Skip to content
Gateway Processors

Gateway Processors: A Complete Guide

What Does a Gateway Processor Do?

When first starting out as an ecommerce business, it can be tricky to know exactly what is needed to make the payment process as easy as possible for customers. This is where a gateway processor comes in. 

A gateway processor is a virtual point-of-sale terminal for online payments and transactions. It collects the customer’s payment information, encrypts it for security, and then sends it to the payment processor. The gateway also communicates whether the payment has been approved or declined.

A payment gateway can also integrate with accounting, CRM, and other software programs needed to connect financial payments to. This is essential for streamlining business operations and increasing revenue.

There are three main types of gateway processors: hosted gateways, self-hosted gateways, and API hosted gateways.

Hosted Gateway Processor

A hosted gateway processor isn’t directly hosted by the business. This means when a customer is making a payment, they are redirected to the page of the service provider after they click “Pay Now.” An example of a hosted gateway is PayPal.

Hosted gateway processors are incredibly secure and simple to set up. They are also PCI compliant (discussed later in this article) and they can quickly detect fraud. Integration to a business website is seamless, making the whole process easy.

The main downfall of a hosted gateway is the lack of control a business has over the payment process. Since the transaction takes place on a separate page, the business can’t control the end-to-end interaction with the customer.

Self-Hosted Gateway Processor

A self-hosted gateway allows customers to enter their payment information on the business website, then transfer the information to a third-party gateway for payment confirmation. An example of a self-hosted gateway process is Shopify Payments.

Self-hosted gateway processors allow faster payment processing and full control of the customer experience to the business. However, there is less access to technical support with a self-hosted gateway. This means a business needs to do their own troubleshooting in the case of an error.

API Hosted Gateway Processor

An API hosted gateway processor also has the ability to let customers enter their information on a business website without being routed to a third-party. The business integrates the gateway processor onto their website, eliminating the need to send data and reducing security risks. 

API hosted gateways are customizable, so a business can truly control the customer experience through the whole process on their website. The biggest downfall is having to be completely responsible for security processes, making it a little harder to be PCI compliant.

Woman using mobile smart phone, online payment, banking and online shopping in the night light colorful background to symbolize Gateway Processors

Is a Payment Gateway Necessary?

Unless a business is running with no online store, it is going to need a payment gateway. The payment gateway helps businesses manage risk, prevent fraud, expand accepted payment methods, and process payments securely and safely.

To fully understand the need of a gateway processor, it is important to understand how a payment transaction works.

There are four parts involved in every payment transaction:

  • The customer
  • The merchant (business receiving the money)
  • The card issuer
  • The receiving bank

During the payment process, the issuing bank and the payment gateway work together to verify the transaction and ensure there are enough funds to complete the transaction. The payment gateway will then inform the receiving bank of the release of funds, and the receiving bank will report back to the gateway of the completed transaction, which notifies the customer.

The best part of a payment gateway is it can be used in a brick-and-mortar store as well as online. This means not only online payments are safe and secure, but so are in-store payments.

While it may seem like a gateway processor is just a payment processor, this isn’t the case. A gateway processor works with a payment processor, but they aren’t the same.

Payment Gateway vs. Payment Processor

As already stated, a payment gateway is a virtual point-of-sale system that makes online payment processing more safe and secure. Meaning, a gateway is not itself a payment processor, it just works with one.

A payment processor is a service from a vendor that allows businesses to accept methods of payment other than checks and cash, such as credit and debit cards. 

Payment processors can also help businesses set up a merchant account and provide the necessary equipment for accepting card payments. However, payment processors aren’t just for an in-store business, they are also necessary for online payments.

There are several different online payment processors available, and sometimes a bank even offers the service. When looking for the right payment processor, this article is a great place to start!

The biggest differences between a payment gateway and a payment processor are:

  • Payment gateway is the software used to complete the transaction, while payment processor is the company that facilitates the transaction.
  • Payment gateway communicates with the payment processor, and the payment processor communicates with the bank.
  • Payment gateway is customer-facing, while the payment processor is more behind-the-scenes.
  • Payment gateway is most commonly used with ecommerce businesses, while payment processors are used with ecommerce and in-store businesses.

