A payment gateway is the final step of the sales process on an ecommerce website. It’s the form in which a customer will input their credit card information in order to complete a purchase. Technically speaking, a payment gateway is a piece of software that is connected to a server somewhere. This software has to be extremely secure as it transmits payment information back to the server, which then communicates with banks to facilitate transactions.
What is a payment gateway?
The payment process usually occurs as follows:
How does it work?
- A customer places an order by clicking ‘checkout’, ‘submit order’ or something along those lines.
- They then proceed to the payment stage where they will have to input credit card information into a form. The payment form can either be embedded on the original website, or the customer will be redirected to an external form hosted by the payment gateway provider. This form will be protected by SSL (secure socket layer) encryption.
- Wherever the form is hosted, the payment information (which includes credit card details, amount of transaction etc) will be sent to the payment gateway provider, again, encrypted with SSL.
- The payment gateway then forwards the transaction information to whichever payment processor is used by the merchant’s bank.
- The payment processor then forwards the transaction information to whichever bank issued the customer’s credit card.
- The bank then responds to the payment processor with a transaction approval or rejection.
- The payment processor forwards this result to the payment gateway, who in turn, forwards it to the website merchant and cardholder.
- This process usually takes only 2-3 seconds and results in the ‘transaction approved’ message being displayed.
- The merchant then fulfills the order and the banks handle the actual transfer of funds which can take 2-3 working days.
How to set up a payment gateway
Step 1: Before you can set up a payment gateway, you’ll need to set up a business merchant account with your bank. This is the account that all the payments will be transferred into. If you are already a retailer, you should such an account already.
Step 2: This step can be completed at the same time as Step 1. While you’re talking to your bank, ask them for a ‘merchant facility’. This will allow a payment gateway to connect directly to your bank account and deposit funds into your account from orders processed through your website.
Step 3: Speak with your payment gateway provider to set up an account and link your bank accounts with their software. You may want to take this opportunity to ask any questions you might have about implementing their software into your website.
Step 4: Now that all the accounts are set up, you can integrate the payment gateway into your ecommerce website. Obviously this can take some technical knowledge, so should be done by an experienced developer to ensure everything is secure and will work properly.
Are payment gateways secure?Major credit card companies (Visa, Mastercard, Amex etc) have set certain requirements for organisations that handle their payments. These requirements are known as the ‘Payment Card Industry Data Security Standard, or PCI DSS.
There are 12 requirements in total:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software on all systems commonly affected by malware.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Most major payment gateways on popular websites are kept safe and secure. Websites hosting their own payment gateways however, may not have to comply with all the requirements. Laws will vary by country as well. United States federal law does not require organisations to comply with PCI DSS, for example. If you are processing your own payments, the security of the transaction is your responsibility and you may be liable for any breaches. Think about what your customers want/need when deciding how to set up payment processing for your website.
Many payment gateways also provide tools to automatically screen orders for fraud and calculate tax in real time prior to the authorisation request being sent to the processor. They use various methods to achieve this such as geolocation, velocity pattern analysis, blacklist checks, delivery address verification, etc.
DPS evolved from CSD, the software development company which produced and certified several leading processing solutions including the OCV Server (which was subsequently licensed to Ingenico), ANZ and St George banks in Australia, and PC Eftpos (the first integrated Windows POS / EFT-POS solution). In 2000 the PC EFTPOS technology was spun off in a multimillion-dollar deal to the ANZ bank and DPS replaced the legacy OCV Server with a next generation, zero hardware solution: Payment Express.
Direct Payment Solutions (DPS)
Payment Express is a leader in payment technology and offers a range of secure solutions to businesses with their PCI DSS compliant services. They are certified with Visa, MasterCard, American Express, JCB, Discover and Diners. Payment Express is one of the largest integrated EFTPOS and ecommerce switching providers in the Asia-Pacific region, and are certified in over 10 regions, with multiple banks.
Zeald has a long-standing relationship with Payment Express and is also a Payment Express Premium Partner, enabling us to provide our clients favourable rates, high levels of service, and plans tailored to suit a range of payment gateway needs.
If you need help setting up a payment gateway on your website, or have any other questions about ecommerce websites, please request an audit from our Google Certified experts.