A payment gateway is the software layer that securely transmits credit card and bank-account data from your customer to your payment processor and, through the card networks, to the bank that authorizes the payment. It encrypts the sensitive information in transit, forwards it for authorization, and returns the approved or declined result to your website or terminal in seconds.

What is a payment gateway, exactly?

If your business accepts payments online, over the phone, or anywhere the physical card isn't swiped, you're using a payment gateway whether you realize it or not. The gateway is what sits between your checkout form (or your virtual terminal, or your invoice pay link) and the rest of the payment system.

Three things happen every time a payment runs through a gateway:

  1. Capture. The gateway collects the card number, expiration, CVV, and billing details from your customer.
  2. Encrypt and tokenize. The raw card data is encrypted in transit and converted to a token so the actual card number never sits on your servers.
  3. Route and approve. The gateway sends the request, via your payment processor, across the card networks (Visa, Mastercard, Amex, Discover) to the customer's issuing bank, which approves or declines the transaction in about two seconds.

Without a payment gateway, accepting card-not-present payments would be impossible to do securely. Without a good payment gateway, it's possible but expensive, slow, and risky.

How a payment gateway works (step by step)

Here's what happens during a typical online checkout:

  1. The customer hits "Pay." They've entered card details into your checkout page, hosted payments page, or invoice pay link.
  2. The gateway encrypts the data. With a hosted payments page or gateway-provided card fields, card data leaves the customer's browser encrypted and addressed to the gateway, so your servers never see raw numbers. (If your own server collects the card data and forwards it, your servers do see it, and your PCI scope grows accordingly; see the integration types below.)
  3. The gateway sends to the processor. The encrypted request hits your payment processor, which routes it to the customer's card-issuing bank.
  4. The issuing bank decides. Funds available? Card valid? Fraud signals clean? Yes or no.
  5. The processor returns the answer. Approval (with an auth code) or decline (with a reason code) flows back through the gateway.
  6. Your site or terminal updates. Customer sees a confirmation page or an error. The transaction lands in your dashboard immediately.
  7. Settlement happens overnight. Batched authorizations turn into actual deposits in your merchant account - usually next business day, sometimes longer.

Steps 1 through 6 take about two seconds on average; settlement in step 7 happens later, in batch. The gateway is doing most of the heavy lifting in steps 2, 3, and 5.
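Here is the same seven-step flow as a runnable simulation. It is an added example, not CoreGateway's code or API: the `Gateway` and `Issuer` classes, the `tok_...` token format, the auth codes and the reason codes are all invented for illustration, and the two card numbers are standard test numbers with constructed balances and expiry dates. What it shows that the prose alone does not is the split of responsibilities: the browser calls `tokenize` directly on the gateway, the merchant's server only ever sees a token and the last four digits, and `merchant_checkout` refuses to persist anything PAN-shaped. It also walks through an expired card, an insufficient-funds decline and a bogus token, then runs the settlement batch.

```python
"""Simulated token-based checkout: browser -> gateway -> issuer -> merchant.

Added example, not CoreGateway's code or API. The classes, token format,
reason codes and issuer data are all made up for illustration.
"""
import secrets
from dataclasses import dataclass, field

TODAY = (26, 1)   # constructed "current date" as (yy, mm) for the expiry check


@dataclass
class Issuer:
    """Stand-in for processor -> card network -> issuing bank (step 4)."""
    # Constructed accounts keyed by PAN; the PANs are well-known test numbers.
    accounts: dict = field(default_factory=lambda: {
        "4111111111111111": {"balance": 500.00, "expiry": "12/29"},
        "5555555555554444": {"balance": 20.00, "expiry": "01/24"},
    })

    def authorize(self, pan: str, expiry: str, amount: float) -> dict:
        acct = self.accounts.get(pan)
        if acct is None or acct["expiry"] != expiry:
            return {"approved": False, "reason_code": "DO_NOT_HONOR"}
        mm, yy = expiry.split("/")
        if (int(yy), int(mm)) < TODAY:
            return {"approved": False, "reason_code": "EXPIRED_CARD"}
        if acct["balance"] < amount:
            return {"approved": False, "reason_code": "INSUFFICIENT_FUNDS"}
        acct["balance"] -= amount
        return {"approved": True, "auth_code": secrets.token_hex(3).upper()}


@dataclass
class Gateway:
    """Owns the vault (token -> card). The merchant never holds this mapping."""
    issuer: Issuer = field(default_factory=Issuer)
    vault: dict = field(default_factory=dict)
    batch: list = field(default_factory=list)   # approved auths awaiting settlement

    def tokenize(self, pan: str, expiry: str, cvv: str) -> dict:
        """Steps 1-2: called from the customer's browser (hosted field or gateway
        script), so the PAN travels to the gateway and never through the merchant."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and cvv.isdigit()):
            raise ValueError("malformed card data")
        token = "tok_" + secrets.token_hex(12)              # hypothetical token format
        self.vault[token] = {"pan": pan, "expiry": expiry}  # the CVV is never stored
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount: float) -> dict:
        """Steps 3-5: called from the merchant's server with the token only."""
        card = self.vault.get(token)
        if card is None:
            return {"approved": False, "reason_code": "INVALID_TOKEN"}
        result = self.issuer.authorize(card["pan"], card["expiry"], amount)
        if result["approved"]:
            self.batch.append({"token": token, "amount": amount, "auth": result["auth_code"]})
        return result

    def settle(self) -> float:
        """Step 7: the overnight batch; returns the amount deposited."""
        total = round(sum(item["amount"] for item in self.batch), 2)
        self.batch.clear()
        return total


def looks_like_pan(value) -> bool:
    """Cheap check that a field about to be stored is not a full card number."""
    s = str(value)
    return s.isdigit() and 13 <= len(s) <= 19


def merchant_checkout(gateway: Gateway, browser_result: dict, amount: float) -> dict:
    """Step 6 from the merchant's side: record token, last4 and the outcome.
    Refuses to persist anything PAN-shaped, which is what keeps the merchant
    out of card-data scope."""
    result = gateway.charge(browser_result["token"], amount)
    order = {"card": "**** " + browser_result["last4"], "amount": amount, **result}
    if any(looks_like_pan(v) for v in order.values()):
        raise RuntimeError("refusing to store a PAN on the merchant side")
    return order


def run_demo() -> list:
    gw = Gateway()
    good = gw.tokenize("4111111111111111", "12/29", "123")      # browser-side calls
    expired = gw.tokenize("5555555555554444", "01/24", "456")
    return [
        merchant_checkout(gw, good, 49.99),                     # approved
        merchant_checkout(gw, expired, 10.00),                  # EXPIRED_CARD
        merchant_checkout(gw, good, 1000.00),                   # INSUFFICIENT_FUNDS
        merchant_checkout(gw, {"token": "tok_bogus", "last4": "0000"}, 5.00),
        {"settled": gw.settle()},                               # only the approved 49.99
    ]
```

Note that `tokenize` is the only function that ever receives a PAN, and in a real deployment it runs in the gateway's own domain, called from the browser; everything the merchant writes to its database or logs passes through `looks_like_pan` first. Declines come back as reason codes with no card data attached, which is all the merchant needs for retry logic.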

Payment gateway vs payment processor vs merchant account

These three terms get used interchangeably, but they're actually different things:

Component          | What it does                                                                 | Examples
Payment gateway    | Captures, encrypts, and transmits payment data                               | CoreGateway, NMI, Authorize.net
Payment processor  | Moves the actual money between banks                                         | Elavon, Fiserv, TSYS, Payroc
Merchant account   | The account that receives your settled card funds before they are deposited to your business bank account | Underwritten through a processor or sponsor bank

Some companies bundle all three into one package; others specialize. Most modern gateways like CoreGateway work across multiple processors so you can place your merchant account where it makes the most sense for your business.

What features should a payment gateway have in 2026?

The bar has moved. A modern payment gateway should include all of the following, ideally without nickel-and-diming you with add-on fees for each module:

Acceptance channels

  • Virtual Terminal for keyed-in payments from any browser - phone orders, mail orders, customer-not-present sales
  • Hosted Payments Page - a branded, PCI-compliant checkout page you embed or redirect to
  • Invoicing with secure pay links your customers can pay in two taps
  • QR code payments for in-person events, tables, kiosks
  • REST API for integrating directly with your software

Customer and billing tools

  • Customer vault. Tokenized storage of cards and bank accounts so repeat charges don't require re-entering details.
  • Automatic card updater. When a customer's card expires or gets replaced, the gateway refreshes it through the card networks so renewals don't fail.
  • Recurring billing with flexible schedules (daily through annual, plus custom intervals) and prorated payments for plan changes.

Cost and reporting

  • Surcharging and convenience fee modules. Where legal, these let you pass card-processing costs to customers transparently.
  • L2/L3 interchange optimization. Passes enhanced data on B2B card transactions to qualify for lower interchange rates.
  • Detailed reporting. Build any view by user, channel, product, or fee class.

Security and compliance

  • PCI DSS Level 1 validated. The most rigorous validation level for a service provider: an annual on-site assessment by a Qualified Security Assessor and a Report on Compliance, rather than a self-assessment questionnaire.
  • SOC 2 Type II. Independent audit of operational security controls.
  • HIPAA compliance. If you're in healthcare-adjacent verticals.
  • Tokenization and end-to-end encryption. Card data never sits on your servers in raw form.

What to avoid: Gateways that charge separately for the vault, the card updater, recurring billing, surcharging, and reporting. By the time you add the line items up, the "cheap" base fee turns into double or triple what was quoted.

How much does a payment gateway cost?

Three components make up the total cost of a payment gateway:

  1. Monthly platform fee - typically $10 to $50 per merchant account. CoreGateway's standard platform is $20/month.
  2. Per-transaction fee - usually a small percentage (often 0.50%) plus a flat fee (often $0.15) on each approved transaction.
  3. Interchange - set by the card networks, varies by card type. Premium rewards cards cost more; debit cards cost less.

You'll see two main pricing models in the market:

Interchange-plus pricing

Each cost component is shown separately on your statement. You pay the exact interchange the card networks charge, plus a transparent processor markup. This is the model preferred by businesses that process meaningful volume because the math is honest and the savings on lower-cost transactions actually reach the merchant.

Flat-rate pricing

Everything rolled into one percentage (think 2.9% + $0.30). Easier to understand at a glance. Usually more expensive once volume picks up because the processor pockets the difference between actual interchange and the flat rate.

Honest take: If you're processing more than $10,000 a month, interchange-plus almost always saves money. If you're processing under $1,000 a month, flat-rate may be simpler. CoreGateway uses interchange-plus.

PCI compliance and payment gateways

PCI DSS (Payment Card Industry Data Security Standard) is the security framework every business that touches card data must follow. The level of compliance work you're on the hook for depends on how you handle card data.

Using a PCI DSS Level 1 validated payment gateway whose hosted payments page or iframe collects the card data directly, so it never touches your systems, can reduce your PCI scope to SAQ A, the shortest annual self-assessment: a few dozen questions instead of the several hundred in SAQ D. Two caveats a practitioner should know. A virtual terminal, where your own staff key in card numbers, falls under a different questionnaire (SAQ C-VT) with conditions on the workstation used. And under PCI DSS v4.0, even SAQ A merchants must manage and monitor the scripts running on the page that embeds the payment form (requirements 6.4.3 and 11.6.1), because a compromised script on your page can skim card data before it ever reaches the gateway's iframe.

If you're storing, processing, or transmitting card numbers on your own servers, you're in a much harder PCI bucket (SAQ D), which means quarterly vulnerability scans by an Approved Scanning Vendor, penetration testing, written security policies, and dedicated compliance work. A good gateway is the single biggest PCI scope reducer most businesses have.
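Before claiming SAQ A, it is worth checking your own environment for card numbers that arrived where they should not have: debug logs that dumped a request body, support tickets, database exports. The scanner below is an added example, not part of this article or any vendor's tooling; the log lines are constructed for the demo. It pairs a digit-pattern regex with the Luhn mod-10 check so that order IDs, tracking numbers and timestamps do not produce false positives, and it reports only masked values so the scanner itself does not spread PANs around.

```python
"""Scan text for card numbers (PANs) before claiming a reduced PCI scope.

Added example, not part of the original article or any vendor's tooling.
The log lines below are constructed for the demo.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes it, most random
    digit runs (order IDs, timestamps, tracking numbers) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid 13-19 digit sequences found in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits, so findings can be shared safely."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_lines(lines) -> list:
    """Return (line_no, [masked PANs]) for every line carrying a Luhn-valid PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            findings.append((n, [mask(p) for p in pans]))
    return findings


# Constructed sample: an application log where a debug statement dumped the
# raw checkout request body (line 3) and a support note quoted a card read
# over the phone (line 5). Order IDs, a tokenized reference and a 16-digit
# tracking number are noise that must not trigger.
SAMPLE_LOG = [
    '2026-01-14T10:02:11Z INFO  order=2026011400731 created amount=49.99',
    '2026-01-14T10:02:12Z INFO  charge token=tok_9f2a4c1d8e7b last4=1111 status=approved auth=A1B2C3',
    '2026-01-14T10:02:12Z DEBUG raw_body={"card_number":"4111 1111 1111 1111","exp":"12/29","cvv":"123"}',
    '2026-01-14T10:03:40Z INFO  refund order=2026011400731 status=ok',
    '2026-01-14T10:05:02Z WARN  support_note="customer read card 5555-5555-5555-4444 over the phone"',
    '2026-01-14T10:06:00Z INFO  tracking=1234567890123456 carrier=UPS',
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(masked)}")
```

Run it over application logs, database dumps, ticketing exports and backups. Any hit means that system stores or transmits PAN, so the SAQ A argument does not hold for it until the leak is fixed and the records are purged. Line 3 in the sample is the classic failure: a debug logger that serialized the whole request, turning a tokenized integration back into a cardholder-data environment.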

Types of payment gateways

Three main integration styles, each with trade-offs:

1. Hosted payment page (redirect or iframe)

The customer is sent to a payment page hosted by the gateway (or your page loads a gateway-hosted iframe), branded to look like your site. Pro: minimum PCI scope (SAQ A), fastest deploy. Con: slightly less seamless than fully integrated checkout, and under PCI DSS v4.0 the page that embeds the form still needs script-integrity controls.

2. Integrated checkout (API-based)

Card data is captured on your checkout page and posted to the gateway via API. Pro: fully branded customer experience, full control over UI. Con: higher PCI scope and more development work. If the gateway's JavaScript tokenizes the card in the browser so that only a token reaches your server, you're typically in SAQ A-EP; if the card data posts to your server first, even briefly, you're in SAQ D.

3. Direct API for embedded software

SaaS platforms, ERPs, or vertical software that need to embed payments deeply use the gateway's REST API directly. CoreGateway's ISV program is built around this. Pro: total integration depth, monetize transactions on your platform. Con: longest build time, requires developer resources.

How to choose the right payment gateway

Before you sign up with any gateway, run through this checklist:

  • Is the pricing transparent? You should see exactly what you'll pay before signing.
  • Are the features you need actually part of the standard platform, or sold as add-ons?
  • Is the gateway PCI-DSS Level 1 certified? Anything less is a red flag.
  • What's the contract length? Reputable modern gateways are month-to-month.
  • How do they handle declines? Smart retry logic and an automatic card updater protect recurring revenue.
  • What's the support like? Real phone support or a chatbot loop?
  • Does the API or documentation look usable? Spend 10 minutes in their docs before signing.
  • Can you place your merchant account where it makes sense? Single-processor lock-in is a long-term limitation.

The TL;DR

A payment gateway is the technology layer that securely captures card data, transmits it to your processor, and returns an approved-or-declined result in about two seconds. Every business that accepts online or card-not-present payments needs one.

The right gateway in 2026 offers the virtual terminal, hosted payments page, recurring billing, customer vault, automatic card updater, surcharging, L2/L3 optimization, and detailed reporting as part of the standard platform. It's PCI-DSS Level 1 and SOC 2 certified. It's priced on interchange-plus, not buried flat-rate. It's month-to-month, not multi-year locked.

That's the bar - and the right vendor will clear it without you having to negotiate.