Payment Gateway Integration: A Comprehensive Guide
Most online businesses – websites, apps, and marketplaces – need to accept electronic payments from customers. To make transactions secure and comply with regulations, businesses use payment gateways – digital tools for authorizing and processing various types of payments.
This article explains how to integrate a payment gateway into your website. We discuss the main types of payment gateways, how to choose the right one for your business, and the process of payment gateway integration.
Let’s get started.
What is a payment gateway?
A payment gateway is a technological tool that allows online businesses to accept and process financial transactions using different payment methods. Payment gateways securely connect the merchant’s website or app with the customer’s bank, which then checks, approves, or rejects an electronic transaction. Essentially, it's an equivalent of a payment terminal used in brick-and-mortar shops.
The operation of a payment gateway is nearly invisible to the customer. In just a few seconds, from the moment the card details are entered to the transaction's approval, the gateway carries out several essential tasks:
- Data encryption. After the customer enters their card data and places the order, the payment gateway encrypts it and converts it to an appropriate message format (ISO 8583 or other). This protects data while it is being transmitted between the person’s device, payment processor’s servers, and financial institutions.
- Fraud detection. Before a payment is processed, payment gateways use fraud-detection algorithms, address verification systems, and card verification value checks to detect and prevent fraudulent transactions.
- Authorization and notification. The payment gateway sends transaction information to the payment processor for authorization. After receiving information about the success or failure of the transaction, it informs the business's app or website about the result.
Payment gateways should be distinguished from payment processors – service providers that handle the backend mechanics of payment transactions.
- A payment processor is responsible for actually moving funds between the accounts.
- A payment gateway only transmits payment information from the app/website to the processor for transaction authorization. It also notifies the merchant about the success/failure of the transaction.
This diagram of a typical payment processing architecture shows that a payment gateway acts as a secure “gateway” for payment information between your website/app and the payment processor/banks.
In practice, you need both a payment gateway and a payment processor for online transactions. Some companies, like PayPal and Stripe, provide both payment gateway and payment processing services. However, you can also use different payment gateway and payment processing providers depending on your needs.
Types of payment gateway integrations
Payment gateway integrations differ in three primary ways:
- The required degree of PCI DSS compliance. PCI DSS is a global security standard for companies that handle credit card data. If your business collects credit card data, you may have to meet 300+ security controls of PCI DSS, including regular validation via vulnerability scanning services and third-party audits. Some types of payment gateways help to avoid the stricter PCI DSS requirements by allowing card data to be sent directly to the payment processor, without the data passing through or being stored on the merchant’s own servers.
- Usability. Some types of payment gateways facilitate a better user experience. For example, they can allow the user to complete the transaction within the app or website instead of redirecting to the payment gateway’s page.
- Complexity and cost of implementation. Simpler types of payment gateways are affordable and can be implemented in several hours. On the other hand, complex custom solutions can require several months of development and implementation.
We will compare payment gateway implementations according to these three key criteria.
Hosted payment page
A hosted payment page simply redirects customers from the merchant’s website to the payment page hosted by the payment gateway.
PCI DSS compliance. With a hosted payment page, merchants don’t have to handle sensitive payment details at all. This places minimal compliance burden on the merchant since sensitive data is handled by the gateway.
User experience. Since the gateway manages the entire payment flow, the merchant does not have many opportunities to customize the payment page. Also, redirection can somewhat disrupt the customer experience and make it less smooth; however, customers may also trust well-known pages like PayPal more.
Ease and cost of implementation. A hosted payment page is the easiest to implement and requires minimal technical work, which makes it an affordable choice for small businesses.
Embedded payment form
An embedded payment form is a secure payment form that is embedded into the merchant’s website but hosted by the payment gateway.
PCI DSS compliance. In this case, sensitive payment data is entered and processed within the gateway’s environment, not the merchant’s. This means that compliance burden is minimal – just like with a hosted payment page. The merchant only needs to ensure basic security (e.g. using HTTPS).
User experience. Because there is no redirection, a payment form provides a smoother user experience compared to the hosted payment page.
Ease and cost of implementation. Compared to a simple hosted page, an embedded payment form takes more time and technical expertise to implement. However, it is still easier than the remaining methods.
Integrated payments (API integration)
This type of payment gateway integration uses the gateway’s APIs to collect and process payments directly within the merchant's app or site. The merchant still uses an external gateway provider, but the data passes through the merchant’s servers before being sent to the payment processor.
PCI DSS compliance. Since the data passes through the merchant’s servers, this method imposes moderate to high compliance requirements. These may include vulnerability scanning by an Approved Scanning Vendor (ASV) and installing a firewall to protect the data.
User experience. This method provides a fully branded and highly customizable user experience.
Ease and cost of implementation. This method requires significant development effort and cost. You will also need to invest in ongoing maintenance and updates.
Custom self-hosted gateway
A custom self-hosted gateway is entirely designed, built, and maintained by the business. Without using external services, the gateway collects, processes, and transmits data to the payment processor or acquiring bank.
PCI DSS compliance. A custom gateway is subject to the strictest PCI DSS requirements for payment gateway integration. This includes but is not limited to role-based access control, vulnerability management programs, intrusion detection systems, firewalls, and regular security audits.
User experience. Full control over the payment flow and backend architecture, and unlimited customization.
Ease and cost of implementation. Very complex and difficult to implement. You need a highly qualified team and months of work to develop a payment gateway from scratch. Aside from high payment gateway development costs, you also have to allocate substantial funds towards maintenance. This makes custom gateways suitable only for businesses that have very specific needs or handle very large transaction volumes (e.g. real estate).
