What is a payment gateway, and how does it work?
In an era marked by digital transformation, South Africa’s business landscape has seen a significant surge in online commerce. Central to this evolution are payment gateways, which facilitate seamless and secure online payments between customers and merchants.
The term ‘payment gateway’ is not well known outside of the world of payments, but many of us use them every day. Without them, commerce on the internet would be slower, more expensive and less safe.
A payment gateway is a technology that enables and securely processes online payments made through websites, mobile apps or any other type of digital platform.
Payment gateways are the digital equivalent of point-of-sale terminals, where customers might insert a card (or, increasingly, tap) in order to pay. They form the bridge between the digital store and its payments infrastructure.
A payment gateway acts as the intermediary between the merchant and the customer, ensuring that essential payment information is transmitted securely and allowing for the smooth completion of a transaction.
Using a payment gateway can offer a number of benefits for businesses and their customers. For example:
- Access to more customers/payment options: the basic promise of a payment gateway is that it offers access to more payment methods. This creates a virtuous cycle, as the increased number of options leads more customers to choose to shop at a particular store, meaning the store has a larger pool of potential customers to sell to.
- Greater security: payment gateways globally are required to meet strict security standards, such as PCI DSS. As a result, businesses and customers that use payment gateways benefit from strong protections. Gateways also often incorporate fraud prevention technology to further protect customers.
- Better control of payments: payment gateways offer businesses more streamlined settlement of payments and allow for automated billing and transaction management, giving businesses far more visibility and control of their cash flow.
Here’s an overview of how a payment gateway typically works:
1. Customer initiation. The customer initiates an online payment and is taken to a checkout flow or page where they choose their preferred payment method (e.g. Pay by bank, credit or debit card, manual EFT, cash, debit order, etc.). This payment page is either entirely hosted by the merchant’s chosen payment gateway, or certain fields in a merchant-hosted page are encrypted and the information is securely passed on to the payment gateway.
2. Data encryption. The payment gateway encrypts the payment information provided by the customer, ensuring that sensitive data – like credit card numbers, for example – can’t be intercepted by bad actors.
3. Authorisation request. The encrypted payment information is sent from the merchant’s website or app to the payment gateway. The gateway then transmits the information to the appropriate payment processor for authorisation. In the case of card payments, this processor – or acquirer – is typically a financial institution or bank licensed to accept card payments.
4. Authorisation process. The payment processor verifies the customer’s payment details, checks for available funds, and performs various fraud checks. If everything balances, the processor sends an authorisation code to the payment gateway.
5. Transaction approval. The payment gateway receives the authorisation code from the payment processor and informs the merchant that the transaction has been approved. At this stage, the customer should see a confirmation on the merchant’s site or app indicating that the payment was successful.
6. Funds settlement. Authorised funds are then transferred from the customer’s account to the merchant’s account. This process involves the payment processor and the merchant’s acquiring bank. Settlement times tend to vary depending on the payment method and financial institutions involved.
7. Payment confirmation. The payment gateway sends a confirmation to both the customer and the merchant, providing details of the completed transaction, essentially acting as a receipt of funds sent and received.
The majority of these processes are invisible to the customer and occur almost instantaneously. Below is an example of the conventional process for an online card transaction.
Types of payment gateways
Payment gateways can come in a number of different forms, each with their own particular advantages. Here are the main types:
Hosted payment gateways
As the name suggests, a hosted payment gateway redirects customers to the payment processor’s own platform to complete the transaction, before redirecting them back to the merchant’s site.
These place less of a PCI compliance burden on the business, and so are ideal for smaller businesses that do not want to handle sensitive payment information directly or design their own unique payments flow. However, redirecting to another platform adds a layer of friction to the process, which can have an impact on conversion.
Self-hosted payment gateways
With self-hosted gateways, the transaction occurs directly on the merchant’s platform: the merchant collects the payment data and then sends it to the payment gateway. This offers more control over the checkout experience, but places more responsibility on the merchant for security and PCI compliance.
API-hosted payment gateways
Similar to a self-hosted gateway, API-hosted gateways allow merchants to integrate the gateway’s payment processing capabilities directly into their platform via API, allowing for a seamless user experience. Like self-hosted gateways, however, this does place a higher compliance and security burden on the merchant.
Local bank integration
A local bank integration connects the merchant’s platform with a local bank’s payment system. The customer completes the payment on the bank’s system and is redirected back to the merchant’s site afterward. This offers a simple option for businesses and customers who prefer dealing with their local bank, but brings severe limitations in both the payment options available and the merchant’s ability to scale across geographies. It also requires the business to manage these direct integrations with all the banks in a particular market, which requires significant development and financial management resources.
Direct post
A direct post payment gateway sends the payment data directly from the customer’s browser to the payment gateway, bypassing the merchant’s servers entirely. This allows the merchant to reduce their PCI compliance burden while still offering a custom experience. However, this can raise security concerns on the customer’s side.
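The direct-post property described above can be checked on a merchant's own checkout markup. The following is an added example, not code from the original article or from any gateway: it confirms that every form carrying card fields submits straight to the gateway over HTTPS. The hostnames `gateway.example` and `shop.example`, the field names and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed names for illustration; not taken from any real gateway or merchant.
GATEWAY_HOST = "gateway.example"
PAGE_URL = "https://shop.example/checkout"
CARD_FIELDS = {"card_number", "cvv", "expiry"}
# Constructed sample markup: one direct-post form, one that routes via the merchant.
DIRECT_POST = ('<form action="https://gateway.example/v1/charge" method="post">'
               '<input name="card_number"><input name="cvv"></form>')
VIA_MERCHANT = ('<form action="/pay" method="get">'
                '<input name="card_number"><input name="cvv"></form>')

class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and input names."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": set(),
                             "method": (a.get("method") or "get").lower()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].add(a["name"])
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_direct_post(html, page_url=PAGE_URL, gateway_host=GATEWAY_HOST):
    """List reasons card fields on this page would not go straight to the gateway."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        card = sorted(form["fields"] & CARD_FIELDS)
        if not card:
            continue  # form carries no card data
        # A missing or relative action resolves against the merchant's own page.
        target = urlsplit(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append(f"{card} sent over {target.scheme}")
        if target.hostname != gateway_host:
            findings.append(f"{card} posted to {target.hostname}, not {gateway_host}")
        if form["method"] != "post":
            findings.append(f"{card} submitted with {form['method'].upper()}, exposing values in the URL")
    return findings
```

A non-empty result means card data would reach the merchant's own servers or travel in a URL, which brings the merchant back into the PCI scope that direct post is meant to reduce.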
Unpacking the difference between a payment gateway and an acquirer
Payment gateways and acquirers both play crucial roles in the payment processing ecosystem, but they serve distinct functions in facilitating online transactions.
In brief, payment gateways focus on securely transmitting payment data and managing the customer-facing aspects of online transactions, while acquirers handle the back-end processes of transaction authorisation, funds collection and settlement between the merchant’s bank and the customer's bank.
A deep dive into payment gateways and their function
A payment gateway acts as an interface between the merchant’s website or app and the payment network, transmitting payment information from the customer to the acquiring bank or payment processor for authorisation and settlement. You can think of it as an online payment portal.
A merchant might integrate a payment gateway into their website or app to enable online transactions, leveraging APIs and plugins to add payment processing functionality to their platforms and to enable a better user experience for their customers when making a secure payment.
The payment gateway handles the front-end part of the transaction, encrypting and securely transferring a customer’s payment data to the payment processor for approval. Once approved, the payment gateway informs the merchant and customer about a successful transaction.
Payment gateway solutions are critical in safeguarding sensitive payment data during the transaction process. They use encryption and adhere to other industry security standards (PCI DSS compliance, 3D-Secure, MFA, etc.) to protect against data breaches and unauthorised access.
Importantly, payment gateways are responsible for providing a smooth and user-friendly payment experience to a merchant’s customers. Customisable checkout pages and support for multiple methods are important features for merchants to consider when choosing which payment gateway to integrate.
A deep dive into acquirers and their functions
An acquirer, also known as a payment processor or merchant bank, is a financial institution responsible for processing payment transactions on behalf of the merchant. It receives authorised transaction data from the payment gateway, collecting funds from the customer’s account before settling them into the merchant’s account.
The acquirer verifies the payment data received from the payment gateway, authorises the transaction and ensures that the customer has sufficient funds. Once authorised, the acquirer initiates the settlement process to transfer the funds from the customer’s account to the merchant’s account.
Acquirers establish relationships with merchants to provide them with the necessary tools and services for accepting electronic payments. They often provide online payment processing solutions, support for various methods and, in the case of brick-and-mortar commerce, physical point-of-sale (POS) terminals.
Acquirers are also responsible for managing and mitigating fraud and chargeback risks associated with online transactions. They implement various security measures and fraud detection systems to protect both the merchant and the customer.
Lastly, acquirers are responsible for settling the funds from completed transactions into the merchant’s bank account.
The difference between hosted and non-hosted payment pages
As mentioned earlier, in the payment gateway process, merchants have the option of integrating hosted or non-hosted payment pages within their platform.
In the case of a hosted page or hosted payment gateway, the customer is redirected to the payment gateway’s hosted page to fill in their payment details. This method is generally easier and faster to integrate but removes some control from the merchant regarding the payments experience a customer might receive.
With non-hosted or white-labelled pages, the customer is able to complete a secure payment without leaving the merchant’s website by entering their payment details into secure and encrypted fields. These pages typically feature fewer steps and no redirects, and may be presented in the merchant’s branding, which can improve conversion.
In both instances, with Stitch, customers can choose whether they’d like to have their details saved for future transactions, allowing for a more seamless, one-click payment experience when they return.
Payment gateways in South Africa
Some of the most well-known payment gateways globally include the likes of PayPal, Stripe, and Square, to name a few. But with the rapid growth of e-commerce, we’re beginning to see more demand for payment gateways in South Africa that match the experiences these established businesses offer, elevating the role Stitch plays in the ecosystem.
For businesses operating in or looking to expand to South Africa, choosing the best payment gateway is dependent on a number of factors like the size of your business, monthly payment processing volumes and the various types of payment methods your customers are more likely to use, among others.
Here are some of the key factors to consider when choosing an online payment gateway solution in South Africa:
- Available payment methods. South African consumers are incredibly discerning when it comes to online payment methods, and have come to expect their preferred payment method to be available. Whilst the vast majority make use of card or bank transfers, the ability to pay in cash for a digital product or service is also in high demand.
- Hosted or non-hosted payment pages. The ability to keep your brand at the forefront and leverage your credibility and brand recognition is a valuable feature when it comes to ensuring trust and loyalty among your customer base. By choosing to white-label a checkout flow, you can avoid redirecting your customers to another website’s payment page, and enjoy higher conversion rates.
- Security and fraud standards. It’s crucial to ensure the payment gateway you choose adheres to industry standards when it comes to the security of any transaction made through your platform. Look out for PCI DSS certification and other security measures such as multi-factor authentication, secure data management and 3D-Secure payments, which all work together to keep you and your customers safe.
- Recurring billing. For recurring or subscription-based businesses, the payment gateway you choose needs to be equipped to handle the complexities associated with recurring billing. This entails the secure storage of customer details, automatically charging for payments on agreed-upon schedules, fallbacks for failed transactions and more.
- Intuitive UI/UX. A payment gateway’s user interface should be clean, easy to understand and almost unnoticeable. It exists as a guide to help the customer easily and securely execute a payment, free of any barriers or unnecessary information, and should aim to reduce the number of steps needed to complete a transaction.
- Transaction reporting. Access to data, detailed reports and analytics related to your transactions is important to enable continuous optimisation. The best payment gateway API for your business will offer robust reporting and data.
- Simple integration process. The process for integrating a payment gateway is highly dependent on the gateway, as well as which functionality you’re looking for (i.e. hosted or non-hosted). For enterprises, a successful process would require collaboration between your own in-house development team and that of the payment gateway.
In South Africa, some of the most popular payment gateways available include Stitch, Moment, dLocal and Cellulant – but there are many others also available to choose from depending on what specific businesses need.
The Stitch payment gateway for South Africa
At Stitch, our client support and technical integration teams work closely with client teams to co-develop bespoke and customised payments solutions and reduce the time it takes to integrate. We leverage deep connections across the entire payments stack to power seamless access to financial systems, resulting in higher reliability and better performance.
The Stitch payment gateway is designed to reduce failed online payments and streamline payment operations. Our API is built on GraphQL for faster and simpler queries, enabling businesses to seamlessly integrate with their front end. For businesses looking to leverage hosted pages, our native UI has been crafted to drive conversion and boost retention.
Our payments products – including Card, Pay by bank, Debit Order, Manual EFT, Cash and Payouts – are designed to cater to the needs of South African enterprises and their customers, regardless of how they choose to pay or disburse funds.