Summary: Payment gateways play a pivotal role in the online payment ecosystem, and using the wrong gateway to accept payments from your customers can send your entire payment process on a downward spiral. Picking a payment gateway that suits your business deserves more attention and articulation than you think. Learn how and why payment gateways play an integral role in making your cash-registers ring, and how you, as a merchant can help in it. (Psst! We’ve created a neat payment gateway evaluator tool to assist you as well, the link to which you’ll find at the end of the post.)
The world thrives on networks. And networks thrive on connections. And connections thrive because of middlemen.
In The Middleman Economy, Marina Krakovsky makes a case for why this under-appreciated function is more ubiquitous and indispensable than we realize. The internet, for instance, was lauded as the “universal middleman,” by Bill Gates in one of his bestsellers.
One of the middlemen I interviewed, the micro-VC Mike Maples, Jr., put it well when he pointed out that in our highly connected world, “things and entities that accelerate connections are going to be more valuable.” This is why Maples is bullish on so many Internet businesses, having made early investments in Twitter, Lyft, and TaskRabbit, among others. “That’s what a middleman does,” Maples says: “They connect nodes in a network to increase the value of the network.”
And in this post, we’ll be focusing on one particular middleman in the online payment industry, who has been tirelessly working behind the scenes to connect the buyer and the seller and facilitate transactions between them.
Online transactions demand security. Reliability. Dependability. And a payment gateway takes it upon itself to provide you with all that.
Let’s see how it pulls it off, and what your role, as a merchant (business owner) is, in the online payment network.
Payment gateways and the payment network – AKA the basics:
From a bird’s-eye view, in an online transaction, a customer sends money from their bank account to the online payment ecosystem, which then passes on the money to the seller’s bank account.
And the online payment ecosystem can be divided into three major clusters:
- Logic providers – Consider them as the sub-middlemen between you (the seller) and the payment gateway, linking both of you via API. They come in at different points of your billing logic, like sending payment notifications, handling checkout pages, managing your subscriptions, functioning as your virtual vault, etc.
- Payment gateways – These function as the main middlemen in the network and work with your merchant account (Tl;dr – a special bank account that a merchant will need to accept card payments) to enable you to charge your customers.
- Hybrids (or Payment Service Providers)– As the name implies, hybrids are a blend of logic providers and payment gateways, and make your billing job that much simpler. Think Stripe or PayPal. However, the catch here is that if you’re going to go with a hybrid, you might lose out on the flexibility to pick your payment gateway(s) or merchant account(s).
(Heads-up: Hybrids are new black, and it won’t take too long for them to take over the payment gateway scene. So we’ll be looking from the hybrids context for the rest of the post, for the sake of clarity. We’ll also be predominantly focussing on card payments while talking about the online payment process, as it is the most widely-used and most elaborate process of them all.)
Role of a payment gateway – AKA the job description:
In order to elucidate the role of middlemen, Krakovsky breaks down their six prominent roles, which fits the payment gateway context like a glove:
The Bridge: Reduces “physical, social, or temporal” distance.
Think of Uber. Or eBay. Or Kickstarter. They solely exist to bridge the passenger with the taxi, the seller with the buyer, and the maker with the investor.
A payment gateway falls bang in the middle of the payment processing system. It connects the buyer’s bank, the seller’s bank, the acquiring bank, and the issuing bank (bear with me on the jargons for now. By the end of this post, you’ll have befriended them all), irrespective of their physical, social, or temporal distance.
The Certifier: Ensures quality.
A headhunter is solely responsible for the quality of the candidates that she brings forth to the hiring table. Her reputation is on the line, and one bad apple can jeopardize her career. She has to vet each and every application thoroughly and must see to it that she only sends the best ones to the client.
Once a customer enters their card details, the payment gateway authenticates the card information, looks out for loose ends (if any), and gives a thumbs-up for the rest of the proceedings. In addition to this, a gateway also screens customer orders using an arsenal of anti-fraud tools, to well, prevent fraudulent activities.
The Enforcer: Ensures that all the participants work together as a team and derive value from the process.
An event planner’s job doesn’t end with connecting the clients with the vendors and service providers. She takes it upon herself to make sure that the clients receive the best service, that the vendors stick to their deadlines, and that the event takes place as smooth as silk.
