A payment gateway is a secure technology platform that allows businesses to accept and process payments from customers using multiple payment options such as credit and debit cards, Electronic Funds Transfer at Point of Sale (EFTPOS), mobile wallets like Google Pay, Samsung Pay and Apple Pay, and more.
Key functions of a payment gateway are:
- Securely transmitting data: Encrypting and sending sensitive card information so transactions are processed safely.
- Fraud protection: Acts as a shield for customers and merchants by detecting and blocking fraudulent activity.
- Enabling online and in-person transactions: Authorising payments through an eCommerce online checkout, POS terminal or mobile device.
An online payment gateway is built into a website, mobile app or in-person point-of-sale (POS) system. A payment gateway in Australia is typically provided for an additional fee to process cards online through an eCommerce site, or in-person at an EFTPOS card terminal.
What are payment gateways?
Payment gateways in Australia connect the key parties in every digital transaction – the merchant, the payment processor and the customer’s bank. They securely send payment details from the customer to the bank for authorisation and then return an approved or declined message to complete the sale.
There are two main types of payment gateways: physical and virtual.
Physical gateways
Physical gateways process in-person card payments, tap-and-go, insert card or swipe transactions made over the counter. Physical gateways are found in EFTPOS terminals or POS systems in cafes, shops or restaurants.
Virtual gateways
Virtual gateways use Application Programming Interfaces (APIs) or web services to securely process card and digital wallet payments through a website or app. Virtual gateways are used in online checkouts, invoicing platforms and mobile apps.
Whether a business uses a virtual or physical gateway in Australia, both gateways work in the same way: to move transaction data safely between banks so businesses can accept payments quickly and securely.
How payment gateways work
The process behind the scenes for virtual or physical gateways works the same way. A payment gateway securely passes information between your business, the customer’s bank and the card network to ensure every transaction is authorised and completed accurately. However, mobile and online payments use digital capture files to package the card information rather than output from a card reader.
Think of the payment gateway as a secure messenger. It carries encrypted payment ‘packages’ between the customer’s bank and your business, ensuring the data arrives safely and the transaction is completed correctly.
Here’s a step-by-step process:
- A customer makes a payment through your EFTPOS terminal, website checkout or mobile app.
- The payment gateway collects the card data, encrypts it and transmits it securely to the merchant’s bank.
- The payment gateway identifies which card network the transaction belongs to, such as VISA, Mastercard, eftpos, or American Express and sends the payment data through that network to begin the authorisation process. (While they might seem the same, it’s important to note that EFTPOS and eftpos are different. EFTPOS is a form of payment at any card machine, while eftpos is an Australian brand that allows businesses to receive payments from an Australian customer’s bank account when they’ve used a debit card at a POS system.)
- The transaction request is sent via the card network to the customer’s bank or issuing bank.
- The issuing bank verifies the transaction, runs fraud detection checks and confirms funds are available in the customer’s account.
- The bank sends an authorisation code back through the same network to your bank and payment gateway, approving or rejecting the transaction.
- The payment gateway communicates the approval or rejection to the POS system or website. If approved, the sale goes through. If declined, the sale fails to complete.
Authorisation vs settlement of transactions
What’s an authorised transaction?
An authorised transaction means that the customer’s bank has put a temporary ‘hold’ on the funds, but the merchant hasn’t actually received payment. The temporary hold allows the bank to confirm that the customer has enough money available and prevents the same funds from being spent twice while the transaction is being settled, which usually takes 1-2 business days.
Customers see this as a ‘pending transaction’ on their statement. Some debit card payments are authorised and settled at the same time, so the transactions immediately show up on the customer’s account.
What’s settlement of a transaction?
At close of business, the merchant’s POS system sends a batch settlement file to finalise all pending payments. There isn’t a single cut-off time to submit the file; cut-off times depend on the bank, settlement scheme, and payment type.
The pending transactions are committed, which means the merchant is now entitled to the funds previously put on hold by the issuing bank. Once the issuing bank releases the funds, they’re deposited into the merchant’s account; the timing depends on the issuing bank’s settlement process.
For example:
- A cafe using Square POS might see a customer’s card transaction approved instantly at the counter (authorisation).
- These funds are then included in the cafe’s end-of-day batch settlement file and deposited into its business account shortly afterwards (settlement).
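The hold-then-settle behaviour described above (and the issuer’s funds check in the step-by-step flow earlier) is easiest to see in a small simulation. The following is an added illustration, not Square’s or any bank’s code: a toy issuer ledger in which authorisation places a hold that reduces the available balance without touching the ledger, and an end-of-day batch commits those holds. The account, amounts and the batch file contents are constructed for the example, and the batch handling also shows the edge cases a real settlement process must handle (a duplicated line and an unknown authorisation code).

```python
"""Toy issuer ledger: authorisation holds versus batch settlement.

Added illustration only; not Square's or any bank's code. Balances, amounts
and the settlement batch below are constructed for the example.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Tuple
import itertools


@dataclass
class Account:
    """A cardholder account held at the issuing bank."""
    ledger_balance: Decimal                              # money actually in the account
    holds: Dict[str, Decimal] = field(default_factory=dict)  # auth code -> amount on hold

    @property
    def available_balance(self) -> Decimal:
        """What the cardholder can still spend: ledger minus pending holds."""
        return self.ledger_balance - sum(self.holds.values(), Decimal("0"))


_auth_codes = itertools.count(100001)   # constructed authorisation code sequence


def authorise(account: Account, amount: Decimal) -> Tuple[bool, str]:
    """Issuer's authorisation step: confirm available funds and place a hold.

    Returns (approved, authorisation code). The hold, not the ledger, is what
    stops the same funds being spent twice before settlement.
    """
    if amount <= 0 or amount > account.available_balance:
        return False, "DECLINED"
    code = str(next(_auth_codes))
    account.holds[code] = amount
    return True, code


def settle_batch(account: Account, batch: List[str]) -> Decimal:
    """Merchant's end-of-day batch: commit each held authorisation.

    Each code settles at most once (a duplicated line in the file is ignored)
    and unknown codes are skipped. Returns the total moved off the ledger.
    """
    total = Decimal("0")
    for code in batch:
        amount = account.holds.pop(code, None)
        if amount is None:
            continue
        account.ledger_balance -= amount
        total += amount
    return total


def release_hold(account: Account, code: str) -> bool:
    """Drop an authorisation that was never settled (for example, the hold expired)."""
    return account.holds.pop(code, None) is not None


def demo() -> dict:
    """Walk the flow end to end and return the intermediate balances as strings."""
    acct = Account(ledger_balance=Decimal("100.00"))
    ok1, code1 = authorise(acct, Decimal("30.00"))   # counter purchase: approved
    ok2, _ = authorise(acct, Decimal("80.00"))       # exceeds available funds: declined
    after_auth = (str(acct.ledger_balance), str(acct.available_balance))
    # Batch file with the real code twice and one unknown code.
    settled = settle_batch(acct, [code1, code1, "999999"])
    after_settle = (str(acct.ledger_balance), str(acct.available_balance))
    return {
        "auth1": ok1, "auth2": ok2,
        "after_auth": after_auth, "settled": str(settled),
        "after_settle": after_settle,
    }


if __name__ == "__main__":
    print(demo())
```

Between authorisation and settlement the ledger still shows the full balance while the available balance is already reduced, which is exactly the "pending transaction" a customer sees on their statement; only the batch moves the money off the ledger.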
Payment gateways and security standards
Payment gateways are designed with security features such as encryption and global compliance frameworks to protect businesses and customers from fraud.
Encryption
Payment gateways use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption to protect sensitive data during transactions. If someone tries to intercept this data, they’ll see a jumble of characters that are unreadable. Encryption ensures that cardholder data stays private and can’t be read by fraudsters if it is intercepted as it moves between the customer, the bank and the business.
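Whether "SSL/TLS" actually protects card data depends on how the client that talks to the gateway is configured: all SSL versions and TLS 1.0/1.1 are deprecated and PCI DSS requires a current TLS version, and encryption without certificate verification protects nothing against an attacker sitting in the path. The following added example (not Square’s or any gateway’s code) builds a hardened client context with Python’s standard `ssl` module, builds the kind of weak context that still "uses TLS" on paper, and reviews both against three checks a practitioner would want: minimum protocol version, hostname checking and mandatory certificate verification.

```python
"""Review the TLS settings a gateway client uses before it sends card data.

Added illustration, not Square's or any payment gateway's code. Uses only the
Python standard library; the 'weak' context is constructed to show the
settings that undermine a claim of 'we use SSL/TLS'.
"""
import ssl
from typing import List

# Everything below TLS 1.2 (all SSL versions, TLS 1.0 and 1.1) is deprecated and
# ruled out by PCI DSS for protecting cardholder data in transit.
MINIMUM_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that only speaks TLS 1.2+ and authenticates the gateway."""
    ctx = ssl.create_default_context()      # loads the system CA store
    ctx.minimum_version = MINIMUM_VERSION
    ctx.check_hostname = True               # certificate must name the gateway host
    ctx.verify_mode = ssl.CERT_REQUIRED     # refuse servers that cannot prove identity
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Encrypts, but accepts any server and any protocol version OpenSSL still builds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def review_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the problems found in a context; an empty list means it passes."""
    problems = []
    if ctx.minimum_version < MINIMUM_VERSION:
        problems.append(
            f"minimum protocol version is {ctx.minimum_version.name}; require TLSv1_2 or later"
        )
    if not ctx.check_hostname:
        problems.append("hostname checking disabled: a valid certificate for any site would be accepted")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification not required: encryption without authentication")
    return problems


if __name__ == "__main__":
    print("hardened:", review_context(hardened_client_context()))
    print("weak:", review_context(weak_client_context()))
```

To use the hardened context for a real connection, wrap the socket with `ctx.wrap_socket(sock, server_hostname=host)`; passing `server_hostname` is what makes the hostname check meaningful. The review function is the part worth keeping in a deployment check, because a context that is later "fixed" to make a test environment work is how the weak settings reach production.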
Payment Card Industry Data Security Standard (PCI DSS) compliance
PCI DSS is the global framework designed to protect cardholder information and reduce fraud in payment gateways. Any business that accepts or processes card payments, including at a physical location like a cafe, an eCommerce site or over the phone, must follow PCI DSS requirements.
Some businesses end up using a mix of payment processing systems from several different companies. They might use a payment terminal from one vendor, payment gateways from another and a POS system from a third vendor.
Even if your payment technology partners are PCI DSS compliant, your business still needs to ensure that:
- Payment systems are connected securely
- Customer data is stored and handled safely
- Access is restricted to authorised staff only
Choosing an integrated solution like Square, where the payment gateway, POS and processing tools are built to the same compliance standards, makes meeting PCI DSS compliance requirements easier and reduces your business’s overall risk.
Payment gateways in Australia
A payment gateway in Australia helps ensure that every debit or credit card payment is processed securely and efficiently. It forms a vital link between businesses, customers and banks to authorise the right transactions and prevent fraud.
If you want to accept debit or credit card payments online or in-person, or use eftpos, you need a reliable and secure payment gateway that meets industry standards without complicating your technology.
How gateways connect with Australian banks
Payment gateways connect your business to Australia’s major banks and card networks by securely transmitting data to verify payments and deposit funds into your account.
Businesses using payment gateways in Australia must meet strict security standards:
- Be PCI DSS compliant to protect cardholders’ data.
- Comply with the Australian Securities and Investments Commission’s (ASIC) ePayments Code that governs electronic payment facilities and protects consumers from financial losses.
- Have data encryption and fraud monitoring systems that align with Australian banking regulations.
If you’re using a third-party payment gateway, confirm that your payment provider and POS system meet all these requirements. As a business, you’re responsible for meeting compliance requirements for your payment methods.
Why you don’t need a payment gateway with Square
Square is an end-to-end payment processor, which means that Square hardware and software handle every step of the transaction on one platform without needing to connect to an external provider.
Square captures your customers’ payment information at the point of sale (no manual tracking of payments needed), works directly with card payment gateways to securely send those payments to the right place, and deposits the funds into your bank account, usually by the next business day.
End-to-end payment processing
The Square integrated system captures payment information at the point of sale and sends it securely to the correct card provider and bank; you don’t need to track and balance payments manually or install a third-party payment gateway.
Whether you take in-person payments via Square Reader or Square Register, or online payments through Square Online, every transaction goes through one connected platform, eliminating the need for separate gateways and third-party providers. It means fewer moving parts, less risk of data breaches and faster access to your money. You have peace of mind that every transaction is handled securely from start to finish.
Built-in compliance and security
All Square software and hardware are fully PCI DSS compliant, which means your business automatically meets key security standards for accepting card payments in Australia.
When you process payments through Square, your customers’ card information never touches an independent device or local server. Payment data is encrypted from the moment you collect the card information, transmitted securely through Square’s network, and processed by the financial institutions that work with Square to clear payments without the need for a separate payment gateway or multiple payment tools.
No separate merchant account
Traditional payment processors often require merchants to open their own merchant account, a process that involves paperwork, approval delays and extra fees. When you use Square, we become the merchant of record. We take on the responsibility (and fees) for maintaining a merchant account so you don’t have to. All card payments are sent to our shared merchant account, then securely forwarded to your business bank account. We handle the compliance, settlement and related costs so you can focus on running your business.
Square vs traditional payment gateways
Transparent pricing for payment gateways
Square offers a simplified payment flow and pricing for your business based strictly on transaction fees:
- 1.6% transaction fee for every tap, insert or swipe.
- 2.2% transaction fee for every transaction where the card is not physically present, such as Square Online purchases or manually keyed-in transactions.
There are no monthly charges and no additional fees. Our flat rates also include PCI compliance fees and interchange and chargeback fees.
| Feature | Traditional payment gateway process | Square |
|---|---|---|
| Setup cost | Initial setup fees, merchant account fees, payment gateway fees, and PCI compliance fees. | Free account sign-up and activation. |
| What’s included | Merchant account and online payment gateway setup to process card payments. | Square’s all-in-one platform has payment APIs, POS tools, a built-in payment gateway and security features, and a merchant account. |
| PCI DSS Compliance | Businesses must check and maintain separate PCI DSS compliance requirements. | Square software and hardware are fully integrated and PCI DSS compliant. |
| Fee transparency | Multiple, sometimes hidden fees that add up to a significant business expense. | A flat transaction fee based on transaction type. |
Choosing the right payment gateway
Before you sign up with a payment gateway service provider, take time to understand how it fits within your existing payment systems and what it’ll really cost. Start by checking for hidden fees or extra charges, such as setup fees, compliance costs, or integration expenses.
If you use a virtual payment gateway for your eCommerce site and a physical payment gateway, like an EFTPOS terminal, for in-person payments, both systems should feed into your point-of-sale (POS) software to simplify your bookkeeping. An integrated system saves time and makes daily reconciliation simpler. Non-integrated solutions increase your business’s risk of data breaches and some types of fraud.
Whether you’re opening a new location for your business, expanding your online store, or accepting credit and debit card payments for the first time, understanding associated fees protects your profitability and keeps your payment system running smoothly.
Payment gateway FAQs
What’s the difference between a virtual terminal and a payment gateway?
A virtual terminal is software that enables a business to accept remote payments without a physical card reader. With Square virtual terminal, businesses can use their computer to process payments in person or over the phone. It’s ideal for businesses that want to accept remote payments like phone orders, mail orders or bookings, without needing to set up an online store.
A payment gateway is a secure technology platform that links your business, the customer’s bank and your payment processor. It connects your POS system or online checkout to the merchant account, authorising and routing each card transaction securely to the correct bank or network.
How much do payment gateways cost?
The cost of using a payment gateway varies depending on your provider, the number of transactions, and the type of payments your business accepts. However, fees can sometimes feel unclear or confusing, which makes it difficult to compare options.
Most payment gateways will charge a per-transaction fee, which is usually a small percentage of each sale. According to the Reserve Bank of Australia, small businesses often pay higher fees because of less bargaining power and high bank margins. For small businesses earning less than $1 million, debit or eftpos transactions cost 0.85-2% in fees, while credit card transactions cost 1-2%.
Other ongoing or one-off costs can include:
- Monthly account fees
- Membership fees
- PCI compliance fees
- Initial setup fees
- Batch or settlement fees
- Refund or chargeback fees
- Higher rates for premium or international cards like American Express
Square charges a flat-rate pricing model without monthly or hidden charges. This can be a more economical option, especially for small businesses.
What’s the relationship between merchant accounts, payment processors, and payment gateways?
- Payment gateway: The technology that captures and transmits payment information between your POS system or online checkout, your business’s bank account (merchant account) and your customer’s bank account. An online payment gateway acts as a digital ‘bridge’ that encrypts and routes transaction data.
- Payment processors: The financial institution or entity that moves the funds between your customer’s bank (issuing bank) and your merchant account (the acquiring bank). It authorises and settles each transaction, ensuring money flows correctly and securely.
- Acquirers: The banks or financial institutions that hold and manage your merchant account, which is a special type of business bank account.
- Merchant account: A special type of business bank account that holds funds temporarily from card transactions before they’re deposited into your main business account. A merchant account establishes a business relationship between you and your merchant services provider (e.g., the bank account for your business). You can’t take card payments until after you apply and are approved for a merchant account, unless you use a payment provider like Square.
What’s the difference between a payment gateway and a payment switch?
The payment switch is part of the payment gateway. It ensures incoming payment requests (transactions) are directed to the right network or bank for approval. When the gateway receives a payment request, the transaction is routed to the payment switch (this process is called ‘transaction switching’), and then the switch routes the transaction to the correct issuing bank for approval.
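The routing decision the switch makes (and step 3 of the step-by-step flow earlier, where the gateway identifies the card network) can be shown in a few lines. The following is an added illustration, not Square’s or any real switch’s code. It validates a keyed-in card number with the Luhn check, picks the network from the card’s leading digits using the publicly documented prefix ranges for the three international schemes named in this article (eftpos is left out, because routing a co-badged debit card is decided by the merchant’s settings rather than by a prefix), and masks the number the way PCI DSS requires wherever it is logged or displayed. The request shape and the card numbers are constructed: they are the standard published test numbers, not real cards.

```python
"""Toy payment switch: validate a PAN, pick the card network, mask it for logs.

Added illustration of the 'transaction switching' step; not Square's or any
real switch's code. The request shape is constructed for the example and the
sample card numbers in the tests are published test numbers, not real cards.
"""
import re
from typing import Optional

# Public leading-digit (issuer identification number) ranges per scheme.
# Each entry: (network, lowest prefix, highest prefix), compared on len(prefix) digits.
NETWORK_RANGES = [
    ("American Express", "34", "34"),
    ("American Express", "37", "37"),
    ("Mastercard", "2221", "2720"),
    ("Mastercard", "51", "55"),
    ("Visa", "4", "4"),
]


def luhn_valid(pan: str) -> bool:
    """Luhn check: catches mistyped or mis-keyed numbers before any request is sent."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def identify_network(pan: str) -> Optional[str]:
    """Return the card network for a PAN from its leading digits, or None if unsupported."""
    for network, low, high in NETWORK_RANGES:
        prefix = pan[: len(low)]
        if low <= prefix <= high:      # same-length digit strings compare numerically
            return network
    return None


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: show at most the first six and last four digits."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def switch(request: dict) -> dict:
    """Route an incoming request to the right network, or decline it locally.

    `request` is a constructed message: {"pan": ..., "amount_cents": ...}, possibly
    with a "cvv" field. The CVV is deliberately never copied into the routed record.
    """
    pan = request["pan"].replace(" ", "")
    if not luhn_valid(pan):
        return {"routed": False, "reason": "invalid PAN (Luhn check failed)", "pan": mask_pan(pan)}
    network = identify_network(pan)
    if network is None:
        return {"routed": False, "reason": "unsupported card network", "pan": mask_pan(pan)}
    return {
        "routed": True,
        "network": network,
        "pan": mask_pan(pan),
        "amount_cents": request["amount_cents"],
    }


if __name__ == "__main__":
    print(switch({"pan": "4111 1111 1111 1111", "amount_cents": 450, "cvv": "123"}))
```

A real switch consults an issuer BIN table rather than a handful of prefix ranges, but the defensive points are the same: reject malformed numbers before they leave the gateway, never carry the CVV past the authorisation request, and log only the masked number.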
If I already have a payment gateway provider, do I still need to worry about PCI DSS compliance?
Yes. All Australian businesses that accept debit or credit card payments are required to meet PCI DSS standards across their payment service. Using a PCI DSS-compliant payment gateway is only part of the process. You’re still responsible for confirming that the systems of every payment provider you use also meet the standards. Even if your payment gateway is compliant, you must verify that your payment processor or service provider follows the same security and data protection requirements.
How to check and maintain PCI DSS compliance for your provider:
- Ask for proof of compliance, such as a current PCI DSS Attestation of Compliance (AOC) or certification from a recognised Qualified Security Assessor (QSA).
- Confirm card data is encrypted and handled properly
- Review their security policies and documentation
- Integrate only approved systems
- Secure your systems using password protection, update software regularly and train staff to handle customer data safely
- Choose an end-to-end payment provider like Square
Square’s software and hardware are PCI DSS compliant, making it easy for you to meet compliance standards for taking cards and processing payments in your business.
What’s an example of a payment gateway?
- PayPal: Allows customers to pay using their PayPal balance, a linked debit or credit card, or a linked bank account.
- Stripe: Provides customisable APIs that integrate with websites, apps and subscription platforms.
- Square: Offers an end-to-end payment solution by combining hardware, POS software and built-in payment-processing that’s PCI DSS compliant. Square works for in-person EFTPOS payments and online transactions and offers transparent flat-rate pricing.
Can I use a payment gateway without a website?
Yes, you can accept payments even if you don’t have a website. Online payment gateways work just as well with other payment tools. Any device that’s connected to the internet, such as your tablet, iPad or phone, can be used to accept payments:
- POS systems: Accept in-person card payments through an EFTPOS terminal that connects to your payment gateway or processor.
- Virtual terminals: Key in a customer’s card details from your computer to take payments over the phone or by mail order.
- Digital invoicing tools: Send professional invoices with built-in payment links that allow customers to pay securely online.
Are payment gateways safe?
Yes, payment gateways are designed to be highly secure, using multiple layers of protection to keep sensitive business and customer data safe from theft and fraud by:
- Encrypting data using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols before it is sent through the card network, so the information is scrambled into unreadable code that unauthorised parties can’t access.
- Real-time fraud monitoring and advanced identity verification tools that pick up on suspicious activity before a transaction is approved.
- PCI DSS compliance means cardholder data is transmitted and stored as per strict global security rules.
Square payment processing software and hardware are safe, using encryption, account protection, and PCI DSS compliance. We protect your customers’ data from the point of capture to the time the funds are delivered to your merchant account.