When looking for a gateway processor and a payment processor, it is important to make sure they are PCI compliant and used in such a manner. 

credit card inserted into a credit card reader. Gateway processing concept

What is Required to Be PCI Compliant?

PCI compliance, or payment card industry compliance, consists of twelve standards of security that businesses need to ensure they follow when accepting, storing, processing, and transmitting card payment data.

While PCI compliance is not a requirement by law, it is essential in gaining and maintaining the trust of customers. This means ensuring all credit card and debit card data is encrypted and backed up to significantly reduce the risk of hackers getting customer information.

Compliance requirements change based on the size of a business and the number of transactions processed each year. However, each business should follow the same twelve ways to protect their customer information.

1. Establish a firewall. This will restrict the traffic that flows through the network of a business. 

2. Change passwords and security settings supplied by vendors. This ensures the only people that have access to the information in the business are those authorized.

3. Protect cardholder data that is stored. This includes having a policy in place for disposing old data, limiting what the business stores, and avoiding storing certain types of information.

4. Encrypt any data transmitted across public networks. For example, businesses shouldn’t send customer account information over email, text, or team messaging software.

5. Use antivirus software that is regularly updated. Businesses should always make sure their antivirus software is up-to-date and actually running properly.

6. Develop and integrate security practices. This could be a practice the business follows, a security software, or both!

7. Keep credit card information on a need-to-know basis. Defining roles in the business and clearly stating who has access to information is an important step in creating these boundaries.

8. Assign different user IDs to each employee. Instead of using one universal login, it is essential each employee has their own login to distribute permissions properly.

9. Restrict physical access to data information. Use cameras in areas that hold physical information to keep track of employees entering and exiting the area.

10. Keep track of employees with access to customer information. Set up and monitor an audit trail with time and date stamps.

11. Test processes and systems on a regular basis. Perform tests for vulnerability and wireless access points quarterly to keep the systems and processes running smoothly.

12. Create and implement a policy on the security of information. Write, publish, and enforce a policy once a year, at least, that explains rules and personal responsibilities.

In order for a business to become PCI compliant, they must meet all of the above listed requirements, complete an assessment showing what the security and processes are, and perform a scan of the full payment processing network. The payment processing network includes both the gateway processor and the payment processor.

Choosing the Right Gateway Processor

When choosing something for a business that is going to be used daily by customers, it is important that the business chooses the best gateway processor for their needs. There are multiple factors that need to be taken into consideration when choosing the right gateway processor.


Cost is essential in all parts of business. It is important to make sure the cost of the gateway processor chosen by a business is within the budget allowed. This includes not only the cost of the processor itself, but the transaction fees, set up fees, and other fees that might be involved. 

For example, most gateway processors will require a fee to be set up by the company selling it. Some gateway processors will charge a fee per transaction, while some may charge a flat monthly fee. Check out all these fees before deciding which is the right path to take.

Card Type Supported

It is important for a business to make sure the gateway processor they choose accepts multiple card types. The most common cards are Visa and Mastercard, but it is important to consider a processor that accepts Discover, Amex, and other cards as well.

Holding Time

While payments are generally approved as soon as a customer places their order, the funds can be held for a few days by the gateway processor before finally ending up in the business account.

It is common for gateway processors to hold funds anywhere between one and seven business days before releasing them. If it is important for a business to have access to funds quickly, check the holding time before purchasing.


The most important thing to check when looking into gateway processors is the security. It is important for the business to make sure the processor is PCI compliant, or easy to make PCI compliant, for maximum safety of customer information.


Businesses should also check that the gateway processor they buy is easily integrated with other software’s, such as accounting or invoicing software’s, that they currently use. 

pink phone coin ball and qr code on plain pink background to represent Gateway Processors


Starting an ecommerce business comes with a lot of new information, especially when trying to do right by the business. One of the most important things to consider when opening an ecommerce business is a gateway processor for payments.

A gateway processor will enhance the security and safety of customer information that is being entered during the payment process. A gateway processor works closely with a payment processor, so it is important to make sure both can be integrated together.

For more information on gateway processors for ecommerce businesses, check out this article!