The payment gateway sees to it that the customer enters valid payment-related information, that the issuing bank authorizes the transaction after verifying the customer’s credit/debit limit, that the acquiring bank transfers the right amount to the seller’s bank account. It assures the customer and the business that the right amount of money is moved from the right place to the right place at the right time.
The Risk Bearer: Minimizes uncertainties and well, risks.
Insurance companies charge their customers for bearing and minimizing risk. And they manage the risk by spreading out investments into diversified portfolios.
Security is one of the core components of payment gateways, which encrypt and tokenize sensitive information like credit card numbers, use HTTPS protocol to communicate data, and comply with security standards like the Payment Card Data Security Standard (PCI DSS – we’ll be going through this in detail a bit later).
The Concierge: Minimizes hassles.
You can either choose to take the difficult route of researching and coming up with your own itinerary for your vacation to a foreign country, or hire a travel agent who can set it up for you in no time, thanks to their domain expertise.
Payment gateways make online payments a breeze for both the buyer as well as the seller even if they’re on the opposite sides of the world, by reducing (if not eliminating) security risks and manual intervention, and bringing the processing time of online transactions down to a few seconds. Thanks to payment gateways, the seller will be able to find the funds in his account in just a couple of business days, with little to no effort from her side.
The Insulator: Keeps two parties apart and thereby improves their interactions.
By bringing themselves in between the two concerned parties, lawyers improve the quality of communication between them, enable strategic interactions, and help them in reaching a consensus faster.
You might be having the most sophisticated billing logic and an impeccable checkout experience in place for your customers. And in spite of all that, you will invariably reach a point where you’ll have no other option but to bring in a payment gateway in between you and your customer to complete a transaction. Why? Because it’s a much wiser trade-off to make, instead of spending your resources to meet the requirements of PCI DSS compliance (again, put a pin on this one. We’ve another section to talk about this). Think about it: would you rather toil on ensuring that your servers never get to touch your customers’ card details and storing your payment data, or just send the details over to a gateway that will securely handle them for you so that you can focus on perfecting your core product?
Summing it up, a payment gateway plays a predominant role in three activities:
- Authorize – Validate a customer’s card details, and give a thumbs-up for the rest of the proceedings
- Clear – Transfer the money from the customer’s bank account to the merchant’s bank account
- Report – Record the transactions, and share them with the parties concerned
Let’s see how this plays out in detail.
A day in the life of a payment gateway – AKA how stuff works:
For a conventional online transaction to come through, you’ll need the following participants to work together (Warning – Jargon Alert! But fear not, I’ve tried my best to save you from acute jargon overdose):
- Customer – The one who believes that a product deserves its price tag (in most cases, at least) and is willing to part with their hard-earned dough to get their hands on it.
- Business/merchant/you – The one who makes and sells the product that deserves its price tag (again, in most cases)
- Online store/website – The place that showcases the merchant’s products, and the interface that the customer interacts with
- Merchant’s bank account – The final destination of the customer’s payment
- Acquiring bank/Acquirer – The bank that provides a merchant account to the merchant and processes card payments on behalf of the merchant
- Issuing bank/Issuer – The bank that provides the payment card to the customer and makes the payment to the acquiring bank on behalf of the customer, in the case of card payments
- Customer’s bank account – The bank that makes the payment on behalf of the customer, in the case of non-card payments
- Payment Gateway – The conduit between the customer and the merchant, and their corresponding banks.
Now that we’ve met the characters, moving on to the typical sequence of events:
- The customer clicks the “Buy” button after picking the product(s) that they liked, in the online store, in their browser.
- The customer’s browser encrypts the transaction data for the sake of security and sends it across to the online store’s server.
- The online store’s server receives this message, neatly packs the transaction data and the customer’s IP address together, and slaps on a Digital Certificate (think of this as simply an attachment that verifies the identity of the merchant/sender as well as that of the payment gateway/recipient). This neat message package is now called a “Digital Order”, which is also encrypted before getting forwarded to the payment gateway. (In some payment providers like Stripe and Braintree, the information is directly shipped from the customer’s browser to the payment gateway. The merchant’s servers are completely taken out of the picture, which also relaxes the merchant’s data security compliance obligations.)
- The payment gateway authenticates the online store with the help of the Digital Certificate, and once that comes through, throws up a screen with the available payment methods, to the customer.
