E-commerce – How payment gateways work

Tablet on desk with Payment gateway on the screen

As an e-commerce business owner, payment gateways are the means by which you receive your business’s income. When you understand how they work, it helps you to make the best decisions for your business and for your customers.

What is an e-commerce payment gateway?

A payment gateway authorizes the transfer of funds between buyers and sellers. It allows your e-commerce site to request money from a customer’s bank for products or services that they have purchased. Assuming it is approved, the payment is then securely transferred to your bank.

Why is it important to understand how a payment gateway works?

When setting up a payment gateway on your own eCommerce site, you will need to make several decisions. Two of the most important revolve around the type of merchant account you choose and ensuring that your customers’ payments are secure. We will discuss these in more detail below. Let’s first look at how the process of ordering and paying on a website actually happens.

The payment gateway process flow

Although there will obviously be slight changes to the process on occasion, for example when refunds or charge-backs are involved (and it’s worth educating yourself on those too), most transactions happen like this:

1. At checkout, merchant’s website sends encrypted payment details to payment gateway

  • The customer browses your site on their laptop or phone, places their selection in their shopping cart and then proceeds to checkout.
  • As part of the check-out process, they may be asked to confirm their order and fill in their billing and shipping information.
  • They submit the order by pressing ‘order’ or ‘pay now’.
  • The customer’s web browser encrypts the payment information and this is then sent to your web server. The process is carried out via Secure Socket Layer (SSL) encryption, which requires you as the merchant to have a full SSL certificate.
  • The gateway app on your website then forwards the transaction details, again using SSL encryption, to your payment gateway.
  • At this point the payment gateway takes over.


Source: created by Comalytics

2. Payment gateway sends request to customer’s bank for authorisation

  • The payment gateway sends the encrypted transaction information to the payment processor used by your bank (the “acquiring bank”).
  • The processor then forwards this to the customer’s card association, for example, MasterCard or Visa.
  • The card association routes the transaction to the bank that issued the card to the customer.
  • The customer’s bank receives the request and checks that the funds available to the customer can cover the amount requested.
  • The customer’s bank responds to the payment processor with a code that indicates whether the request is approved or declined (and if it is declined, the reasons why).
  • This response is then sent from the payment processor back to the payment gateway.
  • The payment gateway forwards this response to your website, which in turn interprets it and passes it on both to you as the merchant and to the customer who is checking out.
  • Remarkably, this entire process happens in 2 – 3 seconds.

3. If payment was authorised, the customer’s bank pays the merchant

  • If the customer’s payment is approved, you send the authorisation, via the payment processor again, to your (“the acquiring”) bank, as part of a batch, which gets processed.
  • Your bank deposits all the approved funds either into your merchant account or into the aggregated merchant account belonging to your payment gateway.
  • From that merchant account, the payment is then made into your business bank account.

Important considerations for your payment gateway

As we’ve mentioned, when you set up a payment gateway, you will have some choices to make. Let’s look at two very important aspects of this.

1. The merchant account

A merchant account is a transition account that temporarily holds payments from credit card sales. It is transferred from here into your business account.

The merchant account is designed to protect both the consumer and the credit card companies. So, for example, if a business does not deliver what was ordered, the customer can be refunded from the money held in the merchant account.

Some payment gateway packages require that businesses set up their own merchant accounts and others will offer the option of using the gateway’s aggregated merchant account.

Two factors to consider:

It takes time and effort to set up your own merchant account and you will be paying a set-up fee and monthly fees. Using the payment gateway’s merchant account will save you time and money, but you will probably be paying higher individual transaction fees. You may find it makes sense to use the joint account if you are a small start-up with fewer transactions. As your business grows, consider setting up your own merchant account, but do the calculations to determine the best option for your business.

Cash flow
By definition, there is a delay between when payments go into a merchant account and when you actually receive it in your business account. The delay will vary depending on your choices of payment gateway and merchant account option. Make sure you know exactly what to expect so you can allow for it.

Read more about the fees you have to consider in our blog about How to choose the best e-commerce payment gateway for your business.

2. Security of payment details

There is always some risk involved in making online payments, both for customers and for merchants. The key is to do what you can to help customers feel safe, while taking care of your obligation to protect their details.

There are essentially three issues to look out for and understand whether you or the payment gateway is responsible:

  1. Secure Socket Layer (SSL) – which the merchant is responsible for
  2. Payment Card Industry Data Security Standard (PCI DSS) – which the entity storing customer payment details are responsible for and
  3. 3D Secure – this method is now used by all South African payment gateways and banks, so no obligation on your side. However, do investigate further if you are using international entities.

These three issues are explained in the examples below:

Receiving and sending customer payment details
A SSL ensures that when you send payment details to the payment gateway, they are encrypted and secure. Make sure that your website development company can provide a SSL certificate for your full site – not just your shopping cart. Further, display your SSL badge or logo on your site and specifically at check-out – see the Takealot example below. Assure the customer that their details are safe.

Take-alot secure page

A web page using SSL will display:

  • “https://” instead of “http://” before the website’s address in the browser’s address bar
  • A padlock icon will appear in the address bar of the browser before the address.

Naturalwise secure page

Storing customer payment details
The Payment Card Industry Data Security Standard (PCI DSS) specifies how sensitive customer information needs to be dealt with.

When designing your check-out process, you have several options for where customers enter their banking details. This could happen:

  • Directly on your site: This will give your customer a seamless experience, but you will be liable for the security of their data and will have to comply with PCI DSS; or
  • On a page belonging to a third party, usually your payment gateway: Your payment gateway will have to comply with PCI DSS (which most of them do), but the downside of this option is that your payment page may look very different from your site, which may scare customers off.


  • If you are using a 3rd party page, ensure the check-out pages look as close as possible to the rest of the pages on your website. Ask your Payment Gateway if you can ‘customise’ their payment page in other words. Not all of them offer this option.
  • Ask your website development company to explain i-frame options to you – which will help a lot in creating a seamless experience.

Processing the transaction
All e-commerce transactions are essentially card-not-present payments, and must therefore make use of 3D Secure. This protects the customer from credit card fraud by asking them to submit a one-time PIN or password during checkout. There is not much to do on the merchant’s side, just be aware of this process and ensure your chosen partners use this method as it cuts down drastically on fraud.

The bottom line…

Although the process may at first glance appear quite complex, it’s important to understand exactly how payment gateways work. Do your calculations and due diligence well as you consider your options, so you make the best choices for your business.

Contact us for Payment Gateway integrations or for customer references who are already using excellent Payment Gateways on our platform.

Also, read our other blogs about Payment Gateway:

1. Increase your sales by offering the right e-commerce payment methods,
2. E-commerce payment gateways – what works best?.

Share this content!

Use us to change your game

Get in touch for a free consultation today

Stay informed! Visit the SA Department of Health's website for COVID-19 updates: www.sacoronavirus.co.za