How Payment Gateways Work: Transaction Flow, APIs, and Settlement Explained

QUICK ANSWER - What Is a Payment Gateway?

A payment gateway is a software layer that captures, encrypts, authenticates, and routes card payment data between a customer, a merchant, and the banking network, returning an authorization or decline in under 2 seconds. It is not a checkout form. It is the entire regulated pipeline that makes digital money movement possible.

A custom payment gateway development cost starts at $8,000–$14,000/month for a 2–3 engineer team at Acquaint Softtech. Typical MVP timeline: 8–14 weeks.

01

Data Capture and Encryption

The gateway captures card credentials, Primary Account Number (PAN), expiry date, and CVV at the point of entry, immediately encrypts them using TLS 1.3, and passes them downstream as an encrypted payload. The raw card number must never be stored. This is not a security recommendation; it is a PCI-DSS requirement.

02

Tokenisation

The raw PAN is replaced with a surrogate token, a randomly generated identifier that maps to the original card number only inside the token vault, which is either hosted by the gateway provider (Stripe, Braintree) or by a dedicated tokenization service with HSM (Hardware Security Module) key management. Tokens can be stored safely. PAN cannot.

03

Authentication (3DS2)

The payer's identity is verified via 3-Domain Secure 2.0 (3DS2), which performs a risk-based challenge: low-risk transactions pass through frictionlessly; higher-risk transactions trigger an additional authentication step (OTP, biometric). Required for all EU/UK transactions under SCA (Strong Customer Authentication) regulations.

04

Routing and Authorization

The encrypted, tokenized transaction is routed to the acquiring bank, which forwards it to the card network (Visa, Mastercard). The card network routes it to the issuing bank (the customer's bank). The issuing bank checks the customer's balance and fraud signals, then returns an authorization code or a decline code. Total round-trip: 800ms–1,500ms.

05

Settlement

Authorization and settlement are different events. Authorization reserves the funds, while settlement actually moves the money from the issuing bank through the card network to the acquiring bank, minus interchange fees. This settlement usually happens in a batch process overnight. For businesses managing these complex payment workflows, it is important to hire a project manager to ensure smooth coordination between banking systems, payment gateways, and reconciliation processes. The merchant then receives the net amount, typically within T+1 to T+3, depending on the card network and the acquiring bank relationship.

Step 1:  Customer Enters Card Details

ACTOR: Merchant frontend / Payment gateway hosted fields

The customer enters card number, expiry, and CVV into either a merchant-hosted form or the gateway's hosted fields (e.g. Stripe Elements). Hosted fields are the preferred approach: card data goes directly to the gateway's servers, never touching the merchant's. This alone reduces the PCI-DSS scope from SAQ D to SAQ A.

Step 2: Tokenization and Encryption

ACTOR: Payment gateway

The gateway immediately tokenizes the PAN and encrypts the entire payload using TLS 1.3. A transaction object is created with a unique idempotency key, a critical detail that prevents duplicate charges if a network timeout causes the merchant to retry the request.

Step 3:  3DS2 Risk Assessment

ACTOR: Payment gateway + issuer ACS (Access Control Server)

The gateway sends transaction attributes, amount, device fingerprint, velocity signals, and shipping address to the issuer's ACS. Low-risk transactions (flagged as frictionless) proceed immediately. Higher-risk transactions trigger a challenge step (SMS OTP, biometric). This step takes 200–600ms.

Step 4:  Authorisation Request to Acquirer

ACTOR: Gateway → Acquiring bank

The gateway forwards the authorisation request to the acquiring bank (the merchant's bank) in ISO 8583 or an equivalent message format. The acquirer validates that the merchant's account is in good standing and forwards the request to the card network.

Step 5:  Card Network Routing

ACTOR: Card network (Visa/Mastercard)

The card network (Visa, Mastercard, Amex, etc.) routes the authorization request to the issuing bank (the customer's bank). The network applies its own fraud checks and routing logic, adding 50–150ms to the total latency.

Step 6:  Issuer Authorisation Decision

ACTOR: Issuing bank

The issuing bank checks: available balance, fraud signals (velocity, geography, merchant category), card status (not blocked/expired), and 3DS verification result. It returns an authorization code (approved) or a decline code. Response codes are standardized: 00 = approved; 05 = do not honour; 51 = insufficient funds; 14 = invalid card number. The merchant receives the specific decline code, not the customer.

