Every time a customer taps a card or clicks Pay, an invisible piece of technology decides whether the sale goes through. That technology is the payment gateway. It captures the customer’s card details at checkout and sends them to the processor for authorization.
Choose the wrong one and a business loses sales to false declines, fraud, and fees that quietly eat into margins.
Below, we break down how payment gateways work, the different types, what they cost in 2026, how they compare to processors and merchant accounts, and how to pick the right one for your business.
Key Takeaways:
- A payment gateway captures and encrypts a customer’s card data at checkout and sends it to the processor for authorization.
- The gateway, the processor, and the merchant account are three different things, and most modern providers like Stripe and Square bundle all three into one product.
- Five main types of gateways exist: hosted, integrated (API), self-hosted, platform-built, and mobile or in-app, each with different tradeoffs in setup, cost, and control.
- Pricing comes in two models: flat rate (around 2.6% to 2.9% plus a fixed fee) and interchange-plus, which gets cheaper at higher volumes.
- The right gateway depends on three things: where the business sells, monthly transaction volume, and the tech stack already in place.
What Is a Payment Gateway?
A payment gateway is the technology that securely captures a customer’s payment details at checkout, encrypts them, and sends them to the payment processor for authorization. It allows a business to accept credit cards, debit cards, and digital wallets online, in a mobile app, or with a card reader in a store.
Think of it as the virtual version of a card terminal. In a physical store, a card reader collects the card data and passes it to the processor. Online, the payment gateway does the same job. It sits between the checkout page and the payment processor, and its only role is to securely transmit payment data.
A payment gateway does not move money. It only carries information. The actual transfer of funds happens through the payment processor and the banks behind it. This distinction matters because most small business owners confuse the two, and the wrong choice on either side can cost real money in fees and failed transactions.
Every business that accepts card payments needs a payment gateway. That includes ecommerce stores, mobile apps, in-person retailers, restaurants, subscription services, and any business that takes payments by phone or invoice.
How Does a Payment Gateway Work?
A payment gateway moves payment data through five to six steps that make up the credit card processing flow, from the moment a customer clicks “pay” to the moment money lands in the merchant’s account. Authorization happens in two or three seconds. Settlement takes one to three business days.
Step 1: Capture the Payment Information
The customer enters their card number, expiration date, and CVV into the checkout form. The gateway collects this data through a secure form field or hosted page. Modern gateways use iframes or tokenized fields so that the raw card data never touches the merchant’s servers. This reduces the merchant’s PCI compliance burden.
Step 2: Encrypt and Tokenize the Data
The gateway encrypts the card data using TLS, the same protocol that protects banking websites. Many gateways also replace the real card number with a token, a randomly generated string that has no value if stolen. Network tokenization, now supported by Visa, Mastercard, and Amex, has become a standard feature in 2026 because it cuts fraud rates and improves approval rates.
Step 3: Transmit the Data to the Processor
Encrypted or tokenized data leaves the merchant’s site and is sent to the payment processor via the gateway’s servers. The processor is the company that actually communicates with the card networks. Some platforms, such as Stripe and Square, combine the gateway and processor into one service. The two functions remain distinct even when bundled.
Learn more about how credit card processing works and save your business money with this free eGuide.
Step 4: Request Authorization from the Issuing Bank
The processor sends the transaction details through the card network to the customer’s bank, called the issuing bank. The issuing bank checks three things: whether the card is valid, whether the customer has enough funds or credit, and whether the transaction looks fraudulent. It then returns an approval or decline code.
Step 5: Return the Response to the Merchant
The decision travels back through the same chain: issuing bank, card network, processor, gateway, and merchant. If approved, the checkout page confirms the order. If declined, the customer is prompted to try another card or payment method.
Step 6: Settle the Funds
Authorization is not the same as payment. The merchant’s bank, called the acquiring bank, requests the approved amount from the issuing bank in a daily batch. The card networks transfer the funds, and the acquiring bank deposits the net amount into the merchant’s account within 1 to 3 business days. Fees from the processor, gateway, and card networks come out before the merchant sees the deposit.
The Short Version
A payment gateway encrypts a customer’s card data, sends it to the processor for approval from the customer’s bank, and helps settle the funds into the merchant’s account a day or two later.
