What is a Payment Gateway & How it Works [Step by step guide]

When you Google — Payment Gateways, there are at least 20-30 articles. But, the problem with these articles has been in the details department. Most of the articles only cover the basic flow of how a payment gateway works. 

There is a lack of articles that cover the intrinsic and detailed aspects of a payment gateway. 

Therefore, we have written this article to cover payment gateways in detail. It elaborately explains how a payment gateway works, the various components and how the best PG performs.

So without further ado, let’s get started.

What is a Payment Gateway?

A payment gateway is a merchant service or platform that provides any online retailer — eCommerce, SaaS businesses, online aggregators, and more — that authorizes payments via myriads of options like cards (debit and credit), digital wallets, UPI and more. 

Traditionally payment gateways in India were provided by banks in the early 90s. But, since the late 90s, private 3rd party corporations have entered the foray. Today, most organizations rely on these third-party providers to collect payments from their customers and disperse payments to vendors and employees. 

A traditional payment gateway works with these entities as shown below –

Participants in a transaction Role 
Issuer – Financial Institution that issues cards (Visa/MasterCard) to customers —  account holders or cardholders.Manages cardholder participation and activation in Verified by Visa, or SecureCode by MasterCard; validates cardholder at the time of each online purchase; provides digitally signed response to the merchant for each authenticated transaction. Issuers also have responsibility for the authentication experience of their cardholders. 
Cardholder – The account holder of the debit or credit card.Uses the card to pay for purchases over the internet or other PoS. The cardholder activates the card once for 2-factor authentication like 3-D secure, Verified by Visa or SecureCode by MasterCard. 
Acquirer – The Financial institution (banking accounts, payfacs)  that contracts with merchants for acceptance of debit and credit payment cards.
Registers merchants for card networks (Visa and MasterCard) and ensures that merchants originating online transactions are operating under a merchant agreement with the acquirer in accordance with the rules and technical requirements for the card network program. 
Merchant – Offers merchandise, software or service at a website, mobile app or so, and accepts payments from a cardholder who makes purchases over the internet.Operates software to support a 3-D secure program like Verified by Visa and SecureCode by MasterCard. This software is referred to as Merchant Plug-In (MPI).
The Merchant might develop their own solution or obtain a system from 3rd party payment facilitators like Cashfree to accept payments from its customers. 
Card Networks – Card infrastructure providers like Visa and MasterCardVerifies issuer’s authentication results. Routes authorization requests to issuers and sends responses to acquirers for return to merchants. 

As said, this is a traditional structure of a payment gateway. Different parties having their own set of rules and regulations to oversee that each and every transaction undergoes securely and conveniently, in seconds. 

How is a payment made using Payment Gateway in India?

Before we look into how a payment gateway works, we need to acquaint ourselves with the various software entities involved in a card-based transaction/purchase on an online retailer.

Payment Gateway Architecture–The Different Software Components


The section covers the basic flow which has three overall steps. And, uses three different parties to ensure that payment goes through within a few minutes in a completely secure and seamless fashion.

The payment gateway works under the 3D secure authentication protocol, which has 3 components. 

3D secure is an XML-based protocol designed by Visa, that adds an additional security layer for online card transactions. This protocol has been adopted by other leading global card networks like MasterCard, American Express, and more. 

The ‘D’ in 3D-Secure stands for ‘domain’, and there are 3 of them — the acquiring domain, the issuing domain and the interoperability domain that links the former two, together.

