eCommerce Payment Gateways: An Introduction
If you’re thinking of selling products online through your website, then using an eCommerce payment gateway is simply a must.
Setting up a payment gateway can however, be a daunting task, especially if you’re new to setting up websites and online transactions. You might be asking yourself – where do I start?
Well fear not – it’s simpler than it seems!
Historically it has been difficult and time consuming to set up a system where a customer can submit an order for a product through an online website, have the funds taken from their account, and the funds transferred to the merchant’s account.
Setting up a merchant account involved visiting the bank in person, setting up multiple agreements, adhering to the bank’s requirements, as well as meeting the bank’s risk requirements and providing a large initial deposit.
Nowadays, much of this is minimized and can be done online. Thankfully, with the introduction of fully inclusive solutions, this process has been made quick and simple, with many payment gateways taking just minutes to set up.
But first let’s get into exactly what a payment gateway is – although if you already understand what a payment gateway is, then you can skip this section!
What is a payment gateway?
A payment gateway is essential a system that allows you to receive payments from your customers for online products or services.
From the point of a customer placing an order for a product or service, a payment gateway should handle the customer’s payment transaction – receiving the payment and depositing it in your bank account or merchant account.
If you’re new to eCommerce though you may still be asking – why do I need payment gateway?
Well, the simple answer is you need a payment gateway so that you can get paid for your product sales through your online store. WIthout one, you would struggle to gain income from your online business! You wouldn’t want to go back to posting cheques, or going in to the bank to send money, would you?
While there are alternative methods of sending money like Apple Pay or Android Pay, these systems offer many more features than traditional payment gateways, so we will be returning to these later.
What are the main types of payment gateways?
In general, most payment gateways can be categorized into Onsite and Offsite gateways. In this section we will explain what each type of gateway is, the differences between the two, as well as the pros and cons of each.
An onsite payment gateway is, as the name suggests, a payment gateway that allows you to receive transactions directly on your website. This means that customers can enter their card details, pay for their products, and complete the transaction without ever needing to leave your website. Visitors are never redirected to an external payment gateway provider website, unlike with Offsite payment gateways.
Onsite gateways can also be either visible, or invisible – meaning the visitor will either see the payment gateway provider’s branding, or they won’t see any branding. Smaller to medium sized businesses will most commonly have onsite payment gateways with the provider’s branding visible, because it’s easier and often cheaper to setup than a non-branded gateway. Larger businesses may have invisible onsite gateways with no branding from the gateway provider, if they have the resources and budget to implement this.
Stripe would be an example of a payment gateway with an onsite option, as the checkout part of the transaction can occur on your website without needing to visit the payment gateway’s website, although the actual payment processing happens on their end. Stripe will still show Stripe branding though, so it’s not a fully invisible onsite gateway. As with most onsite payment gateways, you would need to use Stripe’s API on your website for this to work.
Perhaps the biggest benefit of using an onsite payment gateway system is that the checkout process happens seamlessly through your website and is in many cases, much simpler than offsite gateways. Customers don’t have to visit external websites before completing the transaction, meaning your customers have much less chance of getting confused.
This in turn means that you’re less likely to see your customers abandoning the purchase during the checkout process – which can mean less loss of revenue!
As onsite gateways don’t require the customer to be taken to the payment gateway provider’s website, there’s a few extras you need to account for. The most important consideration with an onsite gateway is that you’ll need to go through a lot of audits and security testing to verify that your website meets the requirements for an onsite payment gateway
First your website needs to pass an extensive PCI audit before being able to host an onsite payment gateway. This involves meeting many security requirements including relevant protection of card details, implementing access control measures, maintaining a secure network, and much more which we will go into detail with further into this post.
Your provider may also require you to undergo additional security tests such as server penetration testing and meeting GDPR compliance, depending on which payment gateway you choose.
Perhaps the most noticeable downside of using an onsite payment gateway is that the costs are usually higher. You’ll often find that you have to pay to install and use the software on your website. Implementing an onsite gateway on your website also requires that you have technical knowledge about API’s and payment gateways, so you may also need to contract a developer to help you add the payment gateway.
