Understanding secure payment gateways

Checkout Process: eCommerce Guide

A secure payment gateway is the online equivalent of a physical credit or debit card machine. It plays an essential role in the checkout process by establishing a secure connection between your eCommerce website, your merchant account and the issuer of the card that the customer has used to make their payment.

It is responsible for authorising the payment and transferring the money from the customer’s account into your own. It also performs any additional security steps that the card issuer may require, such as Visa’s 3-D Secure system which verifies the card user’s identity by asking them to enter a password.

When a customer clicks to confirm their purchase, the secure payment gateway communicates the encrypted payment details between the different financial parties involved in the transaction over a secure Internet connection.

Once it has permission to take the funds, the payment gateway provider will effectively take the money from the customer’s account and deposit it in your merchant account. In most circumstances, authorisation of payment simply depends on whether the customer has sufficient funds or available credit on their account.

The payment gateway provider then also takes its charge for processing the transaction.

Although it performs a series of complex steps behind the scenes, all the customer generally sees is a simple message asking them to wait until the process is complete, followed by another message confirming whether or not the transaction was successful.

Once the payment gateway has processed the payment, your own system takes over again and completes the order by sending out an order confirmation email and initiating the new order process in your back office.

Types of authorisation

The payment gateway does not always take the funds as soon as it has authorised the payment. For example, the merchant may wish to check that they are able to fulfil the order before they go ahead and take the money.

For this reason, authorisation of an online card payment can be of three different types, depending on the nature of the payment or the set-up that suits the merchant best.

  • Authorisation and capture: The most common type of card authorisation, where the payment is authorised and collected in a single step.
  • Authorisation only: The payment is authorised, the customer’s available credit is reduced by the payment amount and the money is set aside for you for a specified period of time. Once you are in a position to fulfil the order you would then complete the transaction by capturing the payment.
  • Recurring payment authority: This authorises you to take payment on an ongoing basis. It is an alternative to direct debit as a way to collect regular payments for subscription-based products and services.
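To make the difference between the first two authorisation types concrete, here is an added toy model of the issuer-side credit hold behind them (example code written for this guide, not the code or API of any gateway named on the page). The CardAccount and Authorisation types, the seven-day hold window and amounts in pence are assumptions for illustration; recurring payment authority is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Authorisation:
    amount: int                # authorised amount in minor units (e.g. pence)
    authorised_at: datetime
    hold_days: int             # how long the issuer keeps the funds set aside
    captured: int = 0
    released: bool = False     # hold closed: fully captured or expired
    def expires_at(self) -> datetime:
        return self.authorised_at + timedelta(days=self.hold_days)

@dataclass
class CardAccount:             # constructed toy issuer-side view of one card
    available: int             # credit not currently held or spent
    holds: list = field(default_factory=list)

def authorise(card: CardAccount, amount: int, now: datetime, hold_days: int = 7) -> Authorisation:
    # Authorisation only: check available credit and set the funds aside.
    if amount <= 0 or amount > card.available:
        raise ValueError("declined: insufficient available credit")
    card.available -= amount
    auth = Authorisation(amount, now, hold_days)
    card.holds.append(auth)
    return auth

def capture(auth: Authorisation, amount: int, now: datetime) -> int:
    # Collect some or all of an open authorisation; returns the amount settled.
    if auth.released or now > auth.expires_at():
        raise ValueError("hold expired or closed: re-authorise before capturing")
    if amount <= 0 or auth.captured + amount > auth.amount:
        raise ValueError("capture exceeds authorised amount")
    auth.captured += amount
    auth.released = auth.captured == auth.amount
    return amount

def authorise_and_capture(card: CardAccount, amount: int, now: datetime) -> Authorisation:
    # The common case: authorise and collect in a single step.
    auth = authorise(card, amount, now)
    capture(auth, amount, now)
    return auth

def release_expired(card: CardAccount, now: datetime) -> int:
    # Issuer housekeeping: hand back credit for holds that lapsed uncaptured.
    lapsed = [a for a in card.holds if not a.released and now > a.expires_at()]
    for a in lapsed:
        a.released = True
        card.available += a.amount - a.captured
    return len(lapsed)
```

The checks in capture are the ones a merchant integration trips over in practice: capturing more than was authorised, or capturing after the hold has lapsed, both require a fresh authorisation.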

PCI compliance

Essentially every vendor that accepts card payments online must abide by a set of international guidelines known as the Payment Card Industry Data Security Standard – more commonly referred to as the PCI standards.

They are designed to protect consumers from credit card fraud and cover a comprehensive range of security issues, such as data encryption, system vulnerability, user authentication, firewalls and antivirus protection.

Under the guidelines, you are required to scan your payment processes for PCI compliance on a regular basis, reporting and fixing any identified potential security threats.

All aspects of your eCommerce operation that are involved in the processes of taking payments must meet the PCI standards, including your secure payment gateways and website hosting provider.

Your own specific requirements for PCI compliance depend on the size of your business, the type of cards you accept, such as MasterCard and Visa, and the way in which your site is integrated with your payment gateway.

What you need to consider

You need to research your choice of secure payment gateway carefully, as there are significant differences between them. Each offers a different payment structure, which may or may not be economical for your own eCommerce business, as well as different features and levels of customer support.

There are fundamentally two different types of secure payment gateway available on the market:

Proprietary bank payment gateway: These are run by the major banks and include RBS WorldPay, HSBC Secure ePayments and Barclays ePDQ. Most tie you in to their own merchant bank, although this does make things slightly simpler as there are fewer parties involved in taking payments.

Standalone payment gateway: These aren’t tied to any specific bank, thereby allowing you the flexibility to choose any merchant bank you like. And with some you do not need a merchant bank at all. Standalone gateways that are widely used in the UK include SagePay (formerly known as Protx), Netbanx, PayPal and Google Checkout.

With standalone payment gateways, the level of customer service is broadly considered to be much better than you would expect to find with a bank. However, bank-based gateway providers may sometimes be able to offer you better terms, depending on your own relationship with the bank.

Rapid Web Services is fully compliant with all the latest Payment Card Industry standards and regularly scans all of the payment services it provides for PCI compliance.