Step 7:  Settlement (T+1 to T+3)

ACTOR: Card network + Acquiring bank + Merchant bank

Authorization is not a settlement. Settlement happens in a batch process, typically overnight. The card network calculates net positions across all transactions for the day, the issuing bank transfers funds to the card network, the card network transfers to the acquiring bank, and the acquiring bank deposits the net amount (transaction amount minus interchange fee, gateway fee, and processor markup) into the merchant's account. For businesses scaling complex payment infrastructure, leveraging expert guidance, such as virtual CTO services, can help design efficient settlement workflows and optimize transaction cost management.

API Category

What It Does

Key Parameters

Critical Detail

Payment Intents API

Creates and manages a payment transaction object. Handles the full lifecycle: creation → 3DS challenge → confirmation → capture.

amount (integer, smallest unit), currency, payment_method, confirm, capture_method

Amount must be an integer. $12.50 = 1250 (pence/cents). Never float.

Payment Methods API

Tokenizes and stores card details. Returns a payment method ID that replaces the raw card number for future charges.

card object, billing_details, customer (for saved cards)

Payment method IDs are one-time use unless attached to a customer object for reuse.

Webhooks API

Sends real-time event notifications to the merchant's server. Critical for handling async events: payment succeeded, payment failed, dispute created.

endpoint_url, event_types, signing_secret

All webhooks must be signature-verified (HMAC-SHA256) before processing. Unverified webhooks are a security vulnerability.

Refunds API

Initiates full or partial refunds on completed charges. Refunds are separate transactions; the original charge is not reversed.

charge_id, amount (optional, omit for full refund), reason

Refunds to debit cards typically arrive in 5–10 business days. Credit cards: 5–7 days. Instant refunds require a separate feature flag.

Disputes API

Manages chargeback workflow. Retrieves dispute details, submits evidence, and tracks status.

dispute_id, evidence object (shipping, customer communication, etc.), submission deadline

The evidence submission deadline is typically 7–21 days from dispute creation. Missing the deadline = automatic loss.

Dimension

Integrate (Stripe/Razorpay/Adyen)

Hybrid (PSP + Custom Logic)

Build Custom Gateway

Transaction volume

Any volume, PSPs scale automatically

Medium to high (>$500K/month GMV)

Very high (>$50M/month GMV), where PSP fees are uneconomic

Time to production

2–6 weeks for basic integration

8–16 weeks

6–18+ months

PCI-DSS scope

SAQ A (lowest) with hosted fields

SAQ A if using hosted fields; SAQ D if custom card capture

Level 1, full QSA audit required ($15K–$50K/year)

Monthly cost

PSP fees: 1.4%–2.9% + $0.20–$0.30 per transaction

PSP fees + team cost ($8K–$18K/month)

Full infrastructure + team ($35K–$65K/month)

Fraud control

PSP's fraud engine (Stripe Radar, etc.)

Custom rules on top of PSP signals

Full custom ML model, complete control

Merchant customisation

Limited to PSP's product surface

Moderate, custom orchestration on PSP infrastructure

Complete — any routing logic, any acquiring bank, any currency

Best for

Startups, SaaS products, marketplaces under $10M GMV/year

Growing marketplaces, B2B platforms needing custom flows

Payment service providers are building their own gateway product

Feature

Category

Must Exist at Launch?

If Missing...

Tokenisation (PAN replacement)

Security / PCI-DSS

YES - mandatory

Storing raw card numbers: immediate PCI-DSS violation. $5K–$100K fine per incident.

TLS 1.3 encryption in transit

Security / PCI-DSS

YES - mandatory

All payment data is exposed in transit. PCI-DSS Req 4 violation.

Idempotency keys on all mutations

Data integrity

YES - strongly required

Duplicate charges on network retries. Customer disputes, refund costs, and trust damage.

Webhook signature verification

Security

YES - strongly required

Fraudulent 'payment succeeded' events can trigger order fulfilment without payment.

3DS2 authentication

Compliance (EU/UK/India)

YES for EU/UK transactions

SCA non-compliance. Liability for disputed transactions shifts entirely to the merchant.

Fraud scoring (basic)

Risk

YES - pre-launch required

No fraud control on live transactions. First-week fraud losses can exceed the gateway build cost.

Settlement reconciliation

Finance / Operations

YES - at launch

Manual reconciliation does not scale past ~50 transactions/day. Accounting errors accumulate.

Decline code handling (all codes)

UX / Operations

YES - at launch

Generic 'payment failed' gives users no recovery path. Cart abandonment rate increases significantly.

Multi-currency support

Product

Only if international

Required if accepting payments in multiple currencies — otherwise defer to add currency in sprint 2+

Saved payment methods

UX / Conversion

No - can be Sprint 2

Increases conversion rates by 15%–30%, but not a compliance requirement for the initial launch.

Subscription billing

Product

Only if required

Required for SaaS products; not required for one-time checkout flows.

