Table of contents
Making and receiving payments in-person and online has become so easy you’d be forgiven for thinking the process behind it was more simple than it is.
In reality, the $65 billion worth of retail transactions that take place in Canada every month are backed by a combination of payment technology providers, banks, and government policies that make transactions fast, easy and secure for consumers and businesses.
On the frontline of this multi-billion dollar retail industry is the payment gateway – an important piece of technology that gets you paid faster and keeps your customers’ data secure.
But what is a payment gateway and how do they work? This article breaks down everything you need to know about how to pick the right one for your business.
What is a payment gateway?
A payment gateway acts as a secure bridge between a customer, business, and banks to facilitate online and in-person financial transactions.
Payment gateways allow merchants to accept credit card payments by connecting payment processors (the service charging the card) and merchant account providers (the service providing your payment systems). Gateways are payment services — typically provided for an additional fee — that process credit cards online through an e-commerce site or in-person through a credit card terminal.
The technology behind payment gateways has evolved from processing card payments for in-store purchases to also supporting modern contactless payment methods like Interac Tap-and-Go, mobile wallets and QR codes. This makes payment gateways vital for all types of payments, and in all places where your business operates—from a farmer’s market to big box stores to online stores.
Importance of payment gateways for online transactions
Payment gateways let you accept credit card payments (in person or online) by securely transferring money between your merchant account and a payment processor through a credit card terminal or processor.
In order to process credit card payments, you’ll need a virtual terminal — sometimes referred to as a web POS or cloud POS. A virtual terminal is software that lets you take payments from any device (e.g., desktop, phone, or tablet) running it, which turns the device into a point-of-sale terminal. For example, Square’s free virtual terminal software is accessible via your Dashboard and capable of accepting payments right away, with no setup or engineering resources required. Virtual terminals are ideal for businesses that don’t need an online store but do need to accept remote payments through phone, mail, or fax.
Picking the right payment gateway is about more than simply accepting payments. Canadian consumers can be reluctant to adopt new payment methods beyond the trusted debit or credit card, with security and data privacy a top-of-mind concern. Choosing a reputable and secure payment gateway, like Square, is a strategic move that helps you build trust with your customers and expand the ways you can accept payments.
How do payment gateways work?
Credit card payment gateways act as conduits, passing credit card transaction information from the merchant to the relevant banks via the appropriate credit card network through one of the following mechanisms:
- Credit card terminals in brick-and-mortar stores (think of this as a physical payment gateway)
- Payment services and APIs for websites and mobile applications (think of this as a virtual payment gateway)
The transaction flow is the same whether you’re using a physical or virtual payment gateway, but mobile and online payments use digital capture files to package the credit card information rather than output from a credit card reader:
- The buyer makes a credit card payment through the merchant’s credit card reader or e-commerce site.
- The credit card payment gateway:
- Pushes the transaction information to the acquiring bank (the merchant bank or acquirer).
- Determines which credit card network (Visa, Mastercard, or American Express) issued the buyer’s card.
- Routes the transaction information to the correct payment switch.
- The payment switch routes the request to the bank that issued the buyer’s credit card (the issuing bank) and pushes the transaction information onto the correct credit card network.
- The issuing bank applies fraud detection procedures to determine the legitimacy of the transaction and confirms the buyer has sufficient credit in their account to accommodate the purchase.
- The issuing bank approves (or rejects) the transaction and sends this information back through the credit card network to the merchant bank and the payment gateway.
You can think of the payment gateway as a train passing between stations, where the conductor talks with the station master at each stop.
Your end-to-end payment workflow
| Payment Gateway | Payment Processors | Acquirers | Merchant Account |
|---|---|---|---|
| The technology that moves money between your business’s bank account (merchant account) and your client’s credit card bank | The bank or entity that processes your payments | The banks or financial institutions that manage your merchant account | Essentially a bank account for your business |
A merchant account is what establishes a business relationship between you and your merchant services provider (e.g., the bank account for your business). With traditional credit card processing services, you cannot take payments until after you apply and are approved for a merchant account. A payment processor is the bank that actually processes the payment request. When customers pay with a credit card, payment gateways connect merchant accounts with payment processors by transferring credit card information between the bank that issued the credit card and the bank account for your business.
Relationship between a payment gateway and a payment switch
The payment switch is part of the payment gateway and is responsible for making sure incoming payment requests (transactions) are directed to the right place. When the gateway receives a payment request, the transaction is routed to the payment switch (this process is called “transaction switching”), then the switch routes the transaction to the correct issuing bank for approval.
How do payment gateways enhance security?
Payment gateways enhance security for consumers and merchants by using a combination of holding periods for transactions to be processed, and security features that protect and encrypt cardholder data.
Holding periods for transactions
Credit card payments are authorized (through the credit card payment gateway) by the issuing bank at the point of sale. An authorized transaction means that the bank has put a hold on the funds but the merchant hasn’t actually received payment.
