How to take payments online: A UK and EEA merchant guide

The infrastructure behind your online checkout shapes both conversion rates and fraud exposure. This guide covers payment methods, gateways, merchant accounts, and SCA compliance for UK and EEA merchants, from initial setup to live transactions.

By Fibonatix Team
Edited by Jürgen Linde

Updated June 12, 2026


For UK and EEA merchants, friction at the online checkout has a direct line to revenue. A two-second delay, an unfamiliar payment method, or a 3D Secure step that times out all cost conversions on transactions you would otherwise have won.

The infrastructure decisions behind that checkout shape both how many customers complete a purchase and how exposed your business is to fraud, chargebacks, and regulatory issues. Which payment methods to accept, which gateway to use, what merchant account model to sit on, how to handle Strong Customer Authentication: these choices define checkout performance for years.

This guide covers what UK and EEA merchants need to take payments online effectively. It walks through the payment methods worth accepting, the infrastructure that sits behind them, the step-by-step process from setup to live transactions, and the regulatory and security framework that governs the whole thing.

Why online payments matter for UK and EEA merchants

For UK and EEA merchants, a substantial portion of revenue now flows through digital checkouts. The infrastructure behind that flow—payment gateways, merchant accounts, fraud rules, authentication steps—directly determines how much of that revenue reaches your bank account. The rest leaks out through failed authorisations, abandoned carts, chargebacks, and fraud.

Customer payment preferences now drive acceptance decisions, not merchant convenience. That means cards (Visa, Mastercard, Amex), mobile wallets (Apple Pay, Google Pay), and increasingly Open Banking and account-to-account methods. Merchants that limit acceptance to a single channel leave conversions on the table.

Three regulatory pillars shape the UK and EEA payments environment:

  • PCI DSS, for cardholder data security.
  • PSD2 Strong Customer Authentication (the Payment Services Regulations in the UK), for transaction authentication.
  • GDPR (the UK GDPR and Data Protection Act 2018 in the UK), for customer data protection.

Each of these sets requirements on what you can do, how you do it, and what records you keep. Together, they shape every infrastructure decision covered in the rest of this guide.

Online payment methods UK and EEA merchants should accept

Most UK and EEA buyers default to cards or mobile wallets, but the methods worth supporting depend on average order value, customer profile, and the cost trade-offs you're willing to absorb. The table below covers the main options and where each one earns its place.

Payment method | Typical use case | Notable considerations
Card payments (Visa, Mastercard, Amex) | The default for almost all online transactions. | Highest acceptance, but card scheme fees apply; Amex generally has higher merchant costs and lower acceptance than Visa or Mastercard.
Mobile wallets (Apple Pay, Google Pay) | Mobile checkout, repeat customers, faster conversion. | Wrap existing card credentials, so settlement and fees match the underlying card; reduce checkout abandonment on mobile devices.
Open Banking / Pay by Bank | Higher-value transactions where card fees materially affect margin. | Account-to-account, no card scheme fees, instant settlement; UK-led adoption with growing EEA equivalents.
SEPA Instant Credit Transfer | EEA cross-border bank transfers in euros. | Funds arrive within seconds, no card scheme fees; requires customer initiation through their bank.
Faster Payments (UK) | UK domestic bank transfers in GBP. | Near-instant, no card scheme fees; suited to recurring B2B or higher-value B2C.
Recurring card payments | Subscriptions, memberships, instalment plans. | Initial transaction requires SCA; subsequent merchant-initiated payments may qualify for SCA exemptions.
Buy Now Pay Later (BNPL) | Higher-value retail purchases, fashion, electronics. | Lifts conversion and average order value in certain verticals; coverage varies by sector and is generally limited for specialist categories.

The right mix depends on your sector. For most established UK and EEA merchants, cards plus Apple Pay and Google Pay form the baseline. Open Banking, SEPA Instant, and Faster Payments earn their place when you're processing higher-value transactions where card scheme fees materially affect margin. Recurring cards are essential for any subscription model, and BNPL is worth testing in retail categories where it has consistently lifted conversion.

Payment infrastructure: Gateways, merchant accounts, and tools

Accepting payments online requires two pieces of infrastructure working together: a payment gateway and a merchant account. Beyond that, channel-specific tools let you take payments in scenarios the standard online checkout doesn't cover: by phone, by link, in person, or on a recurring schedule.

What a payment gateway does

A payment gateway is the software layer that captures payment details at checkout, encrypts them, and routes the transaction through the card schemes for authorisation. It handles 3D Secure prompts, tokenisation for stored credentials, and the technical integration with your website or app. Choice of gateway determines which payment methods you can accept, how the checkout looks and behaves, and which markets you can serve.

What a merchant account does

A merchant account is the bank account that receives the funds once a transaction is authorised and settled. Two main models exist: aggregator accounts, where multiple merchants share a single account held by the provider (faster to set up, less flexibility), and dedicated merchant accounts, where each merchant holds their own (more flexibility, more underwriting).

Specialist categories such as CBD, online trading, dating services, and adult physical goods typically require a dedicated merchant account, since aggregators rarely underwrite those verticals.

Tools for taking payments outside the online checkout

The infrastructure above covers the standard online checkout, but most established merchants need additional ways to take payments outside of it:

  • Pay by Link: Sends customers a secure payment URL via email, SMS, or messaging app. Suited to remote sales, deposits, and invoice payments.
  • Virtual Terminal: Lets staff key in card details manually for phone or mail orders, with the same security controls as the online checkout.
  • SoftPOS: Turns a standard smartphone or tablet into a contactless card terminal, suited to field sales, pop-up locations, or in-person service teams without dedicated hardware.
  • Recurring billing: Automates scheduled charges for subscriptions, memberships, and instalment plans.
  • Transaction Rebill: Re-charges a stored payment credential for repeat or follow-up purchases without asking the customer to re-enter card details.

How to take payments online: A six-step process

The infrastructure decisions above translate into a sequential process. Most established merchants work through these six steps when setting up online payments or migrating to a new provider.

1. Choose a payment gateway

The gateway selection determines what's possible from day one. Assess providers against:

  • Supported card schemes (Visa, Mastercard, Amex, and any region-specific schemes you need).
  • Supported alternative payment methods (Apple Pay, Google Pay, Open Banking, SEPA Instant, Faster Payments, BNPL).
  • Regional acquiring coverage across the UK, EEA, and any further markets you sell into.
  • Integration approach (hosted checkout, redirect, full API), based on your engineering capacity and how much brand control you want at checkout.
  • Reporting and reconciliation capability, including how easily settlement data exports into your accounting or finance stack.

2. Set up your merchant account

Once you've chosen a provider, expect an underwriting process before the account goes live. Underwriters assess your business model, processing history, average transaction value, projected monthly volume, refund and chargeback ratios, and the regulatory profile of your sector. 

For mainstream categories with clean processing history, this can take days. For specialist categories such as CBD, online trading, dating services, and adult physical goods, expect a longer review and supply more documentation upfront to keep the process moving.

3. Build a secure, conversion-optimised checkout

The checkout is where infrastructure becomes a customer experience, and small choices have outsized effects on conversion:

  • Form length: every additional field costs conversions. Ask only for what's needed to fulfil the order and meet regulatory requirements.
  • Guest checkout: forcing account creation before purchase is one of the largest avoidable causes of cart abandonment.
  • 3D Secure friction: SCA is mandatory in the UK and EEA, but exemptions exist for low-value and low-risk transactions. Recurring charges after the first authenticated transaction are handled as merchant-initiated transactions (MITs), which fall outside PSD2 scope entirely rather than relying on a formal exemption. However, SCA is still required on the initial transaction when the customer saves their card.
  • Branded vs hosted pages: hosted checkout pages reduce your PCI DSS scope but limit visual control; embedded fields give you full brand control but increase compliance burden. Choose based on which trade-off you can support.

4. Add the right payment methods

Refer to the payment methods table earlier in this guide. As a sequencing rule: launch with cards plus Apple Pay and Google Pay, then add alternative methods (Open Banking, SEPA Instant, Faster Payments, BNPL) based on observed customer demand and the cost dynamics of your average transaction value.

5. Lock down security and compliance

Security and compliance get their own section below. In short: PCI DSS for cardholder data, PSD2 SCA for transaction authentication, and GDPR for customer data. All three are non-negotiable for UK and EEA merchants.

6. Monitor and optimise

Once payments are live, the metrics that drive ongoing optimisation are:

  • Authorisation rate: The percentage of attempted transactions that the issuer approves. Low rates often point to fixable issues in BIN routing, 3DS configuration, or data quality.
  • Chargeback ratio: Chargebacks as a percentage of total transactions, by card scheme. Stay well below the scheme thresholds that trigger remediation programmes such as Visa's VAMP or Mastercard's equivalent.
  • Decline reasons: A breakdown of why declines happen (insufficient funds, suspected fraud, 3DS failure, and so on). Patterns here surface specific fixes.
  • Authorisation rate by payment method, device, and country: Highlights where conversion is leaking and where to focus next.
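The four metrics listed above can all be derived from one authorisation log. The following is an added example (not Fibonatix's code, and not tied to any particular gateway's export format) that computes them over a constructed sample of ten authorisation attempts. Field names (`scheme`, `method`, `device`, `country`, `outcome`, `chargeback`) and the scheme threshold passed to `schemes_over_threshold` are assumptions; real Visa and Mastercard programme thresholds change over time and should be taken from the schemes' current rules.

```python
"""Checkout monitoring KPIs from an authorisation log (added example, not the page's own code)."""
from collections import Counter, defaultdict

# Constructed sample: one record per authorisation attempt. "outcome" is either
# "approved" or the decline reason the gateway returned; "chargeback" marks
# approved transactions that were later disputed.
SAMPLE_LOG = [
    {"scheme": "visa",       "method": "card",     "device": "mobile",  "country": "GB", "outcome": "approved",           "chargeback": False},
    {"scheme": "visa",       "method": "card",     "device": "desktop", "country": "GB", "outcome": "approved",           "chargeback": True},
    {"scheme": "mastercard", "method": "card",     "device": "mobile",  "country": "DE", "outcome": "approved",           "chargeback": False},
    {"scheme": "mastercard", "method": "applepay", "device": "mobile",  "country": "GB", "outcome": "approved",           "chargeback": False},
    {"scheme": "visa",       "method": "card",     "device": "desktop", "country": "DE", "outcome": "insufficient_funds", "chargeback": False},
    {"scheme": "amex",       "method": "card",     "device": "desktop", "country": "GB", "outcome": "suspected_fraud",    "chargeback": False},
    {"scheme": "visa",       "method": "card",     "device": "mobile",  "country": "FR", "outcome": "approved",           "chargeback": False},
    {"scheme": "mastercard", "method": "card",     "device": "desktop", "country": "DE", "outcome": "3ds_failure",        "chargeback": False},
    {"scheme": "visa",       "method": "applepay", "device": "mobile",  "country": "GB", "outcome": "approved",           "chargeback": False},
    {"scheme": "mastercard", "method": "card",     "device": "mobile",  "country": "FR", "outcome": "3ds_failure",        "chargeback": False},
]


def authorisation_rate(records):
    """Share of attempted transactions the issuer approved (0.0 when there are none)."""
    if not records:
        return 0.0
    approved = sum(1 for r in records if r["outcome"] == "approved")
    return approved / len(records)


def authorisation_rate_by(records, key):
    """Authorisation rate split by one dimension: "method", "device" or "country"."""
    groups = defaultdict(list)
    for r in records:
        groups[r[key]].append(r)
    return {value: authorisation_rate(rows) for value, rows in groups.items()}


def decline_reasons(records):
    """Count of each decline reason, most common first."""
    return Counter(r["outcome"] for r in records if r["outcome"] != "approved")


def chargeback_ratio_by_scheme(records):
    """Chargebacks as a share of approved transactions, per card scheme.
    Assumption: declined attempts never become chargebacks, so the denominator
    is approved transactions only; a scheme with no approvals reports 0.0."""
    approved = Counter()
    disputed = Counter()
    for r in records:
        if r["outcome"] == "approved":
            approved[r["scheme"]] += 1
            if r["chargeback"]:
                disputed[r["scheme"]] += 1
    return {s: (disputed[s] / approved[s] if approved[s] else 0.0) for s in {r["scheme"] for r in records}}


def schemes_over_threshold(ratios, threshold):
    """Schemes whose chargeback ratio exceeds the remediation threshold.
    The threshold is a placeholder parameter: take the real value from the
    scheme's current monitoring programme rules, not from this example."""
    return sorted(s for s, ratio in ratios.items() if ratio > threshold)


if __name__ == "__main__":
    print("authorisation rate:", authorisation_rate(SAMPLE_LOG))
    for dim in ("method", "device", "country"):
        print(f"by {dim}:", authorisation_rate_by(SAMPLE_LOG, dim))
    print("decline reasons:", decline_reasons(SAMPLE_LOG).most_common())
    ratios = chargeback_ratio_by_scheme(SAMPLE_LOG)
    print("chargeback ratio by scheme:", ratios)
    print("over placeholder threshold:", schemes_over_threshold(ratios, threshold=0.01))
```

In practice these functions run over a daily settlement or gateway export rather than an inline list; the useful output is the trend, so persist the per-dimension rates and alert when a segment (a country, a device class, a scheme) drops while the others hold steady.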


Securing online payments and meeting UK and EEA compliance

Three regulatory frameworks govern how UK and EEA merchants handle payment data, authenticate transactions, and protect customer information. Compliance isn't optional, and meeting each one requires specific operational controls.

PCI DSS: Cardholder data security

The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council and applies to any business that stores, processes, or transmits cardholder data. The current version is PCI DSS v4.0.1, with compliance requirements that scale to your transaction volume.

For most established merchants, the practical question is scope reduction. Hosted checkout pages and tokenised payment fields keep cardholder data off your servers entirely, which collapses the assessment burden from a full report on compliance down to a self-assessment questionnaire. Smaller scope means a smaller compliance lift each year, and fewer systems exposed if there's ever a breach.
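Scope reduction only holds if cardholder data genuinely stays off your servers, so it is worth having a control that proves it. The following is an added example (not Fibonatix's code, and not any gateway's API) of a merchant-side guard: it detects PAN-like strings using the Luhn check that all major card numbers satisfy, redacts them before anything is written to logs, and refuses a checkout payload that carries a PAN in a free-text field where only a gateway token should arrive. The payload field names (`token`, `last4`, `expiry`, `brand`) are assumptions about what a tokenised checkout posts back; the card numbers in the sample inputs are the standard scheme test numbers, not real cards.

```python
"""PAN-leakage guard for a tokenised checkout (added example, not the page's own code)."""
import re
from dataclasses import dataclass

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens,
# bounded so that a longer digit run (an order reference, say) is not split.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled,
    digit sums above 9 reduced by 9, and the total must be divisible by 10."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the digit strings in `text` that look like card numbers and pass Luhn.
    The Luhn filter is what keeps 16-digit order numbers from triggering alerts."""
    return [
        _digits_only(m.group())
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_valid(_digits_only(m.group()))
    ]


def redact(text: str) -> str:
    """Mask every Luhn-valid PAN in `text` down to its last four digits before logging."""
    def _mask(m):
        digits = _digits_only(m.group())
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return PAN_CANDIDATE.sub(_mask, text)


@dataclass(frozen=True)
class StoredCard:
    """The only card-related data the merchant side keeps: a gateway token plus display fields."""
    token: str
    last4: str
    expiry: str
    brand: str


def accept_checkout_payload(payload: dict) -> StoredCard:
    """Build a StoredCard from what hosted fields / gateway tokenisation post back.
    Any PAN smuggled into a merchant-side field is a scope breach, so the payload is refused."""
    for field, value in payload.items():
        if isinstance(value, str) and find_pans(value):
            raise ValueError(f"cardholder data detected in field {field!r}; refusing to process")
    return StoredCard(
        token=payload["token"], last4=payload["last4"],
        expiry=payload["expiry"], brand=payload["brand"],
    )


if __name__ == "__main__":
    # Constructed log line containing a scheme test number.
    print(redact("customer support note: card 4111 1111 1111 1111 declined twice"))
    print(find_pans("order 1234567890123456 shipped"))  # 16 digits, fails Luhn: not a PAN
    print(accept_checkout_payload({"token": "tok_example_123", "last4": "4242", "expiry": "12/27", "brand": "visa"}))
```

Run `redact` on every log sink and `find_pans` over request bodies at the edge of your stack; an alert from either is the early signal that an integration change (a new form field, a debug log, a support tool) has quietly pulled cardholder data back into scope.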

PSD2 SCA: Transaction authentication

Strong Customer Authentication (SCA) is mandatory for most online card transactions in the UK and EEA, under the Payment Services Regulations and PSD2 respectively. The customer must authenticate using two of three factors: something they know (password or PIN), something they have (a registered device), or something they are (biometrics).

The standard implementation is 3D Secure 2 (3DS2), which runs the authentication invisibly when the issuer's risk engine is comfortable, and prompts the customer for a step-up only when needed. Several exemptions let you skip SCA on qualifying transactions: low-value payments, transactions assessed as low risk through Transaction Risk Analysis, recurring merchant-initiated payments, trusted beneficiary whitelisting, and corporate cards. Using these exemptions where you qualify materially improves conversion without compromising compliance.
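The exemption logic described here and in step 3 of the checkout process above (first use of a saved card always authenticated, later merchant-initiated charges out of scope, low-value and Transaction Risk Analysis exemptions requested where the transaction qualifies) is what a merchant's pre-authorisation code has to get right. The following is an added example, not Fibonatix's code and not a gateway's API. The numeric limits are the ones set in the EU Regulatory Technical Standards on SCA (Delegated Regulation (EU) 2018/389, Articles 16 and 18); the `Transaction` fields and the soft-decline response string are assumptions. The decision it returns is what the merchant requests; the issuer can still refuse an exemption, which is why the soft-decline path is included.

```python
"""SCA exemption decision for a UK/EEA card checkout (added example, not the page's own code)."""
from dataclasses import dataclass
from enum import Enum


class ScaDecision(Enum):
    OUT_OF_SCOPE = "out_of_scope"                        # merchant-initiated, no cardholder in session
    EXEMPT_LOW_VALUE = "exempt:low_value"
    EXEMPT_TRA = "exempt:transaction_risk_analysis"
    EXEMPT_TRUSTED_BENEFICIARY = "exempt:trusted_beneficiary"
    EXEMPT_CORPORATE = "exempt:secure_corporate_payment"
    CHALLENGE_REQUIRED = "challenge_required"            # run the 3DS2 challenge flow


# Limits from the RTS on SCA (Delegated Regulation (EU) 2018/389).
LOW_VALUE_LIMIT_EUR = 30.00        # Art. 16: single remote transaction cap
LOW_VALUE_MAX_COUNT = 5            # Art. 16: consecutive exempted transactions since the last SCA
LOW_VALUE_CUMULATIVE_EUR = 100.00  # Art. 16: cumulative amount since the last SCA
# Art. 18 TRA: the amount you may exempt depends on the acquirer's reference fraud rate.
TRA_BANDS = [(0.01, 500.00), (0.06, 250.00), (0.13, 100.00)]  # (max fraud rate %, max amount EUR)


@dataclass
class Transaction:
    amount_eur: float
    cardholder_present: bool         # False for MITs such as a subscription rebill
    storing_credential_now: bool     # True on the transaction where the card is first saved
    customer_whitelisted_merchant: bool = False   # trusted beneficiary set up with the issuer
    corporate_secure_process: bool = False        # corporate card via a secure corporate process
    acquirer_fraud_rate_pct: float = 0.15         # supplied by your acquirer; assumption here
    low_value_count_since_sca: int = 0            # issuer-tracked counters; merchant keeps a copy
    low_value_sum_since_sca: float = 0.0


def tra_limit(fraud_rate_pct: float) -> float:
    """Largest amount eligible for the TRA exemption at this fraud rate (0.0 if none)."""
    for max_rate, limit in TRA_BANDS:
        if fraud_rate_pct <= max_rate:
            return limit
    return 0.0


def decide_sca(tx: Transaction) -> ScaDecision:
    """What the merchant should request for this transaction."""
    # No cardholder in session: MITs are outside SCA scope because the credential
    # was authenticated when it was stored.
    if not tx.cardholder_present:
        return ScaDecision.OUT_OF_SCOPE
    # The transaction that saves the card is always authenticated, whatever its value.
    if tx.storing_credential_now:
        return ScaDecision.CHALLENGE_REQUIRED
    if tx.customer_whitelisted_merchant:
        return ScaDecision.EXEMPT_TRUSTED_BENEFICIARY
    if tx.corporate_secure_process:
        return ScaDecision.EXEMPT_CORPORATE
    if (tx.amount_eur <= LOW_VALUE_LIMIT_EUR
            and tx.low_value_count_since_sca < LOW_VALUE_MAX_COUNT
            and tx.low_value_sum_since_sca + tx.amount_eur <= LOW_VALUE_CUMULATIVE_EUR):
        return ScaDecision.EXEMPT_LOW_VALUE
    if tx.amount_eur <= tra_limit(tx.acquirer_fraud_rate_pct):
        return ScaDecision.EXEMPT_TRA
    return ScaDecision.CHALLENGE_REQUIRED


def after_authorisation(decision: ScaDecision, issuer_response: str) -> str:
    """Issuers may refuse a requested exemption with a soft decline. Treating that as
    a hard decline loses the sale; the right move is to resubmit through a 3DS2
    challenge. The response string is an assumption: map your gateway's real code to it."""
    if issuer_response == "soft_decline_sca_required" and decision is not ScaDecision.CHALLENGE_REQUIRED:
        return "retry_with_3ds_challenge"
    return "proceed"


if __name__ == "__main__":
    rebill = Transaction(49.0, cardholder_present=False, storing_credential_now=False)
    small = Transaction(25.0, cardholder_present=True, storing_credential_now=False,
                        low_value_count_since_sca=2, low_value_sum_since_sca=40.0)
    mid = Transaction(180.0, cardholder_present=True, storing_credential_now=False, acquirer_fraud_rate_pct=0.05)
    for tx in (rebill, small, mid):
        d = decide_sca(tx)
        print(tx.amount_eur, d.value, after_authorisation(d, "soft_decline_sca_required"))
```

Two caveats a practitioner should keep in mind: the low-value counters are authoritative on the issuer side, so the merchant's copy only improves the hit rate of exemption requests, and TRA eligibility is the acquirer's to grant based on its own reference fraud rate, so the band table is only useful once the acquirer has confirmed which band applies.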

GDPR: Customer data protection

The UK GDPR and Data Protection Act 2018 in the UK, and the EU GDPR in the EEA, govern how you handle personal data, including payment-related data such as cardholder names, billing addresses, and any data linked to a customer account. Core requirements include a lawful basis for processing, data minimisation, security-by-design, and breach notification to the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach.

For payment data specifically, GDPR overlaps with PCI DSS. Meeting one helps with the other, but neither substitutes for the other.

Specialist categories face additional scrutiny

UK and EEA merchants in specialist categories such as online trading, dating services, CBD, and adult physical goods typically face elevated risk monitoring from acquirers, including stricter chargeback thresholds, more frequent reviews, and additional underwriting checks. This is a structural feature of those verticals, driven by historical chargeback patterns and regulatory attention, rather than a reflection of any specific merchant's performance. 

Plan for these realities upfront: build chargeback ratios into your operational KPIs, expect more frequent acquirer reviews, and choose a payment partner that underwrites your category routinely rather than treating you as an exception.


Taking online payments: Next steps for UK and EEA merchants

Taking payments online comes down to three decisions: which methods to offer, which infrastructure to build them on, and how to meet the PCI DSS, PSD2 SCA, and GDPR requirements that govern all of it. 

Most established UK and EEA merchants don't need to overhaul everything at once. They need to identify which of those three areas is currently weakest and address that first. The right payment partner makes that diagnosis with you, not for you, and aligns the setup to your sector rather than slotting you into a generic template.

Fibonatix (UK) Limited, company number 09738892, is authorised and regulated by the UK Financial Conduct Authority (FCA) as a Payment Institution (FRN 768776).

FAQs

What's the fastest way to start accepting online payments as a UK or EEA merchant?

Sign up with a payment service provider that bundles a payment gateway and a merchant account into a single onboarding process. For mainstream categories with clean processing history you can be live in a few days; specialist categories take longer due to underwriting requirements.

What's the best way to take payments online for an established merchant?

The best setup combines a payment gateway that supports your priority methods (cards, Apple Pay, Google Pay, and any relevant alternative payment methods) with a merchant account that underwrites your sector. Add channel-specific tools like Pay by Link, Virtual Terminal, or SoftPOS to cover sales that happen outside the standard checkout.

Can a UK merchant accept card payments on a phone without a card reader?

Yes, using a SoftPOS solution that turns a standard NFC-enabled smartphone or tablet into a contactless card terminal. It's a useful option for field sales, pop-up locations, or in-person service teams who don't want dedicated hardware.

What's the difference between a payment gateway and a merchant account?

A payment gateway captures and routes the transaction data; a merchant account receives the settled funds. You need both to take payments online, and they can come from the same provider or separate providers.

Do UK and EEA merchants need PSD2 SCA on every online transaction?

Strong Customer Authentication is mandatory on most online card transactions, but several exemptions exist: low-value payments, low-risk transactions assessed via Transaction Risk Analysis, recurring merchant-initiated payments, trusted beneficiary whitelisting, and corporate cards. Applying eligible exemptions improves conversion without compromising compliance.