Payment Gateway vs. Payment Processor vs. Merchant Account
Most articles treat the gateway and the processor as two things. There are actually three: the gateway, the processor, and the merchant account. Confusing them is the most common mistake small business owners make when they sign up for payment services.
What a Payment Gateway Does
The gateway captures and encrypts the customer’s card data, then transmits it to the processor. It is the digital equivalent of a card reader. It does not approve transactions or move money.
What a Payment Processor Does
The processor is the company that takes the gateway’s encrypted data and routes it through the card networks (Visa, Mastercard, Amex, Discover) to the customer’s bank for approval. It also handles the actual fund transfer after authorization and manages chargebacks, refunds, and fraud screening. Examples of payment processors include Stripe, Worldpay, TSYS, and Fiserv.
Payment processors giving you trouble?
We won’t. KORONA POS is not a payment processor. That means we’ll always find the best payment provider for your business’s needs.
What a Merchant Account Is
A merchant account is a special business bank account that holds funds from card transactions before the money settles into the merchant’s regular operating account. Without one, a business cannot accept card payments. Traditional merchant accounts are issued by acquiring banks like Wells Fargo Merchant Services, Chase Payment Solutions, and Bank of America Merchant Services.
Quick Comparison
| Component | What It Does | Who Provides It | How It Charges |
|---|---|---|---|
| Payment Gateway | Captures and encrypts card data, then sends it to the processor | Stripe, Authorize.net, Braintree, NMI | A fee per transaction, sometimes a small monthly fee |
| Payment Processor | Routes the transaction, gets approval, and moves the money | Stripe, Worldpay, TSYS, Fiserv, Helcim, and others | A percentage plus a fixed fee per transaction |
| Merchant Account | Holds card funds before they reach your business bank account | Acquiring banks or payment facilitators like Stripe and Square | Monthly account fees, or none with a facilitator |
Why Most Small Businesses Get All Three Bundled
Stripe, Square, and PayPal are not just gateways. They are payment facilitators, which means they bundle the gateway, the processor, and the merchant account into one product. The business signs up once and gets all three services under a single contract.
This is why most modern small businesses never think about whether they have a merchant account. They use Stripe or Square, and the merchant account is provided behind the scenes through the facilitator’s master account.
The tradeoff is cost and control. Facilitators are easy to set up but charge flat rates that get expensive at higher volumes. A traditional merchant account paired with an interchange-plus processor usually costs less once a business processes more than $25,000 to $50,000 per month, but it takes longer to set up and requires underwriting.
For a deeper look, see our full guide on payment gateway vs. payment processor.
Types of Payment Gateways
Not all payment gateways work the same way. The biggest differences come down to where the customer enters their card data, how much control the merchant keeps over the checkout, and how much PCI compliance the merchant has to handle. There are five main types in use today.
Hosted Gateway (Redirect)
A hosted gateway redirects the customer from the merchant’s checkout to the gateway provider’s payment page. The customer enters their card details on the provider’s site, not the merchant’s. After payment, the customer is sent back to the merchant.
This is the easiest type to set up and the safest from a compliance standpoint, because the card data never touches the merchant’s servers. The downside is that the redirect breaks the checkout flow and can hurt conversion rates.
Best for: small businesses and merchants who want the smallest PCI scope. Examples: PayPal Standard, Stripe Checkout.
Integrated or API-Based Gateway (Direct)
An integrated gateway connects directly to the merchant’s website through an API. The customer enters their card data on the merchant’s checkout page, but the gateway’s secure fields (usually iframes) capture it and send it directly to the gateway’s servers. The raw card data never touches the merchant’s backend.
The checkout experience stays on the merchant’s domain, which protects the brand and improves conversion rates. The tradeoff is more development work and a heavier compliance burden than hosted gateways.
Best for: ecommerce stores with developers, SaaS companies, and any merchant who wants full control over the checkout. Examples: Stripe Elements, Braintree, Adyen.
Self-Hosted Gateway (On-Site)
A self-hosted gateway is fully built and maintained by the merchant. Card data is collected on the merchant’s site and processed on the merchant’s own servers before it reaches the card network. This option gives the most control, but it also puts the full PCI DSS Level 1 compliance burden on the merchant.
Best for: large enterprises with dedicated security and engineering teams. Examples: large banks, airlines, and Fortune 500 retailers.