Here are their function in a 3D-Secure payment gateway — 

  • Issuer Domain – Access Control Server (ACS) — The issuing domain is where the issuing bank operates. They issue cards to cardholders, who then use the cards to make a purchase via online services. The issuing bank deploys a server known as the access control server (ACS). It’s used to receive 3D secure messages, process the messages and authenticate the card user and the transaction.
  • Interoperability Domain – Directory Server (DS) — The interoperability domain consists of the Directory Server that’s deployed by the card network. It can be considered the foundation holding the entire 3D-secure mechanism together. The directory server is used as a ‘directory’ for the acquiring bank and issuing bank to transact money between each other. As the name suggests the directory serves as a mapping server where acquiring banks sends a message to the card network’s DS. It holds the “directory” of all the BIN ranges of the corresponding issuing banks. The Directory Server will receive the message from the MPI and check the card number against the BIN range directory. After which, it forwards that message onto the correct issuing bank. The issuing bank would then proceed with authenticating the card user.
  • The Acquiring Domain – Merchant Plug-In (MPI) — The acquiring domain is where the payment gateway and acquiring banks sit. They initiate the transaction, which they wish to be authenticated. In order to do so, entities in acquiring space need to deploy a “merchant plug-in”, also known as “MPI”.
  • Payment Switch – Payment Switch could be thought of as an independent entity that facilitates communication between various entities in a payment process, the ones mentioned above. The payment gateway uses a switch exclusively to communicate with various stakeholders during a payment procedure. It is expected to be highly reliant, have great performance, and versatile, as it has to process a variety of payments gazillion times a day. It facilitates the processing of real payments between providers and accepts the request for payment. Payment switch also understands which providers it needs to process with, formats the message for that provider and sends it to them, gets a response, changes the response to a generic format and sends the response back to the caller.

Step 1: Card Authentication

The first step in a transaction is to authenticate the cardholder’s account number and see if it is a part of the issuer’s card which is in the range of the 3D secure platform.

The merchant server software communicates with the card network to confirm if the card is valid and a part of the 3D-secure platform (secret code, or one-time passwords). These are the following steps when it comes to card authentication –

Message TypeDescription
Verification Request (VEReq)The merchant server plug-in (MPI) sends a VEReq message to the card network’s directory server which forwards it to the appropriate issuer ACS to determine whether the card is valid and enrolled in the 3D secure program or not. 
Verification response (VERes)The card network directory returns a VERes message to the MPI, indicating whether the card is valid or not as well as enrolled in the 3D-Secure Program. 
These messages are — 
Y = Authentication Available – Cardholder is enrolled, Activation During Shopping is supported, or proof of attempted authentication available. The merchant uses the URL of issuer ACS included in VERes to create the Payer Authentication Request.
N = Cardholder Not Participating – Cardholder is not enrolled.
U = Unable to Authenticate or Card Not Eligible for Attempts (such as a Commercial or anonymous Prepaid card).
Error Messages This message is shared by the card network’s directory server when the merchant is unable to provide the appropriate credentials.

These errors can be –
50 – Acquirer is not participating in the 3D secure program
51 – Merchant not participating
52 – Password is missing
53 – Incorrect Password
54 – Incorrect Common Name Value in the client certificate

Step 2: Payer Authorization

After verifying the card is legit and can participate in the 3D-Secure program, the actual process of payer authentication takes place for each online purchase.

Here, the Payer Authentication Request/Response (PAReq/PARes) are sent from the merchant plug-in to the Access Control Server to initiate the actual authentication. At this point in the process, cardholders’ CVV will be verified.

The Access Control Server (ACS) will perform authentication and, if successful, generate an Accountholder Authentication Value (AAV). It is returned to the merchant within the PARes message. For successfully authenticated transactions and Attempts, this AAV must be sent by the merchant to the acquirer and forwarded to the issuer as part of the authorization request. ACS providers should provide AAV values for all attempts (PARes = A) when the cardholder is not enrolled or declines activation in addition to the fully authenticated (PARes = Y) transaction status.

There can be various authentication results as following by the Issuer’s ACS –

Authentication determined by Issuer’s ACSTransaction status value
Authentication Successful
The issuer has authenticated the transaction successfully by entering the right CVV and other identification parameters
Authentication Failed
The cardholder’s password (or other authentication information) failed validation, thus, the issuer is not able to authenticate the cardholder.

The following are reasons for authentication failure:
Cardholder fails to correctly enter the authentication information within the issuer-defined number of entries (possible indication of the fraudulent user).

Cardholder “cancels” authentication page.

