So, how does a payment gateway work? What is a payment gateway anyway?


We created this blog to explain what a payment gateway is and how it works in detail.

And when we use the term ‘detailed’, we don’t play around. Then, let’s begin!

What is a Payment Gateway?

A payment gateway is a platform that allows any online business to accept payment. It can offer payment options like cards (debit and credit), digital wallets, UPI and more. 

Now, these online businesses are known as merchants. They can range from eCommerce industries to any SaaS businesses. 

Traditionally, payment gateways in India were provided by banks in the early 90s. But, since the late 90s, private third-party corporations have entered the fray.

Today, most organizations integrate with these third-party payment processors to collect payments from their customers. Similarly, they can also help to disburse payments to vendors and employees. 


Example of Payment Gateway

How can we explain what a payment gateway is in the easiest way possible?

We use an analogy of course!

So, let’s say that you are a furniture manufacturer that needs to ship products to distant areas.

Here, the train makes the transport possible. Similarly, your payment gateway makes payments possible.

Just like the train, the payment gateway ensures the safe transfer of your payment details to the acquiring bank


Now that we have understood what a payment gateway is, let’s check how it works.

But for that, let’s figure out the players working alongside a payment gateway making credit card processing possible.

Players Involved in Online Payment Processing

A traditional payment gateway works with 5 major players. 

So, here’s what they are and what they do. 

The Issuer or Issuing Bank

Financial institution that issues cards (Visa/MasterCard) to customers — account holders or cardholders.

Role of the Issuer

  1. Manages cardholder participation and activation in the 3-D Secure service (Verified by Visa or SecureCode by MasterCard)
  2. Validates cardholders at the time of each online purchase
  3. Provides digitally signed responses to the merchant for each authenticated transaction
  4. Also holds responsibility for the authentication experience of their cardholders

Cardholder or Customer

The account holder of the debit or credit card.

Role of the Cardholder

  1. Uses the card to pay for purchases over the internet or other PoS
  2. The cardholder activates the card once for 2-factor authentication like 3-D secure, Verified by Visa or SecureCode by MasterCard

Acquirer

The financial institution (banking accounts, payfacs) that contracts with merchants to accept debit and credit card payments.

In simple terms, this bank holds the merchant’s account.

Role of the Acquirer

  1. Registers merchants for card networks (Visa, RuPay and MasterCard, etc.)
  2. Ensures that merchants are operating under a merchant agreement with the acquirer. This agreement should be according to the rules and technical requirements for the card network program

Merchant or Business

Offers merchandise, software or service at a website or mobile app. The business merchant accepts payments from a cardholder who makes purchases over the Internet.

Role of the Merchant

  1. Operates software to support a 3-D secure program like Verified by Visa and SecureCode by MasterCard. This software is referred to as Merchant Plug-In (MPI)
  2. The Merchant may either develop their own solution or integrate with PGs like Cashfree Payments to accept payments from its customers

Card Networks 

Card infrastructure providers like Visa and MasterCard.

Role of the Card Networks

  1. Verifies the authentication results of the issuer
  2. Also routes authorization requests to issuers and sends responses to acquirers for return to merchants

Therefore, all these players interact with each other to make online payment processing possible. 

However, there is one thing you must know when it comes to payment gateways in India.

Different players have their own set of rules and regulations. This ensures that every transaction goes through securely and conveniently.

Now, let’s come to the next logical question.

So, how does a payment gateway work?

Well, there are two ways of going about it. We can either concisely answer this or in detail. 

Or we can also do both!


How Payment Gateway Works?

We have already covered the players involved in online payment processing. 

Then, let’s head straight to the answer. 

  1. First, a customer enters their card details on the business site. It may have a hosted payment gateway or a self-hosted payment gateway

    Then, the payment gateway encrypts and tokenizes the payment details. The details include card numbers, VPA in UPI, CVV number, etc.
  2. The payment gateway then forwards the payment information to the Acquiring Bank and does it through a payment processor
  3. Now the Acquiring Bank forwards the information to the card networks. For instance, Mastercard, Visa, American Express, RuPay, etc. These card networks run a fraud check and forward the information to the Issuing Bank
  4. The Issuing Bank authorizes the payment and checks fund availability. If the customer has enough funds, the Issuing bank sends a positive response to the card networks
  5. The card company relays the message to the Acquiring Bank
  6. Finally, the payment gateway forwards the status of payment to the merchant and the customer
  7. In case the payment is approved, the Acquiring Bank requests the funds from the Issuing Bank. The Payment Aggregator receives the funds and then settles them with the merchant

    The settlement can be instant or standard, as per the pre-decided agreement. 

Well, this was the concise version of how a payment gateway works. 

However, if you want to understand the concept in detail, read on!

So, first, to understand what a payment gateway is, we need to understand the payment gateway architecture.

Let’s dive in. 

What is Payment Gateway Architecture? The Different Software Components

So, what are the various software entities involved in online payment processing? 

Well, it goes something like this. 

The section covers the basic flow which has three steps

A payment gateway uses 4 different parties to ensure that payment goes in a completely secure and seamless fashion. 

And that too, in a matter of minutes!

The payment gateway works under the 3D secure authentication protocol, which has 3 components. 

But what is a 3D secure payment gateway?

3D Secure is an XML-based protocol that adds an additional security layer for online card transactions.

Visa designed this protocol which other leading global card networks like MasterCard, American Express, and more have also adopted.

The ‘D’ in 3D-Secure stands for ‘domain.’ 

Naturally, there are 3 of them — the acquiring domain, the issuing domain and the interoperability domain.

The interoperability domain links the former two together.

Here is their function in a 3D-Secure payment gateway.

Issuer Domain – Access Control Server (ACS) 

The issuing domain is where the issuing bank operates

They issue cards to cardholders, who use them to buy products and services online.

The bank deploys a server known as the access control server (ACS). ACS helps to receive 3D secure messages, process the messages and authenticate the card user and the transaction.

Interoperability Domain – Directory Server (DS)

The interoperability domain consists of the Directory Server deployed by the card network

It can be considered the foundation holding the entire 3D-secure mechanism together.

The directory server acts as a ‘directory’ for the acquiring and issuing banks to transact money with each other. 

As the name suggests, the directory serves as a mapping server: acquiring banks send a message to the card network’s DS.

It holds the ‘directory’ of all the BIN ranges of the corresponding issuing banks. The Directory Server will receive the message from the MPI and check the card number against the BIN range directory. 

Thereafter, it forwards that message to the correct issuing bank. The issuing bank would then proceed with authenticating the card user.

The Acquiring Domain – Merchant Plug-In (MPI) 

The acquiring domain is where the payment gateway and acquiring banks sit

They initiate the transaction, which they wish to be authenticated. 

In order to do so, entities in the acquiring space need to deploy a ‘merchant plug-in’, also known as ‘MPI’.

Payment Switch 

You can think of Payment Switch as an independent entity that facilitates communication between all these players

The payment gateway uses a switch exclusively to communicate with various stakeholders during a payment procedure. 

It is expected to be highly reliable, perform well, and be versatile, as it has to process a variety of payments a gazillion times a day.

The payment switch:

  • Facilitates the processing of real payments between providers and accepts the payment request
  • Understands which providers it needs to process with
  • Formats the message for that provider and sends it to them 
  • Gets a response 
  • Changes the response to a generic format and sends the response back to the caller

Now that we covered these steps, let’s check out how they interact to make online payment processing possible!

How Payment Gateway Works? Detailed Version For Experts

Step 1: Card Authentication

The first step in a transaction is to authenticate the cardholder’s account number and see if it falls within an issuer card range that participates in the 3D Secure platform.

The merchant server plug-in (MPI) communicates with the card network to confirm if the card is valid.

Moreover, it checks if the card is a part of the 3D-secure platform (secret code, or one-time passwords). 

These are the following steps when it comes to card authentication.


Steps of Card Authentication

Message Type: Verification Request (VEReq)
Description: The merchant server plug-in (MPI) sends a Verification Request message to the card network’s directory server (DS). The DS forwards it to the appropriate issuer bank’s ACS to determine whether the card is valid and enrolled in the 3D Secure program or not.

Message Type: Verification Response (VERes)
Description: The card network directory returns a Verification Response to the MPI, indicating whether the card is valid and enrolled in the 3D-Secure program. The possible values are:

  • Y = Authentication Available – Cardholder is enrolled, Activation During Shopping is supported, or proof of attempted authentication is available. The merchant uses the URL of the issuer ACS included in VERes to create the Payer Authentication Request.
  • N = Cardholder Not Participating – Cardholder is not enrolled.
  • U = Unable to Authenticate or Card Not Eligible for Attempts (such as a Commercial or anonymous Prepaid card).

Message Type: Error Messages
Description: This message is shared by the card network’s directory server when the merchant is unable to provide the appropriate credentials. These errors can be:

  • 50 – Acquirer is not participating in the 3D secure program
  • 51 – Merchant not participating
  • 52 – Password is missing
  • 53 – Incorrect Password
  • 54 – Incorrect Common Name Value in the client certificate
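As an added example (not code from Cashfree or any card network), this shows how a directory server could answer a VEReq: it checks the merchant's credentials against error codes 50 to 54 from the list above, then maps the card's BIN to the issuer's ACS. The dictionary message shape, BIN ranges, IDs, password and URLs are constructed; the order of the credential checks and returning N for a BIN outside every range are assumptions.

```python
import hmac
from bisect import bisect_right

# Constructed directory data: (first BIN, last BIN, issuer ACS URL), sorted by first BIN.
BIN_RANGES = [
    (400000, 400999, "https://acs.issuer-a.example/pareq"),
    (510000, 510499, "https://acs.issuer-b.example/pareq"),
]
RANGE_STARTS = [r[0] for r in BIN_RANGES]

# Constructed acquirer and merchant registrations held by the DS.
ACQUIRERS = {"ACQ01"}
MERCHANTS = {
    "M-1001": {"acquirer": "ACQ01", "password": "constructed-secret",
               "cert_cn": "mpi.shop.example"},
}

def check_merchant(req):
    """Return one of the error codes 50-54, or None when the credentials pass."""
    if req.get("acquirer_id") not in ACQUIRERS:
        return 50  # Acquirer is not participating in the 3D Secure program
    merchant = MERCHANTS.get(req.get("merchant_id"))
    if merchant is None or merchant["acquirer"] != req["acquirer_id"]:
        return 51  # Merchant not participating
    if not req.get("password"):
        return 52  # Password is missing
    # Constant-time comparison so response timing does not leak the password.
    if not hmac.compare_digest(req["password"].encode(), merchant["password"].encode()):
        return 53  # Incorrect password
    if req.get("client_cert_cn") != merchant["cert_cn"]:
        return 54  # Incorrect Common Name value in the client certificate
    return None

def lookup_acs(pan):
    """Return the ACS URL of the issuer whose BIN range holds this card, or None."""
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        return None
    bin6 = int(pan[:6])
    i = bisect_right(RANGE_STARTS, bin6) - 1   # last range starting at or below bin6
    if i >= 0 and bin6 <= BIN_RANGES[i][1]:
        return BIN_RANGES[i][2]
    return None

def handle_vereq(req):
    """Build a simplified VERes (a dict) for a simplified VEReq (a dict)."""
    error = check_merchant(req)
    if error is not None:
        return {"error": error}
    acs_url = lookup_acs(req.get("pan", ""))
    if acs_url is None:
        return {"enrolled": "N"}   # assumption: BIN is in no participating range
    # In the real flow the DS forwards the VEReq to this ACS, which decides Y/N/U per card.
    return {"enrolled": "Y", "acs_url": acs_url}
```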

Step 2: Payer Authorization

After verifying that the card is legit and can participate in the 3D-Secure program, the actual process of payer authentication takes place for each online purchase.

Now, remember that this is payer authorization as opposed to the card authentication in the previous step. 

It can be confusing as the players remain the same even though the function changes. 

Instead of the Verification Request and Response (like in the first step), the MPI uses the Payer Authentication Request/Response (PAReq/PARes).

Here, the merchant plug-in sends the PAReq to the Access Control Server to initiate the actual authentication, and the ACS answers with the PARes.

At this point, the cardholders’ CVV will be verified.

The Access Control Server (ACS) will perform authentication and, if successful, generate an Accountholder Authentication Value (AAV).

It is returned to the merchant within the PARes message. 

ACS providers should provide AAV values for all payment attempts to the Issuer.

There can be various authentication results by the Issuer’s ACS. For instance:

Possible Authentication-Results:

Transaction Status value: Y
Authentication determined by Issuer’s ACS: Authentication Successful
The issuer has authenticated the transaction successfully after the right CVV and other identification parameters were entered.

Transaction Status value: N
Authentication determined by Issuer’s ACS: Authentication could not be performed
The issuer ACS is not able to complete the authentication request – possible reasons include:

  • Card type is excluded from attempts (such as a Commercial Card or an anonymous Prepaid Card)
  • ACS is not able to handle the authentication request message
  • ACS is not able to establish an SSL session with the cardholder browser
  • System failure that prevents proper processing of the authentication request

Merchants may proceed with the above purchases as non-authenticated and retain liability if the cardholder later disputes making the purchase. These are non-Verified by Visa electronic commerce transactions.
When the PARes has a U and an Invalid Request Code of 55, this indicates that the Account Identifier in the PAReq did not match the value returned by the ACS in the VERes. Merchants must view this as an invalid transaction.

Transaction Status value: U
Authentication determined by Issuer’s ACS: Authentication could not be performed
The issuer ACS is not able to complete the authentication request – possible reasons include:

  • Card type is excluded from attempts (such as a Commercial Card or an anonymous Prepaid Card)
  • ACS is not able to handle the authentication request message
  • ACS is not able to establish an SSL session with the cardholder browser
  • System failure that prevents proper processing of the authentication request

Merchants may proceed with the above purchases as non-authenticated and retain liability if the cardholder later disputes making the purchase. These are non-Verified by Visa electronic commerce transactions.
When the PARes has a U and an Invalid Request Code of 55, this indicates that the Account Identifier in the PAReq did not match the value returned by the ACS in the VERes. Merchants must view this as an invalid transaction.
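As an added example (not Cashfree's or any MPI vendor's code), the function below shows how a merchant integration could turn the VERes and PARes outcomes described above into one decision, so that only a Y result carrying an AAV is ever sent on as authenticated. The dictionary fields, including the hypothetical signature_valid flag standing in for verification of the issuer's digital signature, are assumptions, as are proceeding unauthenticated on a VERes of N or U and rejecting any PARes status other than Y or U.

```python
def evaluate_3ds(veres, pares=None):
    """Merchant-side decision after Step 1 (VERes) and Step 2 (PARes).

    Returns (decision, reason). decision is 'authenticated' (send the AAV with
    the authorization request), 'unauthenticated' (merchant retains liability)
    or 'reject' (do not send for authorization).
    """
    if "error" in veres:
        return ("reject", "directory server error %s" % veres["error"])
    enrolled = veres.get("enrolled")
    if enrolled in ("N", "U"):
        # Assumption: no PAReq is sent, so the purchase can only go on unauthenticated.
        return ("unauthenticated", "VERes enrolled=%s" % enrolled)
    if enrolled != "Y" or not veres.get("acs_url"):
        return ("reject", "malformed VERes")
    if pares is None:
        return ("reject", "enrolled card but no PARes received")
    if not pares.get("signature_valid"):
        # The issuer signs its responses; an unverified PARes proves nothing.
        return ("reject", "PARes signature not verified")
    status = pares.get("status")
    if status == "Y":
        if not pares.get("aav"):
            return ("reject", "status Y without an AAV")
        return ("authenticated", "issuer ACS authenticated the cardholder")
    if status == "U":
        if pares.get("invalid_request_code") == 55:
            # Account Identifier in the PAReq did not match the one from the VERes.
            return ("reject", "account identifier mismatch (code 55)")
        return ("unauthenticated", "ACS could not complete authentication")
    # Anything else, including N, is handled conservatively (assumption of this example).
    return ("reject", "not authenticated (status %r)" % status)

# Constructed sample exchanges: (label, VERes, PARes).
ENROLLED = {"enrolled": "Y", "acs_url": "https://acs.issuer-a.example/pareq"}
SAMPLES = [
    ("success", ENROLLED, {"status": "Y", "aav": "CONSTRUCTED-AAV", "signature_valid": True}),
    ("forged", ENROLLED, {"status": "Y", "aav": "CONSTRUCTED-AAV", "signature_valid": False}),
    ("acs down", ENROLLED, {"status": "U", "signature_valid": True}),
    ("code 55", ENROLLED, {"status": "U", "invalid_request_code": 55, "signature_valid": True}),
    ("not enrolled", {"enrolled": "N"}, None),
    ("bad password", {"error": 53}, None),
]

def run_samples():
    """Return {label: decision} for the constructed samples."""
    return {label: evaluate_3ds(veres, pares)[0] for label, veres, pares in SAMPLES}

if __name__ == "__main__":
    for label, decision in run_samples().items():
        print("%-13s -> %s" % (label, decision))
```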

So, once these steps are finalized, the payment authorization takes place. 

The merchant sends a request to get access to funds from the acquirer. Then, the acquirer submits the request to the Issuing bank. 

The issuer reviews the request and decides if enough funds exist to cover the purchase of the customer. 

If they do, the authorization is made and the funds are deducted in the case of a debit card, or the credit line is adjusted for the amount of the sale.

At this time, a transaction code is shared with the MPI, which then is analyzed for successful or unsuccessful authorization. 

If the authorization is successful, the merchant can move to the last payment step – capturing funds.

Step-3: Capture

Credit and Debit card capture is the last part of a transaction via a payment gateway. It’s when the authorized money is transferred from the customer’s account to a merchant’s account

It takes place after a payment undergoes successful authorization. 

Essentially, the transaction amount doesn’t reach the merchant account until the capturing of funds.


Post the authorization:

  1. The card network tells the MPI and also the issuer that the card is authorized
  2. Thereafter, the payment can take place. So, the funds are transferred from the customer’s account to the merchant’s account
  3. The authorization bit deducts the credit line or account balance. Hence, the money is ready to be dispatched to the merchant’s account

There is a given time frame set between authorization and capture. Usually in the standard procedure:

  • Debit card settlements can take 3-4 days. 
  • For credit cards, the usual cycle is between 4-28 days. 

However, leading payment systems for eCommerce providers like Cashfree Payments only take T+1 days.

Transactional capture happens in 2 ways:

  1. Automatically: This is the most common scenario. It’s when the merchant’s acquiring bank automatically sends the credit/debit card capture on behalf of the merchant.

    This removes the need for the merchant to manually put in a request for fund capture. So, the funds are immediately captured after the authorization takes place.

  2. Delayed: The merchant requests the ability to control when the funds are transferred to his or her account.

    If the merchant/merchant’s acquiring bank doesn’t send the request within the authorization period, the authorization expires and capture fails.

    For example, this is most common for PayPal, where the money is released only after the customer receives their goods or services.
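As an added example (not Cashfree's implementation), the code below models the two capture modes described above and the rule that a delayed capture fails once the authorization period has passed. The 7-day period, the amounts in paise and the function names are constructed, and it additionally assumes a single capture of at most the authorized amount.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed value: the real authorization period is set by the acquirer and card network.
AUTH_PERIOD = timedelta(days=7)

class CaptureError(Exception):
    """Raised when a capture request must be refused."""

@dataclass
class Authorization:
    auth_id: str
    amount_minor: int                      # authorized amount in minor units (paise)
    authorized_at: datetime
    captured_minor: Optional[int] = None   # None until funds are captured

    @property
    def expires_at(self):
        return self.authorized_at + AUTH_PERIOD

def capture(auth, amount_minor, now):
    """Capture funds against an authorization, refusing anything it does not cover."""
    if auth.captured_minor is not None:
        raise CaptureError("already captured")          # no double capture
    if now >= auth.expires_at:
        raise CaptureError("authorization expired")     # delayed capture came too late
    if not 0 < amount_minor <= auth.amount_minor:
        raise CaptureError("amount outside the authorized amount")
    auth.captured_minor = amount_minor
    return auth

def authorize(auth_id, amount_minor, now, automatic=True):
    """Record an authorization; in automatic mode the capture follows immediately."""
    auth = Authorization(auth_id, amount_minor, now)
    if automatic:
        capture(auth, amount_minor, now)
    return auth

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)      # constructed timestamp
    held = authorize("AUTH-2", 50000, t0, automatic=False)
    try:
        capture(held, 50000, t0 + timedelta(days=8))
    except CaptureError as exc:
        print("capture refused:", exc)
```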

Thus, this was the complete breakdown of what a payment gateway in eCommerce is and how it works. 

But we bet you still have some queries. 

So, let us help you in the FAQ section. 

FAQs about What is Payment Gateway?

What is the payment gateway in eCommerce responsible for?

Here are all the responsibilities of a payment gateway –

  • Manages the merchant’s switch configurations – Defines a sub-merchant ID for each merchant payment configuration. Moreover, it communicates with the payment switch using this ID to validate transactions.
  • Merchant’s transaction roles – Defines limitations for merchant’s transactions. For instance, the minimum and maximum amount a merchant can transact from a card in a day, restrict transactions from credit cards issued from a particular region, etc.
  • Manages the merchant’s 3D secure configurations – As discussed above, the payment gateway communicates with the card network with the help of a payment switch.

    It checks if the cardholder is enrolled in 3DS. Then the related MPI looks up the card network’s directory services and returns the response to the payment gateway.
  • Process Payments – Makes a request to the payment switch to process payments, receives the results and returns them to the customer.
  • Sends payment records – Receipts and confirmations to merchants and customers.
  • Encryption and Security – Ensuring that there is no data leakage as financial data is extremely sensitive.

What are the different types of payment gateway?

Payment gateways can be clustered under two main categories –

On the basis of Provider:

  • Bank Payment gateways 
  • Third-party payment gateways like Cashfree Payments

On the basis of Payment flow:

  • Hosted Payment Gateway: It redirects the customer to the payment gateway’s page for entering payment details. It also allows easy integration where the payment gateway provider handles the PCI DSS compliance. 
  • Self-Hosted Payment Gateway: The customer remains on the payment page hosted by the merchant and enters information. Therefore, it offers higher control over the customer payment experience.
  • Off-Website Payment Gateway: Payment instruments like QR codes, payment links and Excel sheet payments. 


What are payment gateway charges?

Payment gateway charges differ from one provider to another. 

The pricing of your payment gateway can fluctuate depending on:

  1. The type of payment mode
  2. The pricing of your provider
  3. The type of settlement (instant or standard) 
  4. The payment instruments used (off or on website options)

What is payment gateway integration?

You need to integrate your website or app with your payment gateway to accept payments.

Now, most leading providers offer detailed integration guides and SDKs. Moreover, they offer integration instructions in all major languages.

Your payment gateway integration will depend on your type of integration (seamless or normal checkout) as well as your OS. 


What is Payment Gateway vs Payment Processor vs Merchant Account?

  • A payment gateway encrypts/tokenizes the payment details. It also communicates the payment info between acquiring bank and the merchant
  • A payment processor communicates the payment details and responses between card networks and Issuing and Acquiring banks
  • The merchant account is a business bank account. Therefore, the merchant receives the settlement from the acquiring bank here


Conclusion

So this is how a payment gateway works. There are multiple people and parties involved in a payment that takes just a few seconds to go through. If you have any further queries regarding Payment Gateways, please do share them in the comment section below.

Also, check out Cashfree’s payment gateway. It’s one of India’s premier payment gateway solutions. It accepts 120+ payment modes such as cards, UPI, digital wallets and more.