Platform-Built Gateway
A platform-built gateway is bundled directly into an ecommerce or POS platform. The merchant turns it on in their dashboard and starts taking payments without any separate signup or integration.
The setup is the fastest of any option, but the merchant is locked into the platform’s pricing and cannot negotiate rates. Examples: Shopify Payments, Square Online, BigCommerce Payments.
Best for: small and growing merchants who already use the host platform and want one less vendor.
Mobile and In-App Gateway
A mobile gateway is built for in-app purchases, mobile payments, and tap-to-pay transactions. It supports Apple Pay, Google Pay, and SDK integrations inside mobile apps. Tokenization is built in by default.
Best for: businesses whose customers pay primarily through mobile apps, rideshare and delivery platforms, and any merchant focused on mobile commerce. Examples: Braintree SDK, Stripe Mobile SDK, Apple Pay, Google Pay.
Side-by-Side Comparison
| Type | Setup Effort | Checkout UX | PCI Burden | Customization | Best For |
|---|---|---|---|---|---|
| Hosted | Very low | Redirect breaks flow | Lowest | Low | Small businesses |
| Integrated (API) | Medium | Stays on merchant site | Medium | High | Stores with developers |
| Self-Hosted | Very high | Stays on merchant site | Highest | Total | Enterprises only |
| Platform-Built | Lowest | Stays on merchant site | Lowest | Limited | Shopify and Square users |
| Mobile / In-App | Medium | Inside the app | Low – Medium | Medium | Apps and mobile wallets |
Key Features to Look For in a Payment Gateway
The right gateway depends on what a business sells and where it sells it, but several features have become essential in 2026. These are the ones that affect security, approval rates, and total cost.
PCI DSS 4.0 Compliance
Every gateway must be PCI DSS compliant, but the standard updated to version 4.0 in 2024, with full enforcement starting in 2025. Version 4.0 requires stronger authentication, continuous monitoring, and more frequent vulnerability testing. Confirm that the provider is certified to PCI DSS 4.0, not just “PCI compliant” in general.
Network Tokenization
Network tokens are issued by the card networks (Visa Token Service, Mastercard MDES, American Express Token Service) and replace the real card number with a permanent token tied to the cardholder. They improve approval rates by 2 to 5 percent, lower fraud, and stay valid even when the underlying card is replaced. Any gateway used for recurring or subscription payments should support them.
3D Secure 2.x Support
3D Secure 2 (3DS2) shifts fraud liability from the merchant to the issuing bank when the bank approves a transaction. Unlike the older 3DS1, the 2.x version runs in the background most of the time and only prompts the customer for verification when a transaction looks risky. This protects revenue without breaking conversion.
AI Fraud Scoring
Modern gateways use machine learning models that score each transaction against hundreds of variables in milliseconds. Stripe Radar, Adyen RevenueProtect, and PayPal Fraud Protection are examples. A gateway without a smart fraud engine in 2026 is a serious liability.
Multi-Currency and Local Payment Methods
A gateway that supports multiple currencies and local payment methods (iDEAL, SEPA, Bancontact, Alipay, Pix) opens up international sales without forcing the customer through a foreign card conversion. For any merchant selling outside their home country, this is critical.
Recurring Billing and Subscription Support
Subscription businesses need a gateway with built-in recurring billing, smart retry logic for failed payments, and support for account updater services. Without these, churn from involuntary payment failure can hit 5 to 10 percent of monthly revenue.
Settlement Speed
Standard settlement is one to three business days. Some gateways offer next-business-day or even instant settlement via faster payment rails like FedNow and RTP. Faster settlement protects cash flow, especially for small businesses with thin margins.
How Much Does a Payment Gateway Cost?
Payment gateway pricing falls into two main models: flat-rate and interchange-plus. Most small businesses pay between 2.6% and 2.9% plus a fixed fee of $0.10 to $0.30 per transaction, with additional monthly or hidden fees depending on the provider.
Flat-Rate Pricing
Flat-rate providers charge the same percentage on every transaction, regardless of card type. Stripe, Square, and PayPal use this model. It is predictable and easy to understand, but it becomes the most expensive option once monthly volume crosses roughly $25,000.
Interchange-Plus Pricing
Interchange-plus separates the actual cost charged by Visa or Mastercard (the interchange fee) from the processor’s markup. The merchant pays interchange plus a fixed margin, such as 0.4% plus $0.10. This model is transparent and almost always cheaper at higher volumes. Helcim, Stax, and Adyen use it.