Customers see this as a “pending” transaction on their credit card statement. At some later point, typically at the end of the day, the merchant must reconcile payments, add in tips (if needed), and manually send a batch capture, or “clearing” file, for all the pending credit card transactions.
At this point the pending transactions are committed, which means the merchant is now entitled to the funds previously put on hold by the issuing bank. The funds are then credited to the merchant’s bank and made available once they post in the merchant account.
Security features and standards
Modern payment gateways have multiple layers of protection to protect sensitive data while transactions are processed.
The most important security measure is encryption, which transforms customer payment data into an unreadable format as it’s shared from the customer to the business and then onto banks. This protects against the loss or theft of sensitive customer data while it’s in flight between payment points.
Beyond basic encryption, payment gateways like Square also come with advanced fraud detection and prevention measures that check for suspicious patterns like two payments taking place in different countries within a few minutes of each other, verify the cardholder’s billing address and validates the Card Verification Value (CVV) – the three- or four-digit security code on the card.
PCI compliance
All merchants who process credit card information must be compliant with Payment Card Industry Data Security Standard (PCI DSS). This is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Having a PCI-compliant payment gateway is only one part of that requirement. Fortunately, if you use Square for payment processing, PCI compliance is easy because we provide all the pieces in your payment workflow and protect cardholder data from the moment it’s recorded at the point of sale to the time we deliver funds to your merchant account.
Types of payment gateways (and how they differ)
There are two main types of payment gateways to consider as a merchant: hosted and self-hosted. Each has its own benefits and drawbacks, depending on your business and the level of customization needed.
Hosted payment gateways
A hosted payment gateway is a secure, third-party service that processes online transactions by redirecting customers to an external payment page. When a customer proceeds to checkout, they are seamlessly directed to the gateway’s secure platform to enter their payment details, such as credit card information. This ensures that sensitive data is handled by the gateway, reducing the merchant’s responsibility for PCI compliance and enhancing security.
Self-hosted and third-party gateways
Self-hosted payment gateways allow merchants to process payments directly on their own website, giving them full control over the checkout experience. Customers enter their payment details on the merchant’s site, and the data is then transmitted securely to the payment processor. While a self-hosted credit card payment gateway offers a seamless user experience, it requires the merchant to handle PCI compliance and ensure robust security measures.
On the other hand, third-party payment gateways redirect customers to an external platform to complete their payment. This offloads the responsibility of securing sensitive data to the gateway provider, simplifying compliance and reducing risk for the merchant.
While hosted payment gateways are popular for their ease of integration, robust security features, and ability to support multiple payment methods, self-hosted gateways offer customization.
Factors to consider when choosing the right payment gateway
Encryption
Payment gateways encrypt data using SSL before sending it through the credit card network to protect the buyer’s sensitive account information. That means the buyer’s credit card information is coded in a way that makes it difficult for fraudsters to access it as the data is shuttled between the different players in the payment chain.
PCI compliance
PCI compliance is a security checklist created by the Payment Card Industry Security Standards Council (PCI SSC) to help reduce fraud. All organizations that process credit and debit card payments, and all merchants that accept card payments, are responsible for their own PCI compliance.
For a variety of reasons, merchants often end up cobbling together a payment processing system from a number of different companies. They might use a payment terminal from one vendor, payment gateways from another, and a point-of-sale system from a third.
While each individual product or service might be PCI compliant, it doesn’t guarantee that the merchant, as the entity accepting card payments, is PCI compliant. That’s because PCI compliance pertains to the entire payment landscape, which includes how merchants process payments, how merchants connect those systems, and how merchants manage their customers’ data.
When comparing payment gateway options, look for a provider that offers an end-to-end payment ecosystem, where all hardware, software, and data handling are PCI compliant by design. This integrated approach, as offered by Square, can greatly reduce the complexity and risk associated with managing compliance across multiple online and offline systems.
Cost
Payment gateway providers are not transparent about their credit card machine prices. Each payment may have different fees associated with it, and it’s not always clear why those fees are (or aren’t) applied to a given transaction.
In addition to a per-transaction percentage, many credit card payment gateway and payment processing providers charge all or some of the following:
- Monthly account fees
- Membership fees
- PCI-compliance fees
- Initial setup fees
- Batch fees
- Refund/chargeback fees
- Higher prices for cards like American Express
Why don’t you need a payment gateway with Square?
You don’t need a payment gateway with Square because Square’s hardware and services create an end-to-end payment processing system: We capture your customers’ payment information at the point of sale (no manual reconciling), work directly with credit card payment gateways to securely route those payments to the right place, and deposit the funds into your bank account in one to two business days.
Square hardware is PCI-DSS certified and end-to-end encrypted. As an end-to-end payment processor, our systems are fully integrated, which means we make PCI compliance easy for you. When you use Square as a payment gateway, using Square hardware, your customers’ card information never touches an independent device. It’s encrypted from the moment you collect the card information, and our systems securely transmit your customers’ payment information through the payment chain and to the acquirer without the need for a separate payment gateway.