Merchants are not permitted to submit these transactions for authorization processing. 
Authentication could not be performed

The issuer ACS is not able to complete the authentication request – possible reasons include: 

Card type is excluded from attempts (such as a Commercial Card or an anonymous Prepaid Card) 

ACS not able to handle authentication request message 

ACS is not able to establish an SSL session with cardholder browser 

System failure that prevents proper processing of the authentication request 

Merchants may proceed with the above purchases as non-authenticated and retain liability if the cardholder later disputes making the purchase. These are non-Verified by Visa electronic commerce transactions.

When the PARes has a U and an Invalid Request Code of 55, this indicates that the Account Identifier in the PAReq did not match the value returned by the ACS in the VERes. Merchants must view this as an invalid transaction.

Once these steps are finalized, the payment authorization takes place. The merchant sends a request to the acquirer, also known as the payment aggregator, for example, Cashfree. The acquirer now submits the request to the credit card issuing party – account holder’s bank. 

The issuer reviews the request and decides if enough funds exist to cover the purchase of the customer. If they do, the authorization is made, the funds are deducted, in case of a debit card or credit line is adjusted for the amount of the sale.

At this time, a transaction code is shared with the MPI, which then is analyzed for successful or unsuccessful authorization. If the authorization is successful, the merchant can now move to the last step of the payment –capture.

Step-3: Capture

Credit and Debit card capture is the last part of a transaction via a payment gateway. It takes place after a payment undergoes successful authorization. It’s when the authorized money is transferred from the customer’s account to a merchant’s account. So, in short, the transaction amount doesn’t reach the merchant account until the funds are captured.

Post the authorization the card network tells the MPI and the issuer that the card is authorized. After which, the transaction can take place, and the funds can be transferred from the customer’s account to the merchant’s account.

AS discussed above, the authorization bit deducts the credit line or account balance, so the money is ready to be dispatched to the merchant’s account.

There is a given time-frame set between an authorization and capture, with leading payment solutions providers like Cashfree, the settlement for debit cards can take between T+1 days, and usually in the standard procedure, debit cards take 3-4 days for the capture process to be completed. For credit cards, the usual cycle is between 4-28 days. 

Transactional capture happens in 2-ways: 

  1. Automatically – This is the most common scenario. It’s when the credit/debit card capture is automatically sent by the merchant’s acquiring bank on behalf of the merchant. This negates the condition that the merchant has to manually put in a request for fund capture, and the funds are immediately captured after the authorization takes place.
  2. Delayed –  The merchant requests the ability to control when the funds are transferred to his or her account. If the request isn’t sent under the authorization period, the authorization expires and capture fails. This is most common for Paypal, where the money is released only after the customer receives their goods or services.

What are Payment Gateway Responsible for?

here are some additional responsibilities the befall a payment gateway, and might not be limited to — 

  • Manages the merchant’s switch configurations – Defines a sub-merchant ID for each merchant payment configuration. And, communicates with the payment switch using this ID to validate transactions.
  • Merchant’s transaction roles – defines limitations for merchant’s transactions. e.g the minimum and maximum amount a merchant can transact from a card in a day, restrict transactions from credit cards issued from a particular region, etc.
  • Manages the merchant’s 3D secure configurations – As discussed above, the payment gateway communicates with the card-network with the help of payment switch. It checks if the cardholder is enrolled for the 3DS, then the related MPI will then lookup in Card’s directory services and the returns response to the payment gateway.
  • Process Payments – makes a request to the payment switch to process payments and receives results and returns to the customer.
  • Sends payment records – Receipts and confirmation to merchant and customers
  • Encryption and Security – Ensuring that no data is leaked as financial data is extremely sensitive.


So this is how a payment gateway works, there are multiple people, and parties involved in a payment that takes just a few seconds to go through. If you have any further queries regarding Payment Gateways, please do share them in the comment section below. 

Also, do checkout Cashfree’s payment gateway. It’s one of India’s premier payment gateway solutions. It accepts over 120+ payment modes such as cards, UPI, digital wallets and more.