification Response to the MPI, indicating whether the card is valid and whether it is enrolled in the 3D-Secure program. The enrollment status is one of the values listed below. |
| Error messages | Shared by the card network’s directory server when the merchant is unable to provide the appropriate credentials. The error codes are listed below. |
VERes enrollment statuses:
- Y = Authentication Available: the cardholder is enrolled, Activation During Shopping is supported, or proof of attempted authentication is available. The merchant uses the URL of the issuer ACS included in the VERes to create the Payer Authentication Request.
- N = Cardholder Not Participating: the cardholder is not enrolled.
- U = Unable to Authenticate, or Card Not Eligible for Attempts (such as a Commercial or anonymous Prepaid card).
Error codes:
- 50 = Acquirer is not participating in the 3D secure program
- 51 = Merchant not participating
- 52 = Password is missing
- 53 = Incorrect password
- 54 = Incorrect Common Name value in the client certificate
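To make Step 1 concrete, here is an added simulation, written for this post and not taken from Cashfree or any card network, of the VEReq/VERes exchange: the directory server first checks the merchant's credentials (producing the 50 to 54 codes above), then does the BIN-range lookup described in the architecture section to find the issuer ACS, and the ACS answers Y, N or U. It goes slightly beyond the table by showing the merchant-credential checks and the BIN routing as one function. Every BIN range, ACS URL, credential and card number is constructed sample data.

```python
# Added simulation of 3-D Secure Step 1 (VEReq/VERes): DS credential checks,
# BIN-range routing, ACS enrollment answer. Not code from the post or Cashfree;
# all BINs, URLs, credentials and PANs are constructed sample data.
import hmac

# Directory Server: BIN range -> (issuer, ACS URL). Constructed.
BIN_DIRECTORY = [
    (400000, 400999, "issuer-a", "https://acs.issuer-a.example/pareq"),
    (510000, 519999, "issuer-b", "https://acs.issuer-b.example/pareq"),
]

# Acquirers and merchants registered with the DS. Constructed.
ACQUIRERS = {
    "ACQ-100": {
        "participating": True,
        "merchants": {
            "MER-1": {"participating": True, "password": "correct-horse", "cert_cn": "MER-1"},
            "MER-2": {"participating": False, "password": "x", "cert_cn": "MER-2"},
        },
    },
}

# Issuer ACS enrollment data; 'U' marks a card type excluded from attempts
# (e.g. an anonymous prepaid card); anything not listed is 'N'. Constructed.
ACS_ENROLLMENT = {
    "issuer-a": {"4000001234567899": "Y", "4000009999999999": "U"},
    "issuer-b": {"5100001111111111": "Y"},
}

ERROR_TEXT = {50: "Acquirer not participating", 51: "Merchant not participating",
              52: "Password missing", 53: "Incorrect password",
              54: "Incorrect Common Name in client certificate"}


def lookup_bin(pan: str):
    """DS side: map the card's first six digits to an issuer and its ACS."""
    bin6 = int(pan[:6])
    for low, high, issuer, acs_url in BIN_DIRECTORY:
        if low <= bin6 <= high:
            return issuer, acs_url
    return None


def acs_enrollment_check(issuer: str, pan: str) -> str:
    """Issuer ACS side: is this cardholder enrolled?"""
    return ACS_ENROLLMENT[issuer].get(pan, "N")


def directory_server(vereq: dict) -> dict:
    """Card-network DS: validate merchant credentials, then route by BIN range."""
    acq = ACQUIRERS.get(vereq.get("acquirer_bin"))
    if acq is None or not acq["participating"]:
        return {"error": 50}
    merchant = acq["merchants"].get(vereq.get("merchant_id"))
    if merchant is None or not merchant["participating"]:
        return {"error": 51}
    pwd = vereq.get("password")
    if not pwd:
        return {"error": 52}
    if not hmac.compare_digest(pwd, merchant["password"]):   # constant-time compare
        return {"error": 53}
    if vereq.get("cert_cn") != merchant["cert_cn"]:
        return {"error": 54}
    hit = lookup_bin(vereq["pan"])
    if hit is None:                       # issuer not in the 3-D Secure directory
        return {"enrolled": "N"}
    issuer, acs_url = hit
    status = acs_enrollment_check(issuer, vereq["pan"])
    veres = {"enrolled": status}
    if status == "Y":
        veres["acs_url"] = acs_url        # the MPI needs this to build the PAReq
    return veres


def mpi_verify(pan: str, merchant_id="MER-1", password="correct-horse",
               acquirer_bin="ACQ-100", cert_cn="MER-1") -> dict:
    """Merchant plug-in: build the VEReq and interpret the VERes."""
    veres = directory_server({"acquirer_bin": acquirer_bin, "merchant_id": merchant_id,
                              "password": password, "pan": pan, "cert_cn": cert_cn})
    if "error" in veres:
        return {"ok": False, "error": veres["error"], "text": ERROR_TEXT[veres["error"]]}
    return {"ok": True, **veres}
```

Note that only a Y answer carries an ACS URL: a merchant that tries to start payer authentication on an N or U result has nowhere to send the PAReq, which is why the MPI must branch on the enrollment status before Step 2.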
Step 2: Payer Authorization
After verifying the card is legit and can participate in the 3D-Secure program, the actual process of payer authentication takes place for each online purchase.
Now, remember that this is payer authorization as opposed to the card authentication in the previous step.
It can be confusing as the players remain the same even though the function changes.
Instead of the Verification Request and Response (as in the first step), the MPI sends a Payer Authentication Request/Response (PAReq/PARes).
Here, the (PAReq/PARes) are sent from the merchant plug-in to the Access Control Server to initiate the actual authentication.
At this point in the process, the cardholders’ CVV will be verified.
The Access Control Server (ACS) will perform authentication and, if successful, generate an Accountholder Authentication Value (AAV).
It is returned to the merchant within the PARes message.
ACS providers should provide AAV values for all payment attempts to the Issuer.
There can be various authentication results from the Issuer’s ACS. For instance:
Possible Authentication Results:
| Authentication determined by Issuer’s ACS | Transaction Status value |
|---|---|
| Authentication successful: the issuer has authenticated the transaction, the cardholder having entered the right CVV and other identification parameters. | Y |
| Authentication failed: the cardholder’s password (or other authentication information) failed validation, so the issuer is not able to authenticate the cardholder. Merchants are not permitted to submit these transactions for authorization processing. | N |
| Authentication could not be performed: the issuer ACS is not able to complete the authentication request. Merchants may proceed with these purchases as non-authenticated and retain liability if the cardholder later disputes making the purchase. | U |
Reasons for authentication failure (N):
- The cardholder fails to correctly enter the authentication information within the issuer-defined number of entries (a possible indication of a fraudulent user).
- The cardholder “cancels” the authentication page.
Reasons authentication could not be performed (U):
- The card type is excluded from attempts (such as a Commercial Card or an anonymous Prepaid Card).
- The ACS is not able to handle the authentication request message.
- The ACS is not able to establish an SSL session with the cardholder’s browser.
- A system failure prevents proper processing of the authentication request.
Transactions that proceed after a U result are non-Verified by Visa electronic commerce transactions.
When the PARes has a U and an Invalid Request Code of 55, this indicates that the Account Identifier in the PAReq did not match the value returned by the ACS in the VERes. Merchants must view this as an invalid transaction.
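The result table above is really a decision rule for the merchant's MPI. The following is an added example of that rule, written for this post and not taken from Cashfree or any MPI product: it checks that the digitally signed PARes passed signature verification (modelled here as a boolean supplied by a hypothetical verification step), that the account identifier did not drift between VERes and PAReq, and then maps Y, N, U and the iReq 55 case to "submit for authorization or not" and "who carries liability". Field names and sample values are constructed.

```python
# Added example of acting on PARes outcomes; not from the post or Cashfree.
# Assumptions: `signature_ok` is the result of a separate (hypothetical)
# signature check on the PARes; field names are constructed. The rules
# (N must not be authorized, U with iReq 55 is invalid, other U may proceed
# non-authenticated with the merchant retaining liability) follow the post.
from dataclasses import dataclass


@dataclass
class Decision:
    submit_for_authorization: bool
    authenticated: bool
    liability: str          # "issuer", "merchant" or "none"
    reason: str
    aav: str = ""           # carried into the authorization message when present


def decide_from_pares(verify: dict, pareq: dict, pares: dict) -> Decision:
    """verify = the earlier VERes result, pareq = what the MPI sent, pares = ACS reply."""
    # Never act on a response whose issuer signature did not verify.
    if not pares.get("signature_ok"):
        return Decision(False, False, "none", "PARes signature invalid or missing")

    # Defensive local check: the account identifier must not change between messages.
    if pareq["account_id"] != verify["account_id"]:
        return Decision(False, False, "none", "PAReq account identifier differs from VERes")

    status = pares.get("tx_status")
    if status == "Y":
        if not pares.get("aav"):
            return Decision(False, False, "none", "successful PARes without AAV")
        return Decision(True, True, "issuer", "cardholder authenticated", pares["aav"])
    if status == "N":
        # Failed password/OTP or cancelled page: not permitted for authorization.
        return Decision(False, False, "none", "authentication failed")
    if status == "U":
        if pares.get("ireq_code") == 55:
            return Decision(False, False, "none",
                            "invalid transaction: account identifier mismatch (iReq 55)")
        return Decision(True, False, "merchant",
                        "authentication could not be performed; proceeding non-authenticated")
    # Anything unexpected is neither authenticated nor submitted.
    return Decision(False, False, "none", f"unknown transaction status {status!r}")
```

The shape worth copying is that every branch that is not an explicit, signed Y ends with the merchant either declining to authorize or knowingly accepting liability; there is no path where an unverified or malformed response is treated as a success.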
Once these steps are finalized, the payment authorization takes place.
The merchant sends a request to get access to funds from the acquirer. The acquirer now submits the request to the Issuing bank.
The issuer reviews the request and decides if enough funds exist to cover the purchase of the customer.
If they do, the authorization is made: for a debit card the funds are deducted, and for a credit card the credit line is adjusted for the amount of the sale.
At this time, a transaction code is shared with the MPI, which then analyzes it for successful or unsuccessful authorization.
If the authorization is successful, the merchant can now move to the last step of the payment: capturing funds.
Capturing Funds
Credit and debit card capture is the last part of a transaction via a payment gateway. It’s when the authorized money is transferred from the customer’s account to the merchant’s account.
It takes place after a payment undergoes successful authorization.
Essentially, the transaction amount doesn’t reach the merchant account until the funds are captured.
Post the authorization:
- the card network tells the MPI and the issuer that the card is authorized.
- Thereafter, the transaction can take place. The funds can be transferred from the customer’s account to the merchant’s account.
- The authorization deducts the credit line or account balance, so the money is ready to be dispatched to the merchant’s account.
There is a given time frame set between an authorization and capture. Usually in the standard procedure:
- Debit cards settlements can take 3-4 days.
- For credit cards, the usual cycle is between 4-28 days.
Leading payment systems for eCommerce providers like Cashfree Payments settle in T+1 days.
Transactional capture happens in two ways:
- Automatically: This is the most common scenario. The credit/debit card capture is automatically sent by the merchant’s acquiring bank on behalf of the merchant. This removes the need for the merchant to manually put in a request for fund capture, and the funds are captured immediately after the authorization takes place.
- Delayed: The merchant requests the ability to control when the funds are transferred to his or her account. If the request isn’t sent within the authorization period, the authorization expires and the capture fails. This is most common for PayPal, where the money is released only after the customer receives their goods or services.
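The authorize-then-capture lifecycle above, with its automatic and delayed variants and the expiry failure mode, is easy to get wrong in merchant code. The following is an added example written for this post, not Cashfree code: a small state machine in which an authorization is either captured at once by the acquirer or captured later by the merchant, and a capture after the validity window (the 7-day window here is an assumed value; real windows vary by scheme and acquirer) or for more than the authorized amount is rejected.

```python
# Added example of the authorization -> capture lifecycle; not from the post or
# Cashfree. The 7-day validity window is an assumption for illustration.
from datetime import datetime, timedelta

AUTH_VALIDITY = timedelta(days=7)   # assumed; real windows vary by scheme/acquirer


class Authorization:
    """authorized -> captured, or authorized -> expired if capture comes too late."""

    def __init__(self, amount_paise: int, authorized_at: datetime, auto_capture: bool):
        self.amount = amount_paise
        self.authorized_at = authorized_at
        self.state = "authorized"
        self.captured_amount = 0
        if auto_capture:                # acquirer captures on the merchant's behalf
            self.capture(authorized_at)

    def expires_at(self) -> datetime:
        return self.authorized_at + AUTH_VALIDITY

    def capture(self, now: datetime, amount_paise: int = None) -> str:
        """Delayed capture: the merchant decides when (and how much) to capture."""
        amount = self.amount if amount_paise is None else amount_paise
        if self.state != "authorized":
            return f"capture rejected: state is {self.state}"
        if now > self.expires_at():
            self.state = "expired"      # authorization lapsed; a new one is needed
            return "capture rejected: authorization expired"
        if amount <= 0 or amount > self.amount:
            return "capture rejected: amount exceeds authorization"
        self.state = "captured"
        self.captured_amount = amount
        return "captured"
```

A merchant running delayed capture (ship first, capture on delivery) should schedule a check against `expires_at()` rather than discover the expiry when the capture call fails.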
This was the complete breakdown of what a payment gateway in eCommerce is and how it works.
But we bet you still have some queries.
Let us help you in the FAQ section.
FAQs about What is Payment Gateway?
What is payment gateway in eCommerce responsible for?
Here are all the responsibilities of a payment gateway.
- Manages the merchant’s switch configurations – Defines a sub-merchant ID for each merchant payment configuration and communicates with the payment switch using this ID to validate transactions.
- Merchant’s transaction rules – Defines limitations for the merchant’s transactions. For instance, the minimum and maximum amount a merchant can transact from a card in a day, restricting transactions from credit cards issued in a particular region, etc.
- Manages the merchant’s 3D secure configurations – As discussed above, the payment gateway communicates with the card network with the help of a payment switch. It checks if the cardholder is enrolled for 3DS: the related MPI looks up the card in the card network’s directory server and returns the response to the payment gateway.
- Processes payments – Makes a request to the payment switch to process payments, receives the results and returns them to the customer.
- Sends payment records – Receipts and confirmations to the merchant and customers.
- Encryption and security – Ensures that no data is leaked, as financial data is extremely sensitive.
What are the different types of payment gateway?
Payment gateways can be clustered under two main categories.
On the basis of provider:
- Bank Payment gateways
- Third-party payment gateways like Cashfree Payments
On the basis of payment flow:
- Hosted Payment Gateway: Customer is redirected to the payment gateway’s page for entering payment details. Allows easy integration where PCI DSS compliance is handled by the payment gateway provider.
- Self Hosted Payment Gateway: The customer remains on the payment page hosted by the merchant and enters information. Offers higher control over user payment experience.
- Off Website Payment Gateway: Payment instruments like QR codes, payment links and excel sheet payments.
Read more about types of payment gateway here.
What are payment gateway charges?
Payment gateway charges differ from one provider to another.
The pricing of your payment gateway can fluctuate depending on:
- The type of payment mode
- The pricing of your provider
- The type of settlement (instant or standard)
- The payment instruments used (off or on website options)
What is payment gateway integration?
You need to integrate your website or app with your payment gateway to accept payments.
Now, most leading providers offer detailed integration guides and SDKs. Moreover, they offer integration instructions in all major languages.
Your payment gateway integration will depend on your type of integration (seamless or normal checkout) as well as your OS.
Here are some links you might find useful.
- Android SDK
- iOS SDK
- React Native SDK Version 2.0.0
- React Native SDK Version 2.1.0
- Flutter SDK
- Cordova SDK
- Android Support SDK: Xamarin
- Xamarin AndroidX SDK
- iOS SDK: Xamarin
- Xamarin Forms SDK
What is payment gateway vs payment processor vs merchant account?
- A payment gateway encrypts/tokenizes the payment details. It communicates the payment information between the acquiring bank and the merchant.
- A payment processor communicates the payment details and responses between card networks and Issuing and Acquiring banks.
- The merchant account is a business bank account. The merchant receives the settlement from the acquiring bank here.
So this is how a payment gateway works: there are multiple people and parties involved in a payment that takes just a few seconds to go through. If you have any further queries regarding payment gateways, please do share them in the comment section below.
Also, do check out Cashfree’s payment gateway. It’s one of India’s premier payment gateway solutions. It accepts 120+ payment modes such as cards, UPI, digital wallets and more.