Similarly, you don’t need a separate merchant account or a special relationship with a bank. Traditional payment processors require merchants to open their own merchant account (a special bank account that might come with a lot of paperwork and its own fees), but when you use Square as a payment gateway, Square becomes the merchant of record. We take on the responsibility (and fees) for maintaining a merchant account so you don’t have to. All card payments are sent to our shared merchant account, then securely forwarded to your business bank account.
| Solution | The Traditional Payment Gateway Process | Square |
|---|---|---|
| What it costs | Variable: Potentially hundreds of dollars in initial setup fees, merchant account fees, payment gateway fees, and PCI-compliance fees | Account sign-up: free. Payment activation: free. Payment processing: flat transaction fee based on transaction type. |
| What’s included | The ability to process payments on your site after signing up for a merchant account | Secure payment APIs for e-commerce and in-person sales with a built-in payment gateway and merchant account. PCI compliant software, quick account setup in minutes (sign up here). |
Transparent pricing
Even better, a simplified payment flow means simplified pricing based strictly on transaction fees:
- 2.65% for all in-person payments where a customer taps, dips (chip cards), or swipes a credit card.
- 0.75% + 7¢ for all in-person Interac debit transactions.
- 3.4% + 15¢ for in-person payments where the card number is entered manually.
- 2.9% + 30¢ for online payments with the e-commerce API, Square Online, and Square Invoices.
Fast payments
Square merchants typically receive their funds in one to two business days but can get access to their money faster for a fee. We offer four transfer options:
- Standard Transfers: Funds are deposited in your linked bank account within one to two business days. This is the default and is a free service.
- Instant Transfers: For a 1.5% fee, you can transfer funds instantly to a linked debit card, 24/7, including weekends and holidays.
- Manual Transfers: You can choose when to manually transfer your funds from your Square balance to your bank account. These funds will arrive the next business day at no additional cost.
- Custom Close of Day: This free option allows you to set a specific time for your daily sales to be sent as a single transfer at the end of the business day. The funds will arrive in your bank account the next business day.
The future of payment gateways
The payment gateway industry is evolving rapidly, driven by trends that include:
- The rise of omnichannel payments, which enable seamless transactions across online, in-store, and mobile platforms.
- Buy Now, Pay Later (BNPL) options that offer flexible payment plans to attract customers.
Enhanced security measures, such as tokenization and biometric authentication, are becoming standard to combat fraud and build trust in these settings. Additionally, payment processors are increasingly leveraging AI and machine learning to optimize payment processes, detect anomalies, and personalize user experiences. Meanwhile, cryptocurrency payments are becoming more common.
Government-led innovation in Canada
The future of payments in Canada is being shaped by a combination of government regulation, technological innovation, and consumer-driven changes — like the growing adoption of contactless payment methods like QR codes and digital wallets.
The new Retail Payment Activities Act (RPAA) will increase regulation on new payment apps and platforms, ensuring they are held to the same standard as traditional banks, which are highly regulated in Canada. This is aimed at giving consumers greater peace of mind and businesses the confidence to choose from a wider selection of payment gateways and processors.
Payments Canada’s Real-Time Rail (RTR) system will also serve to enable instant, 24/7 payments. The RTR will mean funds from transactions will appear in merchant accounts almost instantly, instead of after a one or two-day waiting period like what happens today.
Payment gateway FAQs
How important is a payment gateway for my business?
A payment gateway is essential for any business that accepts card payments either in-person or online. They securely authorize and process transactions between the customer and your bank.
What is the difference between payment gateways and payment processors?
A payment gateway is a secure tunnel that sends payment information from your website or POS terminal to a payment processor. The payment processor then handles the transaction by communicating with the card networks and your bank.
Is it possible to use multiple payment gateways?
Yes, businesses can use multiple payment gateways to support different payment methods, currencies, or to serve as a backup in case one system fails.
But, with a modern, integrated solution like Square, you don’t actually need a separate payment gateway. Square’s hardware and software are designed as an end-to-end payment processing system. This means that we securely capture and transmit payment information to the appropriate card networks without the need for a separate gateway.
How do I choose the best payment gateway for my business?
The best way to choose a payment gateway is by considering its security features, fees, compatibility with your existing systems, ease of integration, and customer support.
Square makes that decision a lot easier. For security, Square offers end-to-end encryption and PCI compliance, so you can protect your customer’s data across all online and brick-and-mortar transactions. Square’s pricing is also flat rate and transparent, meaning you won’t be hit with surprise fees for things like interchange or chargebacks. You also don’t need to worry about stitching together payment platforms with Square. Its all-in-one system bundles the payment processors, gateway, and merchant account into one platform, making it easy to manage and access anywhere and any time.
Do I need a merchant account for my payment gateway?
Traditionally, businesses did need a merchant account for a payment gateway to function but modern all-in-one solutions like Square bundle the payment gateway, processor, and merchant account into a single service, eliminating the need to set up a separate merchant account.