- Once the customer picks a payment method, the payment gateway transmits the details to either the acquiring bank (if it’s a card payment method) or the merchant’s bank (if it’s an alternative payment method).
- The acquiring bank/merchant’s bank passes on this information to the issuing bank (for card payment method) or the customer’s bank (for alternative payment methods).
- The issuing bank goes over the customer’s credit or debit limit and the payment method’s validity, and either approves or rejects the transaction, with a response code (in case the payment is declined, this code will also state the reason behind the failure). It passes this message to the payment gateway via the acquiring bank.
- The payment gateway communicates the response to the customer and the merchant. This response is called “Authorization” or “Auth”.
And the best part? this entire process (from 1 to 8) takes up to 2-3 seconds at the most.
The final step (in the case of card payments) is for the issuing bank to “Clear” the Auth and settle the funds with the acquiring bank (in the case of physical goods, this step takes place after the merchant ships the order, i.e., fulfills the transaction).
Usually, at the end of the day, the merchant submits that day’s batch of all the approved Auths to the acquiring bank, which then requests the issuing bank for batch settlement. Once it receives the funds from the issuing bank, the acquiring bank, in turn, transfers the amount to the merchant’s bank account.
This period (from Authorization to settlement) is called the settlement time and is usually completed in anywhere from 2 to 4 business days.
Importance of a payment gateway – AKA why you should care:
You just need three reasons to get convinced. (Not-so-relevant plug: Behold the third three-pointer in this post. Sorry, I just had to note that down. Because, patterns.)
1. Enforcement – A payment gateway ensures that payment processing is secure and brings down the frequency as well as the severity of credit card frauds, with the help of these:
- Secure Socket Layer (SSL) – It’s a protocol that essentially encrypts payment and card data. It’s mandatory for all online transactions to follow this protocol.
- Payment Card Industry Data Security Standards (PCI DSS) – It lists down the various rules/guidelines (which also includes data encryption) that you have to comply with, in order to secure payment processing information. Having said that, you needn’t be PCI compliant if you employ a PCI level 1 compliant payment gateway to process payments instead.
- Tokenization – I think we’ve pretty much established the fact that you should never, I mean NEVER store your customer’s card information in your server. They have to be tokenized by a payment gateway before getting stored in the centralized server, or in other words, replace data with randomly generated strings of characters, called tokens. These tokens are then sent to your system, which you can use as a substitute for the card’s details in future transactions.
- 3-D Secure – This is an additional security protocol layer for credit and debit card transactions, where the customer is required to create a password for every card they use for every online transaction. They go by different names for different card services (Verified by Visa for Visa, Mastercard SecureCode for MasterCard, J/Secure for JCB International, and American Express SafeKey for American Express).
- Anti-fraud tools – Collectively referred to as “fraud scrub”, these are a set of tools like AVS (Address Verification System) checks, IP checks, geolocation, etc, to confirm that the customers are actually who they claim to be, that a payment gateway employs to scan and monitor every online transaction that goes through it.
2. Ease – The present-day payment gateways can be set up in less than a day, and maintaining it demands minimal effort from your side. Most users have already interacted with payment gateways in their previous online shopping experiences, and so you needn’t put in the effort to get them familiar with how it works. In addition to that, most present-day payment gateways support multiple currencies and offer multiple payment methods, which takes of a huge load off your shoulders to meet your individual customer needs.
3. Experience – Building on the previous sentence, by catering to the payment preferences of your global customers, you end up upping their satisfaction, and in turn your conversion rates. A survey conducted by YouGov discovered that about 50% online shoppers said that they would abandon their checkout process if their preferred payment method isn’t available. And that’s a lot of money left on the table.
There. If you can see a halo around “Payment Gateway” at this point, then we’re on the same page and can move on to the next (and final) section.
Now, no two payment gateways are the same, and each one comes with their own set of pros and cons. Which will vary depending on the type of your business and your location.
There are plenty of gateways in the sea, and no one gateway fits all.
How to choose the best payment gateway for your business – AKA how to make your job easier:
Picking your payment gateway won’t be an ordeal by fire, if you know what factors to look for, and how to look for them.
As a good starting point, use this quick list of criteria (also, divided into three groups, wink wink, nudge nudge!) to evaluate payment gateways.
- Ease of setup and cancellation process – Does the payment gateway need you to have a merchant account or does it offer a combined merchant account and payment gateway (the hybrids)? Will it lock you (and your customer data) up for a specific time period before letting you go, if you choose to switch to a different gateway?
