
Payment Gateway

Definition

A payment gateway is the technology layer that encrypts and routes card transaction data between a merchant's checkout and the acquiring bank or PSP.

A payment gateway is the technology layer that securely transmits payment data between a merchant's checkout and the payment processing network. The gateway encrypts sensitive card data (PAN, CVV, expiry) at the point of entry, routes authorization requests to the appropriate acquirer, and returns the authorization response to the merchant. Gateways may be standalone (like Stripe.js or Adyen's Web Components) or bundled with full PSP services. Modern gateways handle tokenization, 3DS2 authentication orchestration, and multi-method payment routing in addition to basic data transmission.

The payment gateway is often described as the digital equivalent of a physical card terminal — but modern gateways do considerably more than simply transmit card data.

Gateway Functions

Data capture and encryption: The gateway’s client-side components (JavaScript SDK, mobile SDK, hosted fields) capture card data in the browser or app and immediately encrypt it before transmission. This keeps raw card data off merchant servers — a critical PCI DSS scope reduction.

Authorization routing: The gateway routes the encrypted authorization request to the appropriate acquirer or card network. In multi-acquirer setups (orchestration), the gateway handles routing logic.

3DS2 authentication: Modern gateways embed 3DS2 authentication flows, handling the device fingerprinting, ACS communication, and challenge presentation within the checkout flow.

Response handling: The gateway returns the authorization response (approved, declined, refer to issuer) to the merchant’s system, typically via webhook.

Token issuance: Upon successful authorization, the gateway can issue a token (replacing the PAN) for storage and future use in recurring payments or one-click checkout.

Hosted vs. Embedded Gateways

Hosted payment pages (HPP): The merchant redirects to a payment page hosted by the PSP (e.g., PayPal checkout, Stripe Checkout). Maximum security and minimum PCI scope; minimal customization of checkout UI.

Embedded/iframe gateways: The PSP’s payment form is embedded within the merchant’s checkout via iframe. PAN never touches merchant servers; partial UI customization possible.

JavaScript SDK (e.g., Stripe.js, Adyen Web): The merchant’s checkout hosts payment fields that appear to be on the merchant’s page but are actually served in isolated iframes by the PSP. Best user experience and full UI control; still qualifies for simplified PCI SAQ A.

Direct API integration: The merchant collects card data and transmits it directly to the PSP API. Full control; requires PCI DSS Level 1 or 2 compliance and is generally not recommended for merchants who can avoid it.
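With the hosted, iframe and SDK models the merchant backend should only ever receive a gateway token, so a raw PAN arriving at the server means the integration has drifted out of its intended PCI scope. The Node.js snippet below is an added example, not from this page or any vendor: a request guard that scans a JSON body for values shaped like a card number (13 to 19 digits, Luhn-valid), rejects the request, and logs the field path without logging the value. The Express-style `req`/`res`/`next` shape and the sample request bodies are assumptions constructed for the example.

```javascript
// Added example: detect raw card data reaching a merchant backend that is
// supposed to handle gateway tokens only. Field names and sample bodies are
// constructed test data.

// Luhn check over a string of decimal digits.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, after stripping spaces and dashes, it is
// 13-19 digits and passes Luhn. Plain order ids and amounts do not qualify.
function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[\s-]/g, '');
  if (!/^\d{13,19}$/.test(digits)) return false;
  return luhnValid(digits);
}

// Walk a nested JSON body and return the dotted paths of PAN-like values.
function findPanPaths(obj, path = '') {
  const hits = [];
  if (obj !== null && typeof obj === 'object') {
    for (const [key, val] of Object.entries(obj)) {
      hits.push(...findPanPaths(val, path ? `${path}.${key}` : key));
    }
  } else if (looksLikePan(obj)) {
    hits.push(path);
  }
  return hits;
}

// Express-style middleware (assumed shape): reject and alert, never echo the
// offending value into logs or the response.
function panGuard(req, res, next) {
  const hits = findPanPaths(req.body);
  if (hits.length > 0) {
    console.warn(`PAN-like value received at [${hits.join(', ')}] on ${req.path}; rejecting request`);
    return res.status(400).json({ error: 'raw card data must not be sent to this server; use a gateway token' });
  }
  return next();
}

module.exports = { luhnValid, looksLikePan, findPanPaths, panGuard };
```

Mount this ahead of the payment routes and wire the warning into the same alerting channel used for other integrity failures: a single hit is usually a developer who bypassed the SDK or a form that was re-pointed at the merchant origin, and catching it early is far cheaper than discovering it during a PCI assessment.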

Gateway vs. PSP vs. Acquirer

  • A payment gateway handles data capture and routing — it does not hold funds.
  • A PSP bundles gateway functionality with acquiring relationships and settlement.
  • An acquirer maintains the banking license and merchant account, settling funds.

Most merchants interact with a PSP that bundles all three functions. Large merchants often separate these: a specialized gateway (like Spreedly for orchestration), multiple direct acquirer relationships, and a vault provider for token storage.
