Payment Gateways Part 2: How They Work

Posted: October 27, 2011 | Updated: October 27, 2011

The Official Merchant Services Blog continues its series on Payment Gateways. Yesterday’s blog dealt with the basic question of why your business would want a Payment Gateway in the first place. It also looked at the basic setup and costs of a Payment Gateway and some of the differences in the Payment Gateway options that Host Merchant Services offers.

Today’s blog is going to examine how Payment Gateways work.

How Do They Work?

A Payment Gateway is literally a link between a merchant, the client, the client’s credit card provider and the merchant’s bank. The main job of the gateway is to validate your customer’s credit card securely, make sure the funds are available and get you paid. The system is based on the transaction process you see in your standard retail store, where a credit card is swiped. But it does not require a card to be present to be charged.

Some gateways also require a merchant account –– a specific type of bank account that handles your funds received via credit cards. Host Merchant Services provides its merchants with Payment Gateway options as part of the services that come with opening a merchant account through the company.

Host Merchant Services has created an easy to read, step by step graphic on Payment Gateways. You can view that graphic here.

But to briefly walk you through the process:

  1. A customer places an order on a merchant’s website and submits the order through the site.
  2. The website then encrypts the payment information that is to be sent between the browser and the merchant’s webserver. This is done vial Secure Socket Layer (SSL) Encryption.
  3. The merchant then forwards the encrypted transaction details to their payment gateway.
  4. The Payment Gateway forwards the secure transaction information to the payment processor (in this instance, Host Merchant Services).
  5. The processor forwards the information to the card association (be it Visa or MasterCard or Discover).
  6. The credit card issuing bank receives the authorization request and sends a response back to the processor with a response code.
  7. This response gets forwarded to the Payment Gateway.
  8. The Payment Gateway sends the response back to the website where it is interpreted and relayed back to the cardholder and the merchant. This entire process of forwarding the information for a response, and getting the response back takes 2 to 3 seconds typically. Not only will the response of approved or declined be generated but the process also defines why a transaction might fail, and lists the reason.
  9. For an approved transaction, the Merchant then submits all of their approved transactions in a “batch” to the acquiring bank for settlement at the end of its business day. The acquiring bank deposits the total of the approved funds into the merchant’s account. Settlement of “batches” typically takes 2 days with Host Merchant Services.


How Do The Transactions Stay Secure? 

The security of these transactions are important. Security is the key reason Payment Gateways exist, as the entire point of the system is to get sensitive payment information transmitted from a customer’s web browser back and forth to a bank for approval of the purchase. Here are some of the technical details that happen with Payment Gateways to ensure the process remains secure:

  • Since the customer is usually required to enter personal details in the transaction process, the payment gateway is often carried out through HTTPS protocol.
  • To validate the request of the payment page result, signed request is often used – which is the result of the hash function in which the parameters of an application confirmed by a «secret word», known only to the merchant and payment gateway.
  • To validate the request of the payment page result, sometimes IP of the requesting server has to be verified.
  • There is a growing support by acquirers, issuers and subsequently by payment gateways for Virtual Payer Authentication (VPA), implemented as 3-D Secure protocol – branded as Verified by VISA, MasterCard SecureCode and J/Secure by JCB, which adds additional layer of security for online payments. 3-D Secure promises to alleviate some of the problems facing online merchants, like the inherent distance between the seller and the buyer, and the inability of the first to easily confirm the identity of the second.


Up Next

In tomorrow’s entry in this series we will take a look at the costs of a Payment Gateway, specifically the options Host Merchant Services offers and then analyze some of the criteria a merchant needs to consider when choosing a Payment Gateway.

Share This Post

Save Time, Money, & Resources

Categories: E-commerce, HMS News

Get Started

Ready for the ultimate credit card processing experience? Fill out this form!

Contact HMS

Ready for the ultimate credit card processing experience? Ask us your questions here.