In this guide, we explain how payment gateways work, how they relate to PCI compliance, and how you can safely process credit cards with Square without signing up for a separate payment gateway.
Table of Contents
- Five Frequently Asked Questions about Payment Gateways
- Payment gateways: A closer look
- How payment gateways work
- Examples of payment gateways
- Payment gateways and security standards
- Why you don’t need a payment gateway
Payment gateways allow merchants to accept credit card payments by connecting payment processors (the service charging the card) and merchant account providers (the service providing your payment systems). Gateways are payment services — typically provided for an additional fee — that process credit cards online through an e-commerce site or in-person through a credit card terminal.
Five Frequently Asked Questions about Payment Gateways
What’s the difference between a virtual terminal and a payment gateway?
Payment gateways let you accept credit card payments (in person or online) by transferring money between your merchant account and a payment processor.
A virtual terminal — sometimes referred to as a web POS or cloud POS — is software that lets you take payments from any device (e.g., desktop, phone or tablet) running it, which turns the device into a point-of-sale terminal. For example, Square’s virtual terminal is accessible via your Dashboard and capable of accepting payments right away, with no setup or engineering resources required. Virtual terminals are ideal for businesses that don’t need an online store but do need to accept remote payments through phone, mail or fax.
How much do payment gateways cost?
Payment gateway providers are not always transparent about their pricing. Each payment may have different fees associated with it and it’s not always clear why those fees are (or aren’t) applied to a given transaction.
In addition to a per-transaction percentage, many payment gateway and payment processing providers charge all or some of the following:
- monthly account fees
- membership fees
- PCI-compliance fees
- initial setup fees
- batch fees
- refund/chargeback fees
- higher prices for cards that use their own networks such as American Express
What’s the relationship between merchant accounts, payment processors and payment gateways?
Payment Gateway | Payment Processors | Acquirers | Merchant Account |
The technology that moves money between your business’s bank account (merchant account) and your client’s credit card bank | The bank or entity that processes your payments | The banks or financial institutions that manage your merchant account | Essentially a bank account for your business |
A merchant account is what establishes a business relationship between you and your merchant services provider (e.g., the bank account for your business). With traditional credit card processing services, you cannot take payments until after you apply and are approved for a merchant account. A payment processor is the bank that actually processes the payment request. When customers pay with a credit card, payment gateways connect merchant accounts with payment processors by transferring credit card information between the bank that issued the credit card and the bank account for your business.
What’s the difference between a payment gateway and a payment switch?
The payment switch is part of the payment gateway and is responsible for making sure incoming payment requests (transactions) are directed to the right place. When the gateway receives a payment request, the transaction is routed to the payment switch (this process is called “transaction switching”), then the switch routes the transaction to the correct issuing bank for approval.
If I already have a payment gateway provider, do I still need to worry about PCI compliance?
Yes. All merchants who process credit card information must be PCI compliant, and having a PCI-compliant gateway is only one part of that requirement. Fortunately, if you use Square as your payment processing system, PCI compliance is made easy because we provide all the pieces in your payment workflow and protect cardholder data from the moment it’s recorded at the point of sale to the time we deliver funds to your merchant account.
Payment gateways: A closer look
Payment gateways act as conduits, passing credit card transaction information from the merchant to the relevant banks via the appropriate credit card network through one of the following mechanisms:
- credit card terminals in brick-and-mortar stores (think of this as a physical payment gateway)
- payment services and APIs for websites and mobile applications (think of this as a virtual payment gateway)
How payment gateways work
The transaction flow is the same whether you’re using a physical or virtual payment gateway, but mobile and online payments use digital capture files to package the credit card information rather than output from a credit card reader:
1) The buyer makes a credit card payment through the merchant’s credit card reader or e-commerce site
2) The payment gateway:
- pushes the transaction information to the acquiring bank (the merchant bank or acquirer)
- determines which credit card network (Visa, MasterCard or American Express) issued the buyer’s card
- routes the transaction information to the correct payment switch
3) The payment switch routes the request to the bank that issued the buyer’s credit card (the issuing bank) and pushes the transaction information onto the correct credit card network
4) The issuing bank applies fraud detection procedures to determine the legitimacy of the transaction and confirms the buyer has sufficient credit in their account to accommodate the purchase
5) The issuing bank approves (or rejects) the transaction and sends this information back through the credit card network to the merchant bank and the payment gateway
You can think of the payment gateway as a train passing between stations, where the conductor talks with the station master at each stop.
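Step 2 of the flow above, sketched as an added example (not Square's or any gateway's own code): the card number is validated, the network is picked from its leading digits, and only a masked number is ever returned for logging. The switch identifiers are hypothetical, and the sample numbers are publicly documented test cards.

```python
import re

# IIN prefix rules for the three networks the guide names:
# (low, high, prefix_length) ranges plus the valid PAN lengths.
NETWORKS = {
    "Visa": ([(4, 4, 1)], {13, 16, 19}),
    "MasterCard": ([(51, 55, 2), (2221, 2720, 4)], {16}),
    "American Express": ([(34, 34, 2), (37, 37, 2)], {15}),
}

def luhn_valid(pan):
    """Luhn checksum: rejects mistyped numbers before anything is routed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def identify_network(pan):
    for name, (ranges, lengths) in NETWORKS.items():
        if len(pan) in lengths and any(lo <= int(pan[:n]) <= hi for lo, hi, n in ranges):
            return name
    return None

def mask_pan(pan):
    """Show at most the first six and last four digits (the usual PCI DSS display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def route(raw):
    """Gateway step 2: validate, pick the network, name the switch (hypothetical ids)."""
    pan = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"[0-9]{13,19}", pan):
        return {"ok": False, "reason": "malformed"}   # never echo raw input back
    if not luhn_valid(pan):
        return {"ok": False, "reason": "checksum", "pan": mask_pan(pan)}
    network = identify_network(pan)
    if network is None:
        return {"ok": False, "reason": "unsupported network", "pan": mask_pan(pan)}
    switch = "switch:" + network.lower().replace(" ", "-")
    return {"ok": True, "network": network, "switch": switch, "pan": mask_pan(pan)}

# Constructed sample input: publicly documented test card numbers, not real accounts.
SAMPLES = ["4111 1111 1111 1111", "5555-5555-5555-4444", "378282246310005",
           "4111111111111112", "6011111111111117"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(route(s))
```
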
Credit card payments are authorised (through the payment gateway) by the issuing bank at the point of sale. An authorised transaction means that the bank has put a hold on the funds but the merchant hasn’t actually received payment. Customers see this as a “pending” transaction on their credit card statement. At some later point, typically at the end of the day, the merchant must reconcile payments, add in tips (if needed) and manually send a batch capture, or “clearing” file, for all the pending credit card transactions. At this point, the pending transactions are committed, which means the merchant is now entitled to the funds previously put on hold by the issuing bank. The funds are then credited to the merchant’s bank and made available once they post in the merchant account.
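The authorise-then-capture lifecycle described above, as an added example rather than any processor's real code: an authorisation only places a hold, and the end-of-day batch commits each pending transaction exactly once, so re-sending the batch cannot charge a card twice. The class, the single shared credit limit standing in for the issuing bank, and the transaction ids are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass
class Txn:
    amount: Decimal              # held by the issuing bank at authorisation
    tip: Decimal = Decimal("0")
    state: str = "pending"       # stays "pending" until the batch capture commits it

class Merchant:
    def __init__(self, issuer_credit):
        self.issuer_credit = issuer_credit   # constructed stand-in for the issuing bank
        self.txns = {}
        self.settled = Decimal("0")

    def authorise(self, txn_id, amount):
        if txn_id in self.txns:              # a replayed request must not create a second hold
            raise ValueError("duplicate transaction id")
        if amount <= 0 or amount > self.issuer_credit:
            return False                     # issuer rejects: nothing is held
        self.issuer_credit -= amount
        self.txns[txn_id] = Txn(amount)
        return True

    def add_tip(self, txn_id, tip):
        txn = self.txns[txn_id]
        if txn.state != "pending" or tip < 0:
            raise ValueError("tips can only be added to pending transactions")
        txn.tip = tip

    def batch_capture(self):
        """Build the clearing file: every pending transaction, committed once."""
        clearing = []
        for txn_id, txn in self.txns.items():
            if txn.state == "pending":
                txn.state = "captured"
                total = txn.amount + txn.tip
                self.settled += total
                clearing.append((txn_id, total))
        return clearing

def run_day():
    m = Merchant(Decimal("100.00"))
    approved = [m.authorise("t1", Decimal("40.00")), m.authorise("t2", Decimal("70.00"))]
    m.add_tip("t1", Decimal("5.00"))
    first, second = m.batch_capture(), m.batch_capture()
    return approved, first, second, m.settled

if __name__ == "__main__":
    print(run_day())
```
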
Examples of payment gateways
There are numerous payment gateways available to UK businesses, each with its own fee structure, transaction fees and checkout integrations. Let’s take a look at some of the most popular:
Worldpay
Worldpay is a merchant acquirer and one of the UK’s favourite payment gateways, with a reported 77% of its users based in the UK. It offers free transactions up to a limit of £350 - £850 depending on your plan, and its monthly fees range from 0 to £19.95. Furthermore, its transaction fee is 1.3% plus 10-20p depending on the size of the transaction.
It offers a choice of hosted, self-hosted or API-based checkout integrations.
Braintree
Braintree is a self-hosted payment facilitator based in the USA. What makes it appealing to UK businesses is its simple and modest fee structure. Braintree charges no recurring monthly fees and its transaction fees are priced at 1.9%+20p. Unfortunately, Braintree does not offer any free transactions and only offers self-hosted integrations.
Cardstream
A lesser-known independent payment gateway, Cardstream bills itself as ‘a global connector of payments, offering 360° comprehensive solutions’. This includes an end-to-end white label payment gateway with terms that may be appealing to business users with high volumes of low-value transactions.
While its monthly fees are relatively high at £18, users incur no charge for payments up to £350, and payments above this threshold are charged at 9.9p. It also offers a choice of self-hosted or API checkout integration.
Opayo
Previously known as SagePay, Opayo is one of the UK’s best known merchant acquirers, offering payment gateways as well as other payment processing services.
While its monthly fees are fairly high at £32, transaction fees are only 0.9% with no charge for transactions of up to £500 depending on your plan. It also features a choice of hosted, self-hosted or API-based integrations.
Payment gateways and security standards
Companies need to assure their customers that all payments are securely made and compliant with the relevant regulatory bodies. So, how do payment gateways meet the necessary security standards?
Encryption
Gateways typically encrypt data in transit using SSL (or its successor, TLS) before sending it through the credit card network to protect the buyer’s sensitive account information. That means the buyer’s credit card information is coded in a way that makes it difficult for fraudsters to access it as the data is shuttled between the different players in the payment chain.
PCI compliance
PCI compliance means meeting the security checklist set out in the Payment Card Industry Data Security Standard (PCI DSS), which was created to help reduce fraud. All organisations that process credit and debit card payments, and all merchants that accept card payments, are responsible for their own PCI compliance.
For a variety of reasons, merchants often end up cobbling together a payment processing system from a number of different companies. They might use a payment terminal from one vendor, payment gateways from another, and a point-of-sale system from a third.
While each individual product or service might be PCI compliant, it doesn’t guarantee that the merchant, as the entity accepting card payments, is PCI compliant. That’s because PCI compliance pertains to the entire payment landscape, which includes how merchants process payments, how merchants connect those systems and how merchants manage their customers’ data.
To learn more, see our guide to PCI compliance.
Why you don’t need a payment gateway with Square
You don’t need a payment gateway with Square because Square’s hardware and services create an end-to-end payment processing system: We capture your customers’ payment information at the point of sale (no manual reconciling), work directly with credit card payment gateways to securely route those payments to the right place, and deposit the funds into your bank account in one to two business days.
Square software is also PCI compliant. As an end-to-end payment processor, our systems are fully integrated, which means we make PCI compliance easy for you. When you process payments through Square, using Square hardware, your customers’ card information never touches an independent device. It’s encrypted from the moment you collect the card information, and our systems securely transmit your customers’ payment information through the payment chain and to the acquirer without the need for a separate payment gateway.
Similarly, you don’t need a separate merchant account or a special relationship with a bank. Traditional payment processors require merchants to open their own merchant account (a special bank account that might come with a lot of paperwork and its own fees), but when you use Square, Square becomes the merchant of record. We take on the responsibility (and fees) for maintaining a merchant account so you don’t have to. All card payments are sent to our shared merchant account, then securely forwarded to your business bank account.
Solution | The Traditional Payment Gateway Process | Square |
What it costs | Variable: Potentially hundreds of pounds in initial setup fees, merchant account fees, payment gateway fees and PCI-compliance fees | Account sign-up: free. Payment activation: free. Payment processing: flat transaction fee based on transaction type. |
What’s included | The ability to process payments on your site after signing up for a merchant account | Secure payment APIs for e-commerce and in-person sales with a built-in payment gateway and merchant account. PCI compliant software, quick account setup in minutes (sign up here). |
Transparent pricing
Even better, a simplified payment flow means fair and transparent pricing based strictly on transaction fees:
- 1.75% for each tapped contactless or Chip + PIN transaction
- 2.5% for payments manually keyed-in to the Point of Sale App, Square Invoices, and Virtual Terminal
- 1.4% + 25p for transactions with UK cards and 2.5% + 25p for transactions with non-UK cards for our online payment products, including Square eCommerce API, Online Store, Checkout Links and purchases of Digital Gift Cards.
There are no monthly charges and no additional fees. Our rates include everything from PCI-compliance fees to interchange and chargeback fees.
Conclusion
Before you sign up with a payment gateway, be sure to do your homework and find out if there are any hidden fees or costs and make sure you understand how it fits into your existing solutions. For example, if you have an online payment gateway for e-commerce and a physical payment gateway for in-person payments, you want both systems to feed into your POS to simplify bookkeeping. And if your gateway solutions aren’t integrated with the rest of your payment landscape, you want to make sure they maintain PCI compliance or you could be on the hook for some kinds of fraud.
If you’re growing your business, launching a new location or taking credit card payments for the first time, it’s important to have a clear understanding of what different combinations of payment gateways, payment processors and merchant accounts cost before you sign anything.