An offsite payment gateway is where the customer is taken from your website to the payment gateway provider’s website to make the payment, during the checkout process. Essentially this means that the payment gateway provider handles all of the transaction from the customer entering their card details, to you receiving the funds – without any of this being processed on your website. Offsite payment gateways can be very simple and quick to set up, making them perfect for startups or smaller businesses.
An example of a payment gateway with an offsite option would be Worldpay (which does also have an onsite version). Typically you would be redirected to Worldpay’s website to complete the transaction and verify your payment details, after which you’d be taken back to the merchant’s website.
One of the biggest benefits of offsite payment gateways is the lower costs involved in setting the system up and maintaining it. Many offsite payment gateways are considerably cheaper than onsite payment gateways, and some are even free.
Another substantial benefit of using an offsite gateway is the easier and quicker setup process. Offsite payment gateways are usually much simpler and faster to set up than onsite payment gateways, so it’s often the popular choice for smaller websites or businesses.
Offsite payment gateways don’t come without their downsides though. One of the most apparent downsides is that redirecting customers to the payment gateway provider’s website during the checkout process can cause a loss of trust in your brand – as you’re not processing everything on your own website, and are instead relying on a third party.
Regular subscriptions can also be more hassle with offsite gateways, as providers won’t typically keep your card on file – meaning you may need to check back and pay each time.
A side effect of this is that customers are more likely to abandon the checkout process after being redirected to the payment gateway provider’s website. Since they’re being taken away from your website, they’re more likely to give up on the purchase.
What are the main payment gateway providers?
Over the years many payment gateway providers have been started, each striving to find their place in the eCommerce world. Some of the bigger payment gateway providers you will have no doubt heard of, however due to the sheer number of payment gateways available now, we won’t be covering all of them here.
In this section we will explain the most popular and biggest payment gateway providers.
Stripe has been one of the most popular payment gateways in the market for a few years now and has grown to become available in over 20 countries, and over 135 currencies. With a clear pricing structure, great ecommerce integration, and an easy to use interface, Stripe has been the go-to payment gateway for many online businesses.
Stripe not only lets you handle billing of recurring customers, it also lets you process one-off payments, and even handle in-person payments.
Another advantage Stripe has is it’s developer-centric design, with the API allowing you to customise the checkout experience to your own requirements.
Since its beginnings in 1998, PayPal has grown to become the biggest and most recognised player in the eCommerce game. You’re probably already aware of PayPal and it’s no surprise – it’s easily the most widely used payment gateway system in the world.
As a payment gateway, PayPal provides a myriad of features designed to help streamline every aspect of an eCommerce transaction. Not only does PayPal provide payment gateway systems for merchants selling products online, it also provides casual services for users to transfer money between friends and family, or other businesses.
Flexibility and ease of use are PayPal’s biggest selling points, and there are very few systems that match it. PayPal is one of the easiest systems to set up and integrate with your store, with dedicated apps for your smartphone to process payments.
While PayPal may be one of the biggest end-user payment gateways, WorldPay is the largest payment gateway provider in the United Kingdom.
Due to it’s high level of flexibility and security, WorldPay is used by many big businesses all throughout the UK, such as The British Heart Foundation, Tesco, and HMV. Data security standards are the focus and WorldPay is fully PCI DSS compliant – which straight away makes it the go-to choice for many businesses in the UK.
Payment Gateways vs Payment Processors
Payment gateways and payment processors are both key functions in the payment processing chain. You may have heard of both of these however the two are commonly confused with one another. The two terms are closely related and at first glance, the two terms look synonymous. They are in fact, entirely different systems with different functions.
In order to gear your website for handling payments securely and efficiently, it’s important to understand what these two distinct systems are and what they’re used for.
In this section we will explain the key differences between payment gateways and payment processors.
What is a payment processor?
A payment processor is essentially a system which communicates transactional information between the merchant selling the product, the merchant’s bank account, and the customer’s bank account. These systems work in the background to process all of the transactional data between a merchant account and the payment gateway.
Essentially the process goes as follows:
The payment processor connects to the payment gateway, which receives transactional information from the customer’s bank account. The payment processor validates and executes the transaction, after which, the payment gateway is notified if the transaction was successful. Finally the payment processor deposits the funds into the merchant’s bank account.
