A payment gateway facilitates a payment transaction by the transfer of information between a payment portal (such as a website, mobile phone or interactive voice response service) and the front end processor or acquiring bank.
When a customer makes a payment from a payment gateway-enabled merchant, the payment gateway performs a variety of tasks to process the transaction.
- A customer makes a payment on website by pressing the 'Submit' or equivalent button, or perhaps enters their card details using an automatic phone answering service.
- If the payment is via a website, the customer's web browser encrypts the information to be sent between the browser and the merchant's webserver. In between other methods, this may be done via SSL (Secure Socket Layer) encryption. The payment gateway may allow transaction data to be sent directly from the customer's browser to the gateway, bypassing the merchant's systems. This reduces the merchant's Payment Card Industry Data Security Standard (PCI DSS) compliance obligations without redirecting the customer away from the website.
- The merchant then forwards the transaction details to their payment gateway. This is another (SSL) encrypted connection to the payment server hosted by the payment gateway.
- The payment gateway converts the message from XML to ISO 8583 or a variant message format (format understood by EFT Switches) and then forwards the transaction information to the payment processor used by the merchant's acquiring bank.
- The payment processor forwards the transaction information to the card association (i.e.: Visa/ MasterCard/ American Express). If an American Express or Discover Card was used, then the card association also acts as the issuing bank and directly provides a response of approved or declined to the payment gateway. Otherwise [e.g.: MasterCard or Visa card was used], the card association routes the transaction to the correct card issuing bank.
- The credit card issuing bank receives the authorization request, verifies the credit or debit available and then sends a response back to the processor (via the same process as the request for authorization) with a response code (i.e.: approved, denied). In addition to communicating the fate of the authorization request, the response code is also used to define the reason why the transaction failed (i.e.: insufficient funds, or bank link not available). Meanwhile, the credit card issuer holds an authorization associated with that merchant and consumer for the approved amount. This can impact the consumer's ability to spend further ( because it reduces the line of credit available or it puts a hold on a portion of the funds in a debit account).
- The processor forwards the authorization response to the payment gateway
- The payment gateway receives the response, and forwards it on to the website (or whatever interface was used to process the payment) where it is interpreted as a relevant response then relayed back to the merchant and cardholder. This is known as the Authorization or "Auth"
- The entire process typically takes 2–3 seconds.
- The acquiring bank subsequently deposits the total of the approved funds into the merchant's nominated account (the same day or next day). This could be an account with the acquiring bank if the merchant does their banking with the same bank, or an account with another bank.