Typical Fee Ranges (2026)
| Provider | Online Rate | In-Person Rate | Monthly Fee |
|---|---|---|---|
| Stripe | 2.9% + $0.30 | 2.7% + $0.05 | $0 |
| PayPal | 2.99% + $0.49 Card payments | 2.29% + $0.09 | $0 |
| Square |
Free Plan
3.3% + $0.30
Plus Plan
2.9% + $0.30
|
2.6% + $0.10 | $0 – $149 By plan tier |
| Authorize.net | 2.9% + $0.30 | 2.9% + $0.30 | $25 |
| Adyen | Interchange + 0.6% + $0.13 | Interchange + 0.6% + $0.13 | $0 Volume minimums apply |
| Helcim | Interchange + 0.5% + $0.25 | Interchange + 0.4% + $0.08 | $0 |
Pricing as of early 2026. Confirm current rates directly with each provider before signing.
Hidden Costs to Watch For
Headline rates rarely tell the whole story. The common extra fees include:
- Chargeback fees of $15 to $25 per dispute
- PCI compliance fees of $5 to $15 per month with some processors
- International or currency conversion fees of 1% to 2% above the base rate
- Monthly gateway access fees
- Statement and batch fees
- Early termination fees on annual contracts
A “low” 2.6% headline rate can land at an effective 3.2% once these are added.
Popular Payment Gateways
Several gateways consistently rank as the most used options. Each has a different sweet spot.
Stripe
Stripe is the developer-first gateway, built around a flexible API that handles cards, subscriptions, marketplaces, and international payments in over 135 currencies. It powers most SaaS billing and ecommerce on platforms like Shopify, WooCommerce, and Squarespace.
Best for: ecommerce stores, SaaS companies, and any business with a technical team.
PayPal
PayPal is the gateway with the broadest consumer recognition. Over 400 million active accounts give it a checkout trust advantage that few competitors can match. The fee structure is less transparent than Stripe’s, and rates can be higher for certain transaction types.
Best for: small ecommerce stores, freelancers, and businesses where customer trust at checkout matters more than fee optimization.
Square
Square is built around in-person retail and small business simplicity. It offers free POS software, a free card reader, no monthly fee on the basic plan, and deposits in one business day. Flat-rate pricing becomes costly above about $20,000 in monthly volume.
Best for: brick and mortar retail, food service, and businesses that need both in-person and online payments.
Authorize.net
A gateway owned by Visa, founded in 1996, and trusted by over 430,000 merchants. It works with most US merchant accounts and supports recurring billing, e-checks, and advanced fraud detection.
Best for: established US businesses with a merchant account who want a stable, mature gateway.
Adyen
Adyen is the enterprise option, with unified commerce across online, in-store, and mobile channels. It supports over 250 payment methods and is used by Uber, Spotify, and Microsoft. Pricing is interchange-plus with volume minimums.
Best for: merchants with high transaction volume, global brands, and businesses that need one gateway across all channels.
Helcim
Helcim is the transparency choice. It uses interchange-plus pricing with no monthly fee, no contract, and tiered volume discounts that reduce the markup as a business grows.
Best for: merchants processing more than $5,000 per month who want full pricing transparency.
How to Choose the Right Payment Gateway
The right payment gateway depends on three things: where the business sells, the monthly transaction volume, and the technology stack already in place. The answers determine the gateway type, pricing model, and the shortlist of providers to consider.
Where Do You Sell?
- Online only: A hosted or integrated gateway like Stripe, PayPal, or Authorize.net is the default.
- In-person only: A POS platform that includes a gateway (Square, Clover, KORONA POS with a chosen processor) gives the cleanest setup.
- Both online and in-person: Choose a gateway that handles both in one dashboard, such as Square, Stripe, or Adyen.
- Global: Adyen, Stripe, or Airwallex for multi-currency and local payment methods.
What Is Your Monthly Volume?
- Under $25,000 per month: Flat rate pricing (Stripe, Square, PayPal) is simpler. The small extra cost is not worth the setup complexity of an interchange-plus plan.
- $25,000 to $250,000: Interchange-plus starts to pay off. Helcim or a traditional merchant account, paired with a separate gateway, becomes worth the work.