Differences between payment processors and payment gateways
Payment processors and payment gateways are often interchangeable, with some platforms functioning as both processors and gateways, so the two terms are often confused with the other.
Functionally the main difference between a payment processor and a payment gateway, is that payment gateways are typically used within e-commerce systems and when a credit or debit card isn’t present. Payment processors on the other hand, rely on payment cards to authorize, encrypt, and process transactions. The two do however, very often work hand-in-hand, to provide a seamless and easy-to-use ordering process.
Think of payment gateways as a POS (point of sale) terminal for online transactions, and payment processors as card processing machine.
When you go into a shop and pay for something with your card in the card reader, the card reader would be the payment processor, while the payment gateway would be the system that transfers the money from your card to the shop (the till system).
How does a Payment Gateway work?
The way a payment gateway system works can often be fairly complex and as such, most people don’t understand how payment gateways work – especially since you don’t know how it works to be able to use one. It can however be helpful when deciding between different payment gateways, so in this section we’ll go over exactly how a payment gateway system functions.
The first step of an eCommerce transaction through a payment gateway is the customer placing an order for the product through the website. This typically involves adding an item to their shopping cart, proceeding to the checkout, and filling in the payment details. The process may differ slightly between websites but this is by far the most common method of ordering a product online.
After receiving the customer’s payment details, the merchant’s payment gateway securely transfers the card information and order information to the payment processor via an HTTPS connection enabled by an SSL certificate on the merchant website. All details are encrypted before being sent to the payment processor in order to avoid any malicious third parties gaining access to payment information.
Next the customer is redirected to the payment processor’s website, to finalize the transaction details. In this step, the customer verifies the payment information to make sure that there’s no errors in the payment details or payment method.
Now the payment processor will communicate with the customer’s bank to either authorise or decline the transaction, depending on whether the required funds are available or not. After this the payment processor will communicate the result of the transaction with the payment gateway. The payment gateway will then verify if the payment is successful, and will display either a message to let the customer know that the payment was unsuccessful, or that the payment was successfully processed.
The customer’s bank will now settle the money with the payment gateway, and the payment gateway will settle the money with the merchant. Finally, the customer will be taken back to the online store of the merchant, where they originally ordered the product.
Onsite Payment Gateway
Completing transactions with an onsite payment gateway system is very similar to an offsite payment gateway system, with the main difference being that the customer isn’t taken to a third party website to process the transaction. The entire transaction process, from checkout to payment confirmation, is all verified and processed on the merchant’s website.
Another difference is that onsite payment gateways will often require the merchant’s website to store the payment details, meaning that card details will be stored in a database along with the customer’s contact details such as name and email address.
Security in Payment Gateways
Since payment gateways deal with extremely sensitive information that people use on a daily basis, ensuring the highest level of security is absolutely paramount. Thankfully, payment gateway providers recognise this, and most payment gateway systems are designed with security at the forefront.
This doesn’t mean that intrusions and security breaches don’t occur however. Many big players have had malware implanted in their networks, theft of customer information, denial of service attacks, and many other forms of malicious activity.
Over the years measures have been taken to drastically increase security standards across payment platforms in order to help minimise the amount of damage that malicious parties can cause to eCommerce transactions, as well as limiting the frequency of intrusions and cyber attacks. Security is one of the biggest selling points in many of the biggest payment gateway providers.
Encryption is one of the most important aspects of a secure payment gateway system. All reputable payment gateways have complete end-to-end encryption, and you should never use one that doesn’t!
Payment details are encrypted as soon as you enter them into the payment gateway, using the payment gateway’s cryptographic public key – and can only be decrypted on the other end by the payment gateway’s private key. The gateway uses an algorithm to ensure that no unauthorised parties can decrypt the payment information being transferred, meaning the data is masked from any malicious parties.
Encryption has become an industry-wide security standard and nearly every payment gateway provides full encryption with all transactional services.
PCI DSS Compliance
Organisations or businesses that handle any kind of customer payment information are subject to the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS is essentially a set of information security standards designed to protect customers of e commerce websites as well as the merchants running ecommerce websites, in addition to helping reduce and minimise payment card fraud.
As per their official website, the main PCI DSS requirements are as follows:
Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management programme
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
Implement strong access control measures
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an information security policy
- Maintain a policy that addresses information security for employees and contractors.