How to choose a payment gateway provider
Choosing a payment gateway provider is an important decision. Here are some of the factors you need to take into consideration.
Supported payment methods and options
Decide which payment methods and options you want to offer to your customers. The most popular payment methods today are card and mobile payments, but it all depends on the nature of your business.
All payment gateway providers support Visa and Mastercard payments, but not all support American Express. The same goes for digital wallets and mobile payments: almost all providers support Apple Pay and Google Pay, but not all support services like Alipay or Klarna.
Also, be particularly attentive if you want to let your customers use local payment methods (e.g. a local bank), or enable them to pay in crypto.
When it comes to payment options, consider if you need support for:
- Recurring billing
- Split payments
- Mass payout
- Payment in installments, etc.
Pricing
Payment gateway providers usually charge in three ways – a percentage of the transaction amount (e.g., 2.9%) plus a flat fee (e.g., $0.30); a monthly fee, or both. International transactions might incur additional cross-border fees. You may also need to pay a setup fee.
Investigate the pricing plans of each provider you consider. While some providers (like Stripe) offer a relatively straightforward flat transaction rate, others (like PayPal) have a more complicated pricing structure, with additional fees for international payments, micropayments, recurring billing, etc.
Countries and currencies
If you plan to operate the business internationally and receive international payments, take a look at which countries and currencies each provider supports. For example, Stripe supports 135 currencies and 46 countries; PayPal supports 202 countries and 25 currencies; and Adyen supports 45 countries and 36 currencies.
Security and reputation
Unless you opt for a custom gateway, your gateway provider will be responsible for a significant share of security measures. Two aspects are of paramount importance here:
PCI compliance. Each payment gateway must be PCI DSS compliant itself. But, on top of that, you should research how much of the compliance burden you will be sharing with the provider. Ideally, the solution should take as much load as possible off your shoulders, within the limits of the implementation type.
Security measures. All major and reputable providers will sufficiently secure your data to prevent breaches. What you need to check is whether the provider complies with regional regulations, such as GDPR and PSD2 if you’re dealing with EU customers.
Customization and mobile experience
Many payment gateway providers offer opportunities to customize the design of the checkout process to match your brand identity and aesthetics. Customizing font, color, spacing, and other design features will help you provide a better experience for your customers.
Also, some gateway providers offer pre-built UI components for mobile apps, with features like one-click digital wallet payment buttons, auto-filling, etc. Using tried-and-tested UI components from a major provider will significantly reduce the load on your design team and speed up the implementation process.
Ease of implementation
Some payment gateway services are more developer-friendly than others. Opting for a developer-friendly service will facilitate quick and smooth implementation and help to provide fast maintenance. Your software developer partner can offer recommendations in this respect. Generally, developers will appreciate a provider that offers:
- Comprehensive and well-documented API with libraries for popular languages (Python, Ruby, JavaScript, PHP, etc.).
- Sandbox environment for testing transactions and workflows.
- Unified API for multiple payment methods.
- Webhooks for real-time handling of responses.
How to integrate a payment gateway: a case study
After you have chosen your provider and consulted with your software development team, you can start the payment gateway implementation process. Depending on the provider and the type of solution, the specific process will vary.
Apiko has integrated payment gateways for multiple clients. For Syntho, an electronic music production education platform, we integrated Stripe Payment Element to manage recurring subscription payments.
Originally, we opted for Stripe, since it allows the client to use a large number of payment methods and provides a wide selection of tools for implementation.
However, in Syntho, until spring 2024, the user could only pay for the services by card. In addition, the architecture of the existing solution had several disadvantages:
- All sensitive data about the user's card passed through the application and was stored there, which created security risks.
- If additional confirmation was required through the bank's app to charge the funds, or there were insufficient funds on the account, the payment was treated as failed and closed. This resulted in lost customers.
- If the user added a new card, its data had to be saved in the application again. This created issues with the user experience.
Apiko was originally asked to switch to a new payment architecture because PayPal integration was needed. Alongside PayPal, Syntho also requested Apple Pay and Google Pay integration.
To avoid security issues, Apiko integrated Stripe’s customizable Payment Element, which stores all data on Stripe’s servers. You can find the detailed guide on the implementation of this solution here.
The successful implementation of the Payment Element led to significant benefits for Syntho:
- Card data no longer passes through the application and is not stored in the database. This means that Syntho is not responsible for PCI DSS compliance anymore.
- If there are not enough funds on the card or additional confirmation is required, the solution waits 12 hours for confirmation or for the funds to arrive. This leads to fewer payment issues and fewer lost customers.
- Since the data is stored exclusively in Stripe, Syntho pays lower fees when using Stripe.
- When charging the user's account, Stripe sends a webhook to the backend and retries it if delivery fails. This ensures that the transaction is completed and the user is provided with the app's services, even if the user’s internet connection is unstable.
Overall, the integration was completely successful and allowed Syntho to simplify compliance and deliver an improved user experience.
Conclusion
Payment gateways are an essential and useful tool for guaranteeing safety and security of online transactions. Depending on the type of gateway, payment gateway integration can be a process that lasts a single day or several months.
At Apiko, we have provided payment integration services of different levels of complexity to web and mobile businesses. If you’re not yet sure which gateway provider or type of payment gateway will suit your business needs, don’t hesitate to reach out! As an independent software engineering services provider, we focus exclusively on our customers’ needs and preferences.