What Exactly Are Payment Gateways & How Do They Work?

March 18, 2026

Catrin Gillespie

Head of the DACH Business Unit

A payment gateway is the technology that moves money from a customer’s card to a merchant’s account in the seconds between clicking “pay” and receiving an order confirmation. For UK and EEA businesses, getting that process right means more than picking a reputable provider: it means working with infrastructure built to meet PSD2 requirements, Strong Customer Authentication mandates, and FCA oversight standards that US-focused guides routinely ignore.

This guide explains exactly how payment gateways work, what separates a gateway from a processor, how to evaluate your options as a UK or EEA merchant, and what to look for when your business operates in a specialised industry.

How a payment gateway processes a transaction step by step

When a customer clicks “pay,” the following happens in sequence:

  1. Collection. The gateway encrypts the customer’s card details immediately using TLS protocols and tokenises them, replacing raw card data with a unique reference string the merchant never sees.
  2. Authentication. The transaction passes through Strong Customer Authentication (SCA), mandatory under PSD2 for UK and EEA merchants. In practice, this triggers a 3D Secure V2 challenge via the customer’s bank.
  3. Authorisation. The gateway forwards an authorisation request through the payment processor to the relevant card network and on to the customer’s issuing bank, which checks card validity, available funds, and fraud flags before returning an approval or decline.
  4. Settlement. Approval holds the funds but does not move them. Settlement runs separately, usually once per business day, with funds reaching the merchant’s acquiring bank within one to three business days.
  5. Reconciliation. The gateway retains a full transaction record for reconciliation. For merchants running subscriptions, the tokenised card reference stored at Step 1 enables future charges without the customer re-entering their details.

Types of payment gateways

Payment gateways come in several configurations. The right choice depends on your technical resources, how much control you want over the checkout experience, and the compliance obligations that apply to your industry.

  • Hosted. The customer is redirected to a third-party payment page, then returned to your site once payment is confirmed. The provider’s servers handle all card data, significantly reducing your PCI DSS compliance burden. The trade-off is limited control over checkout branding and flow.
  • Self-hosted. The payment page lives on your own domain, giving you full control over the customer experience. Your servers handle cardholder data directly, which brings a heavier PCI DSS compliance obligation and requires dedicated technical resource to manage it properly.
  • Integrated. Payment processing is embedded directly into your site via a pre-built plugin or module. The customer never leaves your site, but card data is transmitted to the provider’s servers rather than your own. Well-supported by WooCommerce and PrestaShop.
  • API. Merchants get direct programmatic access to the payment infrastructure, enabling fully customised checkout flows. The most flexible option, but also the most technically demanding. Suited to merchants with in-house development capability.
  • Mobile. Optimised for transactions on smartphones and tablets, with native support for Apple Pay and Google Pay. Reduces checkout friction for merchants with a predominantly mobile customer base, and supports the SCA-compliant authentication flows that card schemes require.

Payment gateways vs. payment processors

The two terms are often used interchangeably, but they describe distinct functions in the transaction chain.

Payment gateway:

  • The front-end layer that captures, encrypts, and authenticates payment data at checkout.
  • Communicates with the payment processor once authentication is complete.
  • What the customer interacts with, directly or indirectly, at the point of payment.

Payment processor:

  • The back-end layer that routes authorisation requests between card networks and issuing banks.
  • Handles settlement, fund movement, and chargeback management.
  • Invisible to the customer; operates entirely behind the scenes.

In practice, the distinction matters most when you are evaluating how to structure your payment stack. Some merchants source a gateway and a processor separately, integrating them via API. This approach offers flexibility but adds integration complexity and splits accountability when something goes wrong.

How to choose a payment gateway for your UK or EEA business

Not every payment gateway is built for the UK and EEA market. Many providers are architected for US merchants and retrofitted for European compliance, which creates gaps that only become visible after onboarding. Evaluating providers against these five criteria before committing will surface those gaps early.

Regulatory status

Check whether the provider holds a valid Payment Institution authorisation from the FCA (for UK operations) or an equivalent national competent authority within the EEA. This is verifiable directly on the FCA register. An authorised provider operates under defined capital adequacy, client money safeguarding, and conduct requirements. One that does not is carrying regulatory risk that transfers to you.

Geographic coverage

Confirm whether the provider offers local acquiring in the EEA countries where you actually process volume. Routing all transactions through a single UK acquirer increases cross-border decline rates and adds currency conversion costs. Local acquiring in your key markets meaningfully improves approval rates.

Payment method support

UK and EEA customers expect card payments, Apple Pay, Google Pay, and increasingly open banking payment options. Confirm which methods are natively supported rather than bolted on through third-party integrations, and verify that the gateway handles SCA-compliant authentication flows for all of them.

Security standards

The provider should hold PCI DSS Level 1 certification and support 3D Secure V2 for SCA compliance. These are not differentiators; they are baseline requirements for operating in the UK and EEA. Any provider that cannot confirm both should be disqualified.

Settlement timing

Understand exactly when settled funds reach your account and under what conditions reserves or holds apply. Settlement timing affects cash flow directly, and reserve arrangements that are not disclosed upfront are one of the most common sources of friction between merchants and their payment providers.


How can Fibonatix help my e-commerce business?

Fibonatix specialises in providing tailored payment solutions for e-commerce businesses of all sizes, including SMBs, cannabis businesses, micro-merchants, and property trading companies. Ready to streamline your e-commerce payment process and enhance your customer experience? Contact Fibonatix today to learn more about our customised payment solutions and how we can help grow your business.

Disclaimer: Fibonatix is a UK-based, FCA-regulated payment service provider (FRN 768776) specialising in merchant accounts for B2C businesses globally, but B2B exclusively to the UK and EEA. Verify our regulatory status on the FCA Financial Services Register.

FAQs

How does a payment gateway process a transaction?

A payment gateway captures and encrypts a customer’s card details at checkout, authenticates the transaction through 3D Secure V2, and forwards an authorisation request to the customer’s issuing bank via the payment processor and card network. The bank approves or declines the transaction in under two seconds. Approved funds are held and then settled into the merchant’s account, typically within one to three business days.

What is the difference between a payment gateway and a payment processor?

A payment gateway handles the front-end: capturing, encrypting, and authenticating payment data at checkout. A payment processor handles the back-end: routing authorisation requests between card networks and issuing banks, and managing settlement. Many payment service providers bundle both functions, which simplifies integration and consolidates support into a single relationship.

How do payment gateways work for CBD or restricted industries?

The technical process is identical to any other e-commerce transaction. The difference lies in underwriting: card schemes and acquiring banks apply stricter eligibility criteria to certain industry categories, which means not every gateway provider will accept applications from these merchants. Those that do typically conduct more thorough due diligence during onboarding and may apply different pricing structures.

What is Strong Customer Authentication and how does it affect payment gateways?

Strong Customer Authentication (SCA) is a requirement under PSD2, enforced across the UK and EEA, that obliges merchants to verify a customer’s identity using at least two independent factors before completing a transaction. In practice, this is handled through 3D Secure V2, which your payment gateway triggers automatically during the authentication step. Transactions that bypass SCA where it is required risk being declined by the issuing bank. Certain exemptions apply, including low-value transactions and merchant-initiated payments such as subscription renewals.
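As an added illustration (not Fibonatix's code, nor any real gateway's API), the following Python model walks through the five-step flow described earlier on this page and the SCA exemptions named in this FAQ: the merchant only ever holds a token, an authorisation creates a hold without moving money, and settlement is a separate batch. The low-value threshold and the always-declining test card are assumed placeholders, not figures from the article.

```python
import secrets
from dataclasses import dataclass, field

# Assumed placeholder for the low-value exemption; the article names the
# exemption but gives no figure, so treat this as a configurable parameter.
LOW_VALUE_LIMIT = 30.00

@dataclass
class Gateway:
    vault: dict = field(default_factory=dict)   # token -> PAN, provider side only
    holds: list = field(default_factory=list)   # authorised amounts not yet settled
    settled_to_acquirer: float = 0.0

    def tokenise(self, pan: str) -> str:
        """Step 1: swap the raw card number for an opaque reference.
        Only the token is returned to the merchant; the PAN stays in the vault."""
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = pan
        return token

    @staticmethod
    def sca_required(amount: float, merchant_initiated: bool) -> bool:
        """Step 2: SCA applies unless an exemption covers the payment.
        Modelled exemptions: merchant-initiated (e.g. subscription renewal)
        and low-value transactions."""
        if merchant_initiated:
            return False
        return amount > LOW_VALUE_LIMIT

    def authorise(self, token: str, amount: float, merchant_initiated: bool = False) -> dict:
        """Step 3: request issuer approval. Approval holds funds but moves none."""
        if token not in self.vault:
            return {"approved": False, "reason": "unknown token"}
        challenge = self.sca_required(amount, merchant_initiated)
        # Constructed issuer rule for the demo: cards ending 0002 always decline.
        if self.vault[token].endswith("0002"):
            return {"approved": False, "reason": "issuer declined", "sca_challenge": challenge}
        self.holds.append(amount)
        return {"approved": True, "sca_challenge": challenge, "held": amount}

    def settle(self) -> float:
        """Step 4: the periodic batch moves held funds toward the acquiring bank.
        Returns the amount settled in this batch; Step 5 would reconcile it."""
        total = round(sum(self.holds), 2)
        self.holds.clear()
        self.settled_to_acquirer = round(self.settled_to_acquirer + total, 2)
        return total
```

A first purchase above the threshold triggers a challenge, while a later merchant-initiated renewal on the same token does not; in both cases nothing reaches the acquirer until settle() runs.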