Tokenization has become a growing trend in the world of online payments, especially with mobile payment applications becoming more popular. Tokenization is essentially a security measure aimed at adding an additional level of safety to sensitive credit card information.
Tokenization protects sensitive payment data from fraud by replacing it with a number, or token, which is algorithmically generated. The customer’s account number is replaced by a series of randomly generated numbers, referred to as the ‘token’. This is then passed through the internet to the relevant payment processor without the bank details themselves being exposed. The actual customer account number is held in a secure token vault, hidden from malicious third parties.
Tokenization protects users from hackers by hiding the payment data – so even if a hacker does gain access to a system or network, all they will see is a random number, rather than account and card details. Tokens can also be replaced very quickly in the case of a data breach, so replacement cards don’t need to be requested.
Secure Sockets Layer (SSL)
Using a Secure Sockets Layer (SSL) certificate on your website is essential if you’re dealing with sensitive customer information. You will in fact often be penalized in several different ways if you don’t have an SSL certificate on your website!
SSL Certificates secure all information passed between a user’s web browser and a web server, therefore preventing any malicious parties from intercepting the transmission and seeing any sensitive information. You’ll find that nearly every reputable eCommerce website or payment gateway has a trusted SSL certificate in use, and if there isn’t one, then you shouldn’t use that website.
An SSL certificate is a small data file which uses cryptographic keys to secure connections between a web server to a user’s browser.
How does an SSL Certificate Work?
The web server holds a copy of the SSL certificate’s public key which is sent to the browser along with the SSL certificate itself, which the browser then checks against it’s list of trusted Certificate Authorities (CAs) to verify that the certificate is legitimate and not expired or revoked. Once the certificate is trusted by the browser, it creates and encrypts a symmetric session key (using the server’s public key), after which this key is sent to the web server.
Next, the web server decrypts the session key using it’s private key, and sends back an acknowledgement along with the session key, allowing the user’s web browser to start the encrypted session.
Now the browser and server will encrypt all transmitted data, fully securing both from any malicious attacks.
How do I choose my payment gateway?
Deciding on your payment gateway can be difficult when there are so many different options to choose from! You may be asking yourself – which one is right for me? Does it make a difference which one I choose?
In this section we’ll explain how you can make the most informed decision when choosing your payment gateway, with just a bit of research.
When choosing your payment gateway provider, you should consider the following factors:
- Customer Support
- Customer experience
Now let’s go over how you should be thinking about these before you choose your payment gateway.
The pricing structure for each payment gateway is probably the first thing you’ll take into consideration when choosing your payment gateway and that’s understandable – you don’t want to spend too much on a method of receiving money from your customers after all! Make sure that the payment gateway fits your budget but also make sure not to go for the cheapest option, as you’ll often miss out on important features.
Most payment gateways differ in pricing however many of them share a common set of costs. You’ll find that most payment gateways have some or all of the following fees:
- Set-Up Fee – this is usually a one time fee, and can be small or large depending on the payment gateway
- Monthly Fee – this is a running cost which is charged monthly to the merchant, usually between £10 and £50
- Transaction Fee / Transaction Rate – this is what you’ll be charged for each transaction, either a flat fee or a percentage of the transaction amount. This varies for each payment gateway, but will typically be no more than £0.25 or 5% of the transaction.
Generally if you process a larger number of transactions then a lower transaction rate or transaction fee will be more important to you than a low monthly fee – so also take that into consideration.
Since payment gateways handle extremely sensitive personal information on your customers, you’ll want to ensure that the system you choose has all of the necessary security measures in place.
Not only will it be very bad news if your website gets compromised due to an insecure payment gateway, you may also find that fewer people are willing to use your website if it’s not properly secured. Virtually every payment gateway has high levels of security now, so there’s no excuse for choosing an insecure one!
As we detailed earlier in the article, you should be looking for the following in any payment gateway that you might be using:
- PCI DSS Compliance
- SSL Certificate
A bit of common sense goes a long way here as well – make sure to never choose a payment gateway which has a dodgy website or seems suspicious!