- Above $250,000: Enterprise gateways like Adyen, with custom-negotiated rates and dedicated support.
What Is Your Tech Stack?
If a business already runs on Shopify, WooCommerce, or BigCommerce, the platform’s native gateway is the fastest option. It saves integration time, and the rates are usually competitive. If the business has developers and wants control over the checkout, Stripe Elements or Braintree gives the most flexibility without the full PCI burden of building a gateway from scratch.
Common Payment Gateway Problems
Even the best gateways have weak points. Knowing them in advance helps a merchant choose providers that handle the worst risks.
Security Breaches and Fraud
Online card fraud continues to climb, and the gateway is the layer most exposed to it. Before signing with a provider, confirm it uses end-to-end encryption (E2EE), point-to-point encryption (P2PE) for in-person terminals, address verification (AVS), card verification value (CVV) checks, and an active machine learning fraud engine. A gateway that does not name these on its security page is not worth using.
False Declines
Legitimate transactions are wrongly declined more often than actual fraud is caught. False declines cost US merchants an estimated $443 billion in lost revenue in 2021, according to LexisNexis Risk Solutions. Network tokenization and 3DS2 are the strongest tools to bring the rate down.
International Payment Friction
Cross-border transactions have higher decline rates, higher fees, and slower settlement. Many gateways force a currency conversion at rates that include a markup, which can cost 1% to 2% on every international sale. Adyen, Stripe, and Airwallex handle this better than providers limited to the US.
Chargebacks
A single chargeback usually costs $15 to $25 in fees, plus the lost product, plus the original transaction fee. Visa and Mastercard penalize merchants with chargeback ratios above roughly 1 percent. Choose a gateway with built-in dispute management.
Processor Lock-In
Many POS systems force the merchant to use a specific payment processor at fixed rates, often locked in by early termination fees in the contract. If rates rise or service fails, the only option is to replace the entire POS. POS platforms that work with any processor avoid this trap.
KORONA POS and Payment Gateway Flexibility
Processor lock-in is exactly what KORONA POS is built to avoid. The system works with any major processor (TSYS, Worldpay, EVO, First Data, and more), which means a merchant can negotiate rates independently and switch processors without changing the POS.
That gives the merchant real leverage on fees and removes the risk of being trapped when a processor raises rates.
Start a free trial or schedule a demo to see how it works.
Speak with a product specialist and learn how KORONA POS can power your business.
Frequently Asked Questions
Is a payment gateway the same as a payment processor?
No. The gateway captures and encrypts the card data and sends it to the processor. The processor routes the data through the card networks and banks to approve the transaction and move the funds. Some companies, like Stripe and Square, perform both functions.
Do I need a payment gateway for in-person sales?
Yes. Modern card readers and POS terminals use a gateway behind the scenes to encrypt and transmit card data. The merchant does not see it, but every chip, tap, and swipe transaction passes through one.
Is Stripe a payment gateway or a processor?
Stripe is both. It functions as a payment gateway, a payment processor, and a payment facilitator, which is why most small businesses can use Stripe as a single solution without setting up a separate merchant account.
Is PayPal a payment gateway?
PayPal is a payment gateway and a payment facilitator. It provides the gateway, the processor, and the merchant account in one bundled service. It also operates as a digital wallet, which is a separate product.
What is the safest payment gateway?
There is no single safest gateway. The safest providers are PCI DSS 4.0 certified, support network tokenization, run 3D Secure 2 by default, and offer machine learning fraud scoring. Stripe, Adyen, and Braintree consistently meet all four standards.
Do payment gateways work internationally?
Yes, but with significant differences. Adyen, Stripe, and Airwallex support over 100 countries and local payment methods like iDEAL, Pix, and Alipay. Gateways focused on the US, like Authorize.net, work best for domestic transactions and charge higher fees for international cards.
How do payment gateways make money?
Gateways earn revenue through transaction fees (usually $0.05 to $0.30 per transaction), monthly access fees ($0 to $25), and, sometimes, a percentage of the transaction value. Bundled providers like Stripe combine the gateway fee with their processor fee into a single rate.
Can I switch payment gateways without losing customer data?
Yes, but with care. Saved card information cannot be transferred without a formal data migration agreed to by both gateways and approved by the card networks. Stripe, Braintree, and Adyen all offer assisted card data migration.