- Cost/pricing – What are their the setup fees, registration fees, refund fees, processing fees, chargeback fees, and cancellation fees? Does it have per-transaction fees or monthly usage charges? Does it charge you extra when you convert currencies for foreign customers? Does it have a limit fee (with a limit on the transaction value or the number of monthly transactions)?
- Hosted vs. integrated – Does it redirect your customers from your website to its own platform to collect payment details (aka a hosted payment gateway – broken customer experience, but zero security compliance requirements from your side)? Or will your customers never have to leave your website to type in payment info and to place orders (integrated payment gateway – better customer experience, but more security compliance burden on you)?
- Support – Does it offer support whenever you need it and in the way that you want it? Does the support team have the same working hours as you? How responsive are they? Do they offer support only via emails? Does customer support come at an extra charge?
- Data portability – Does it provide open portability of data? If you switch to a different gateway, will the data also move along with you, without any friction or sky-high fees?
- Transactions success rate – What is the average success and failure rates of transactions that were transferred to the gateway from your website? How many customers dropped out even before reaching the gateway (this is a no man’s land and most gateways don’t include this data in their success-failure rates, and so it’s your task to figure out a way to track it)
- Settlement time/payout policy – For how does it hold onto your funds and what percentage of your funds does it hold onto? How long does it take to settle funds in your bank account (after deducting all the fees/charges)?
- Reliability/uptime – How frequently does it experience downtime? Can its uptime record ensure that your customers will be able to make uninterrupted purchases 24x7x365?
- Security/Fraud prevention capabilities – Is it PCI DSS level 1 compliant? Does it offer built-in tokenization and encryption capabilities? What are the real-time fraud-detection tools that it uses to screen transactions and protect you from fraud?
- Recurring payments (if you run a subscription business) – Does it have the capability to store your customers’ card details and enable you to automatically charge them on a recurring basis? If yes, what are the additional charges to avail this service?
- Checkout process/experience – How seamless is the checkout experience? Does it allow you to personalize the UI (User Interface) to align with your brand? Is the UI optimized for high conversion rates?
- Payment types – What are the various payment methods does it support, to accept payments from your customers – credit/debit cards, direct debit, internet banking (in this case, also look at the different banks that it supports), digital wallets, and so on? Does it support the local cards and payment methods that are popular in the countries that you’re going after?
- Currencies – Does it support multi-currency payments? If yes, what currencies does it support? Is there an additional fee to accept multi-currency payments or payments from other countries? Does it support Dynamic Currency Conversion or DCC (where the amount is converted to the customer’s native currency on the checkout page alone)? Do you need to have a separate merchant account to accept payments from a specific country?
- Integrations – Does it seamlessly integrate with your existing/preferred shopping cart, billing system, and accounting system. How easy is the integration process (solid plugins, elegant API, etc. to bring down your development and integration time as low as possible)?
- Reporting – What are the reports that it provides (from basic ones such as daily transaction reports to specialized ones like settlement report, payment modes report, unsettled/failed transactions report, etc.)? Does it enable you to create custom reports? Do you have to pay extra to receive those reports?
(Note: Apart from these, it does help to verify, as early as possible, if you run a high-risk business or sell a high-risk product, as it will affect your chances of receiving support from most payment gateways.)
Conclusion – AKA let’s get to work:
The shortest distance between two points is not a straight line—it’s a middleman. And the more middlemen, the shorter.
“Good middlemen,” Marina Krakovsky says, “enlarge the size of the pie, making all parties better off.”
And it all starts with discovering and joining hands with the middlemen that are right for you and your business.
As a fellow startup in the trenches, we know how difficult a task it is to compare, weigh up, and pick out the payment gateway that will best suit your business.
That’s why we decided to do all the heavy lifting, and have come up with, drum rolls please, this nifty payment gateway comparison tool to help you evaluate payment gateways specific to your country.
May your metaphorical cash-registers ring loud and long!
List of articles for further reading:
- How a recurring billing system is different from a payment gateway
- Why it makes perfect sense to offer alternative payment methods
- Advantages of using multiple payment gateways
- Payment gateways supported by Chargebee
- Scaling SaaS billing: how to plan for the insanity
- Getting started with subscription billing and management software