At some point while managing your eCommerce website, you may run into technical issues with your payment gateway. Most payment gateways are robust and well designed however none are without flaws, and when something does go wrong, you want to make sure that helpful customer support is on hand to help you out.
Check that the payment gateway provider has a working contact number that you can call in case of emergencies. Ideally you’ll want them to be based in your own country, or an English speaking country, however this will depend on where you are based.
Make sure that their support team is readily available at short notice, whether that’s through a live chat system on their website, or a ticket system. You don’t want to get no reply when something goes wrong with your payment gateway.
A good way of checking how good a payment gateway provider’s customer support is, is to check their reviews. Any poor customer support will likely be reflected in bad reviews from unhappy customers, and good customer support might be praised in good reviews.
Another major consideration is whether you need your payment gateway to be offsite, or onsite – meaning whether your payment gateway should be fully hosted on your site, or the customers should be taken to the payment gateway provider’s website to complete the transaction.
The type of payment gateway you’ll need will depend entirely on your own eCommerce website’s requirements. Many websites can manage fine with an offsite gateway, however in some instances you may need to choose an onsite gateway.
If for example, if you have a more premium website where you don’t want to redirect customers to a different website to process transactions, then an onsite payment gateway would be more suitable for you.
One last consideration you should make when choosing your payment gateway is how good the customer experience will be, or in other words, the ease of use.
Luckily most payment gateways are relatively easy to use nowadays, with many providing very simple and straightforward interfaces for your customers to navigate through. Payment gateways like PayPal and Stripe have very easy to use systems, with mobile applications available for Android and Apple.
You’ll find the overwhelming majority of payment gateways are easy to use and intuitive, so there’s no excuse for choosing a shoddy payment gateway which your users can’t navigate!
Although we’ve covered all the basics of payment gateways systems, it’s worth mentioning a few final things to take into consideration before choosing your payment gateway.
While these next few points aren’t absolutely essential, they will certainly help you make the most informed decision you can.
Some payment gateways require you to set up a merchant account before you can receive any funds from transfers through your website. This doesn’t apply to all payment gateways but having a merchant account can be beneficial in a few other ways, so it’s worth looking into.
A merchant account is a type of account which allows for merchants to receive funds from customer transactions. A merchant account is different to a bank account – a merchant account is simply a place where money is deposited by the payment gateway, and you have no control over the account like you would with a regular bank account.
Typically a payment gateway will deposit funds from completed transactions through your website into your merchant account first. The merchant account would then transfer money to your business bank account on a specific schedule.
3D Secure (3DS) is a newer security system aimed at providing the highest level of authentication for high-risk transactions, in order to prevent fraudulent payments and increase customer confidence.
3D Secure works by redirecting the customer to the debit/credit card provider’s website before completing the transaction – similar to an offsite payment gateway. The difference is that the customer will need to enter a password or authentication code which will be setup with their bank account.
Once the correct details have been provided, the payment will be approved by the card provider and the customer will finally be redirected back to the merchant’s website.
This new form of authentication is already commonplace and adds an additional layer of security to your eCommerce website, which helps to further protect your customers.
The EU has recently introduced a new legislation, along with GDPR, aimed at encouraging safer payment service s and enhancing online security, called the EU Payments Services Directive (PSD2). PSD2 is intended to make cross-border payments easier, as well as increase the security, efficiency, and ease of sending payments.
There are several key requirements of PSD2, the main requirements being Strong Customer Authentication (SCA) and Strong Customer Identity Verification (SCeID). The two work together to provide a strong authentication system for sending payments over the internet. Failure to adhere to these requirements can result in penalties, as set by national regulators.
SCA – Strong Customer Authentication is a two-factor authentication method used for remote access to customer accounts and online payments. When authentication is required, two of the following three factors will be applied:
- Something the customer is
- Something the customer has
- Something the customer knows
SCeID – Strong Customer Identity Verification is another method of verifying a customer’s identity before completing transactions, using strong digital identity verification solutions.
If you’re a small startup or newly established business then you may have found it challenging to compare the different payment gateways and make a decision – hopefully with our guide, you’ll be fully equipped to make the most informed choice possible.
Many of the payment gateways will have all the features you need, but some are designed for specific scenarios. Certain payment gateways provide better transaction rates, extra features, or a higher level of control.