Payment gateways enable merchants to accept credit card payments online and in their physical store, but finding a provider that’s both convenient and minimizes the risk of hackers accessing your customer’s sensitive banking information can feel overwhelming.
With so many options, which payment gateway provider is the best fit for your retail business?
In this article, we’re going to teach you how in-store and online payment gateways work, payment gateway security standards and how to pick a payment gateway provider that offers merchants and consumers maximum convenience and minimal risk.
- What is a payment gateway?
- Types of payment gateways
- Payment processors vs. payment gateways
- How does a payment gateway work?
- Payment gateway security standards
- Types of payment gateway fees
- How to pick a payment gateway provider
Let’s get started!
What is a payment gateway?
A payment gateway is a technology that a merchant uses to accept debit or credit card purchases from its customers. Payment gateways include the physical card-reading devices and payment terminals found in-store as well as the payment processing portals used for online transactions.
How payment gateways are evolving
The landscape of payments is constantly changing and companies have to adapt to newer technologies such as cryptocurrencies and digital wallets. Buyers now have more ways to pay than ever before.
Brick-and-mortar payment gateways have started accepting payments through digital payment distribution services like Apple Pay, Google Pay and Samsung Pay thanks to near field communication (NFC) technology. This technology allows customers to make contactless payments.
Emerging technologies include cryptocurrency gateways, which facilitate crypto payments between customers and merchants. These gateways help legitimize crypto payments in the eyes of merchants because many aren’t comfortable with accepting this type of payment, which is typically anonymous and decentralized. With a gateway, merchants can feel more at ease because there’s a third party facilitating the transaction.
Types of payment gateways
There are four types of payment gateways: hosted, self-hosted, local bank integration and API hosted. Let’s take a quick look at each of them:
1. Hosted payment gateway
This is a third-party gateway that redirects the customer from the merchant’s website checkout to the payment provider’s page to input their payment information there. After that, they are directed back to the merchant’s page to finish the transaction. PayPal is a popular hosted payment gateway.
Hosted payment gateways are popular partly because they are very secure. However, they provide limited flexibility in terms of checkout. Merchants don’t have any control over the customer’s experience—and some customers don’t like being taken to external pages during checkout.
2. Self-hosted payment gateway
With a self-hosted payment gateway, merchants control the checkout process from start to finish. Customers input their payment details directly on the merchant’s site rather than being redirected to a third-party page, as with a hosted gateway. The merchant then collects and encrypts their credit card information and sends it to the gateway.
With these types of payment gateways, your site is automatically PCI compliant (Lightspeed Payments is one option).
These payment gateways provide flexibility because merchants can control the customer’s experience. It’s more user-friendly for customers to remain on the merchant website for checkout, and it is faster overall.
This is a great option for growing businesses, and for those with a high volume of transactions. Integrated payment gateways are always more user-friendly—not to mention they simplify workflows and back-end processes to save merchants time.
3. Local bank integration gateway
A local bank integration gateway also redirects the customer, this time to a bank’s website, where they input their payment details and information. Then they are redirected back to the merchant’s site.
This payment gateway is simple to set up, but it isn’t as commonly used because the checkout experience tends to be low quality. Not only do merchants have no control over the checkout process, but this gateway also isn’t suitable for businesses looking to scale.
4. API-hosted gateway
An application programming interface (API) gives merchants total control over the payment process. A customizable interface allows merchants to process payments and control front-end workflows to create a specific checkout experience. The drawback? Merchants are responsible for securing customer data and ensuring that they are PCI compliant, which can be tough to maintain for busy merchants.
Payment gateways vs. payment processors
A payment processor (like PayPal) facilitates a transaction, whereas a payment gateway (like Payflow) either approves or declines transactions between a merchant and their customers.
Payment gateways capture and verify customers’ credit card information and then send it to the payment processor if they pass the verification process.
Plus, every online transaction (card-not-present) requires both a payment processor and a payment gateway. The case isn’t the same for in-person (card-present) transactions: those require a payment processor, but a payment gateway isn’t always necessary. However, most brick-and-mortar businesses use a payment gateway.
How does a payment gateway work?
A payment gateway helps authorize and process transactions between retail merchants and their customers, online and in-store.
Payment gateways encrypt sensitive payment information (like the credit card number). This guarantees that the information is transferred securely between the customer and the merchant. Here’s a breakdown of how payment gateways work:
- Step 1: A customer either places an order online or completes a transaction at a merchant’s physical store.
- Step 2: The payment gateway then securely transfers the transaction information to the acquiring bank (either the merchant bank or the acquirer).
- Step 3: The payment gateway determines which credit card provider (Visa, Mastercard, American Express, etc.) issued the buyer’s card.
- Step 4: The payment gateway routes transaction information (credit card and banking information, the transaction amount, etc.) to the correct payment switch.
- Step 5: The payment switch then sends the transaction request to the issuing bank and sends the transaction information to the credit card’s network.
- Step 6: The issuing bank runs the transaction through its fraud detection procedure to see whether or not the transaction is legitimate. They also confirm whether or not the buyer has enough available credit to make the purchase.
- Step 7: The issuing bank either approves or declines the transaction, and sends that information back through the credit card network to the merchant bank and payment gateway.
Payment gateway security standards
There are several security standards that payment gateways must adhere to, most notably around data encryption and PCI compliance.
Data encryption
Payment gateways encrypt data using Secure Sockets Layer (SSL), or in current deployments its successor, Transport Layer Security (TLS), to protect the buyer’s sensitive banking information before the transaction is sent through the credit card’s network. This encryption ensures that the buyer’s credit card information is unreadable in transit, making it difficult for malicious agents, fraudsters and hackers to access it while it’s transferred between the different parties in the payment process.
PCI compliance
PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards created to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment to protect both the consumer and the merchant.
PCI compliance is very important for a business—there’s no operating without it. You’re working with extremely sensitive data, and need to keep customer protection at top of mind at all times.
In many cases, retail merchants build their payment processing systems using solutions from several different companies. They may use one company’s payment terminals, payment gateways from another and a point of sale system from yet another.
While each of those three solutions may individually be PCI compliant, that doesn’t guarantee that, when all three are used in tandem, the merchant is PCI compliant. That’s because PCI compliance also includes how merchants connect all of their payment processing systems together and how they manage their customers’ data.
So how can you ensure that your business is 100% PCI compliant?
- Ensure that your point of sale system and credit card terminals are up to date—they must meet current security standards
- Use an internet router that is encrypted and password-protected
- Train your employees about PCI compliance
- Install privacy software and firewalls on your network
- Don’t store cardholder data
Above all, the easiest way to ensure you’re 100% PCI compliant is to work with a payment gateway or processor that handles PCI compliance for you. These companies are up to date on security standards, meaning you don’t have to worry about not meeting security requirements—it’s all done for you.
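To make the "Don’t store cardholder data" item concrete, and to show the card-network lookup from Step 3 of the gateway flow, here is an added example (not Lightspeed’s code) that scans log lines for card numbers, confirms them with the Luhn checksum, names the network from the leading digits and masks the number. The log lines are constructed, only Visa, Mastercard and American Express prefixes are covered, and the first-six/last-four masking format is an assumption of this example.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Constructed sample log lines using well-known test card numbers.
SAMPLE_LOG = [
    "2024-01-05 12:00:01 checkout order=1234567890123456 status=ok",
    "2024-01-05 12:00:02 DEBUG payload card=4111 1111 1111 1111 exp=12/30",
    "2024-01-05 12:00:03 DEBUG pan=378282246310005",
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_network(digits: str) -> str:
    """Name the network from the leading digits (three common ranges only)."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "visa"
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55
                              or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if len(digits) == 15 and digits[:2] in ("34", "37"):
        return "amex"
    return "unknown"

def mask(digits: str) -> str:
    """Keep the first six and last four digits (assumed masking format)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_line(line: str):
    """Return (redacted_line, [(network, masked_number), ...]) for one log line."""
    findings = []
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):          # order IDs and similar fail the checksum
            return m.group()
        findings.append((card_network(digits), mask(digits)))
        return mask(digits)
    return CANDIDATE.sub(repl, line), findings

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan_line(line))
```

The 16-digit order ID in the first line is left alone because it fails the Luhn check, which keeps false positives down when scanning real logs.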
Types of payment gateway fees
It’s always important for merchants to do their research on pricing before jumping into a contract with a payment gateway or processor.
It’s not always straightforward—here are some fees to know about when you’re about to work with a payment gateway:
- Transaction fees: Most payment gateways charge transaction fees, usually ranging from 1.5%-3.5% plus a fixed fee (typically between $0.10-$0.50). Knowing your average monthly transaction volume can help determine whether a gateway’s transaction fees are feasible for you.
- Monthly fees: You can find gateways that don’t charge monthly fees, but some do charge a fixed fee every month. It can range from $10-$50.
- Chargeback fees: When a customer initiates a chargeback, the acquiring bank charges your business (if the chargeback is deemed to be legitimate).
- Interchange fees: These fees are set by card networks like Visa and Mastercard. Every time customers make a purchase with their debit or credit card, merchants must pay a small fee.
Your payment gateway should be up-front about any potential fees.
How to pick a payment gateway provider
When you use different providers for payment processing, payment gateways and ringing up sales, there’s more room for bad actors to take advantage of potential vulnerabilities.
Lightspeed helps retailers avoid this problem by providing an all-in-one point of sale system and payment platform, effectively eliminating the third parties. We capture your customer’s payment information at the point of sale (no manual reconciling necessary) and work directly with credit card payment gateways to safely and securely deposit those payments into your bank account.
Rather than needing to do your due diligence to see whether or not your third-party payment provider and payment gateway integrate with your retail point of sale system and online store, Lightspeed’s PCI-compliant integrated payment processing does all the heavy lifting for you.
Additionally, traditional third-party payment processors require retail merchants to open up their own merchant account (a unique bank account that may come with a lot of paperwork and associated fees), but with Lightspeed, Lightspeed becomes the merchant of record. We take full responsibility for maintaining a merchant account so you don’t have to. What that means is that all card payments are sent first to our shared merchant account, then safely forwarded to your business bank account.
Scale your business with integrated payments
Before you sign up with a third-party payment processing or gateway provider, do your homework. Find out if there are any hidden fees and make sure you understand how their solution fits in with your retail point of sale system. For example, if you’re using an online payment gateway for your online store and a physical payment gateway for your physical store, you want both third-party systems to send transaction data to your point of sale system to simplify your bookkeeping.
Whether you’re growing your retail business, opening a new location or just exploring credit card payments for the first time, you’ll benefit from having a crystal clear understanding of the different combinations of payment processors, merchant accounts, point of sale systems and payment gateway providers before you sign on the dotted line.
Integrated payment gateways give merchants the most freedom and flexibility—automated payments, a seamless checkout experience and fast transactions are crucial for a business to run smoothly.
With Lightspeed’s POS and Payments solution, merchants can drive efficiency across their entire business, all in one unified platform.