Instant payouts (to sellers)

Marketplace feature

No - add post-MVP

Required for mature marketplaces; needs additional regulatory setup (disbursement rails).

Layer

Technology

Why for Payments

Alternative

API Layer (transaction processing)

Node.js or Python

Non-blocking I/O handles thousands of concurrent transaction requests without thread overhead. FastAPI adds automatic OpenAPI docs for team velocity.

Go (Gin), marginally faster, steeper learning curve. Java (Spring Boot) is better for core banking, but slower iteration.

Background processing (settlement, notifications)

Python or Node.js

Async task queues handle settlement batch processing, webhook delivery retries, and fraud score batch updates without blocking the transaction API.

Apache Kafka for very high-volume (>1M transactions/day) event streaming.

Primary database (financial ledger)

PostgreSQL

ACID compliance required. Row-level locking for concurrent balance updates. JSON columns for metadata. Native support for financial audit patterns.

MySQL (acceptable). MongoDB (not suitable, no ACID across multi-document transactions for financial data).

Cache and rate limiting

Redis

Session tokens, rate limiting on payment endpoints (prevent card testing attacks), and idempotency key storage (TTL-based deduplication).

Memcached (simpler but lacks TTL precision needed for idempotency deduplication).

Fraud scoring (ML layer)

Python

Real-time feature scoring in <50ms using pre-trained gradient boosting models. Feature store feeds real-time transaction signals.

Stripe Radar (sufficient for most products, only build custom at >$10M GMV/month).

Frontend / Merchant Dashboard

React JS + TypeScript

Component reuse across transaction views, reconciliation dashboards, dispute management. Type safety catches currency handling bugs at compile time.

Vue.js (comparable). Avoid vanilla JS for financial dashboards; type safety is critical.

Mobile payments

React Native

Single codebase for iOS and Android. Biometric payment confirmation (Face ID/fingerprint). Secure enclave integration for card tokenization on the device.

Flutter (comparable cross-platform capability).

Infrastructure

AWS

PCI-DSS compliant managed services. WAF (Web Application Firewall) for API endpoint protection. RDS PostgreSQL with automated failover.

GCP (comparable). On-premise data centre for jurisdictions requiring data localization (India RBI, China regulations).

Key management

AWS KMS or on-premise HSM

Encryption key rotation, HSM-backed storage for cardholder data encryption keys. Required for SAQ D and Level 1 PCI-DSS.

Azure Key Vault. On-premise Thales/nShield HSM for maximum control.

Tier 1 - Stripe/PSP Integration Layer

Integrating Stripe, Razorpay, or Adyen into an existing product. Custom merchant dashboard, reconciliation, webhook handling, and fraud rule configuration. No custom card storage.

Team:   2–3 engineers (1 backend, 1 frontend, 0.5 DevOps)

Monthly Team Cost:   $8,000–$14,000/month (Acquaint Softtech)

Equivalent In-House:   $22,000–$35,000/month

Annual Saving:   $168,000–$252,000 vs in-house

MVP Timeline:   6–10 weeks

PCI-DSS Scope:   SAQ A (self-assessment, ~$0 audit cost)

PSP Fees:   1.4%–2.9% + $0.20–$0.30 per transaction (Stripe UK/EU rates)

Tier 2 - Custom Payment Gateway Layer on PSP Infrastructure

Custom orchestration layer on top of a PSP. Multiple acquiring bank routing, custom fraud rules, split payments, marketplace payouts, white-label checkout.

Team:   4–5 engineers (backend, frontend, fraud ML, DevOps, QA)

Monthly Team Cost:   $18,000–$28,000/month

Equivalent In-House:   $48,000–$65,000/month

Annual Saving:   $360,000–$444,000 vs in-house

MVP Timeline:   12–18 weeks

PCI-DSS Scope:   SAQ A or SAQ C - depends on card data flow

One-Time Costs:   Security pen test: $8K–$20K; Legal review: $5K–$15K

Tier 3 - Full Custom Payment Gateway (PSP Product)

Building a payment gateway product for other merchants. Custom card vaulting, direct acquiring bank connection, multi-currency, full fraud engine, and scheme registration.

Team:   7–10 engineers + project manager + security specialist

Monthly Team Cost:   $35,000–$55,000/month

Equivalent In-House:   $95,000–$150,000/month

Annual Saving:   $720,000–$1,140,000 vs in-house

MVP Timeline:   24–40 weeks

PCI-DSS Scope:   Level 1 - QSA audit required: $15,000–$50,000/year

One-Time Costs:   HSM hardware/cloud: $10K–$30K; Legal/licensing: $20K–$100K+