Softjourn

How to Build Your Own Payment Gateway

Interested in building your own payment gateway from scratch? Here’s what you need to know before jumping in

October 16, 2020 by Softjourn

Many kinds of businesses become interested in building their own payment gateway: merchants wanting to reduce payment service fees, startups looking to offer a gateway in an underserved region, or online companies that started out with a white label service which now presents them with technical limitations instead of support.

However, too many do not fully understand the size and scope of building a payment gateway from scratch. There are many misconceptions about the steps involved with creating and running your own payment gateway. 

In this article, we’ll answer many questions to give you the full picture of what is necessary to build your own payment gateway solution from scratch.

Where do I start?

You might think you need to speak with developers or technology service providers when thinking about building a payment gateway. After all, it is a digital solution for accepting credit card payments. 

However, this belief is misguided; the first thing you will need to do is build business relationships with either a payment processor or an acquiring bank.

Why do I need a payment processor?

If you wish to offer a payment gateway as a service, you need something to connect it to. This something is the payment processor. A payment processor, sometimes called a merchant service, moves the transaction through the payment network. Sometimes an acquiring bank can be a payment processor. 

The processor you choose to partner with will provide you with technical information to integrate your gateway with their system. Depending on the payment types you wish to be able to accept, you may need to partner and integrate with several processors.

Why do I need an acquiring bank?

If you are a merchant that wishes to have their own payment gateway, you'll need a payment processor and an acquiring bank. Merchants already need a merchant account to accept digital payments, and merchant accounts are provided by acquiring banks.

An acquiring partner is a bank or financial institution (FI) that processes credit or debit card payments on behalf of a merchant. The acquiring bank you choose will assume risk for your business, and as such, will require certain financial commitments due to chargebacks, refunds, ACH returns, and potential fraud. 

An acquiring bank is not the same as a commercial bank, which offers checking and savings accounts. A commercial bank may have an acquiring division, but not all commercial banks can underwrite merchant accounts. Make sure the financial institution you wish to partner with can set you up with a merchant account. 

The payment process has many players, but its many steps can happen within just a few seconds.

1. Customer initiates a digital purchase.
2. The merchant transmits the cardholder information to the payment gateway.
3. The payment gateway encrypts the cardholder information and transmits it to the payment processor.
4. The payment processor verifies the cardholder information and transmits it to the card network.
5. The card network transmits the information to the issuing bank.
6-9. Depending on the amount of funds in the cardholder's account, an approved or declined message is transmitted back along the payment network.
10. If the payment is approved, funds are transmitted to the merchant's account at their acquiring bank.

What technical specifications will I need?

Your payment processor of choice will provide the specifications necessary to integrate your payment gateway with their system and the overall payment network. If you plan to accept many different payment types, you may need to get additional specifications from other acquirers or processors. 

These technical specifications will inform what technology you can or should use to build your payment gateway. 

What if I want to sell in multiple geographic locations?

You will need a relationship with a processor that operates in all of the locations. This can mean a partnership with a specific processor that operates in multiple locations, or partnerships with multiple processors.

Local regulations for the region or regions that you wish to do business in will also weigh on the choice of technology for your payment gateway. We have received requests to help create gateways to operate in, as examples, Latin America and Malaysia; local laws and standards can make growth difficult for other popular payment providers like PayPal, which seems to leave open a gap for other providers. 

However, obstacles for larger companies are obstacles for a reason; they are not always so easily addressed by others. 

How much does it cost to build a payment gateway?

Our ballpark estimation for creating a payment gateway minimum viable product (MVP) is between $200K and $250K. This is of course dependent on the functionality you wish to incorporate into your gateway. The MVP described here would at least get you set up in accepting credit and debit card payments.

How long does it take to build a payment gateway?

It can take years to build a payment gateway from scratch. A faster solution is to license a white label product, which can be up and running in just a few months. Many white label products can be customized to your company’s needs.

It can also take months or years for processors or acquirers to decide to integrate with your payment gateway, making it viable for market use. 

To build an MVP payment gateway from scratch, we roughly estimate up to six months. This estimate will likely fluctuate depending on the specifics of your request. 

Won’t I save money in the long term if I build my own gateway?

Maybe, if your processing volume is large enough. Many wrongly assume that if they host a payment gateway solution of their own that they can eliminate credit card processing fees that they are paying to their processor. 

Fees for card network usage and/or processing will always be required by providers like Visa and Mastercard. 

Interchange and settlement costs can only be eliminated with direct integrations with card network providers. This level of integration really only makes sense if your company processes very large transaction volumes, such as into the billions.

Surcharges can be reduced through owning your own payment gateway, but this is again dependent on whether your transaction volume offsets the cost of building and operating a payment gateway.

Owning and operating your own payment gateway also comes with the additional cost of paying for servers and gateway product maintenance. 

It is only worth taking an open source product in-house or developing your own if eliminating some of the third-party gateway-related fees offsets the annual price of gateway maintenance, PCI DSS audit, certifications, and other myriad costs.

Don’t forget about security

Partnering with a processor and getting technical specifications for integration are just the tip of the iceberg. Merchants look for secure payment gateways to boost customer confidence. Secure payment gateways with fraud detection mechanisms can help avoid chargebacks and other problems resulting from fraudulent purchases.

Over the next sections, we’ll discuss other concepts that can have an impact on your ability to build and operate your own payment gateway.

What is PCI DSS?

Businesses that handle cardholder information must comply with the Payment Card Industry Data Security Standard, or PCI DSS. PCI DSS is a list of practices that businesses use to improve the security of card transactions and defend cardholder information from theft. 

According to Rodolphe Simonetti, global managing director at Verizon, there is a close correlation between the lack of PCI DSS compliance and cyber breaches. “Our data shows that we have never investigated a payment card security data breach for a PCI DSS-compliant organization,” he was quoted saying in Verizon's 2019 Payment Security Report. “Compliance works.”

A security breach isn't just about losing customer information: businesses also suffer a loss of customer confidence, future sales, or the threat of legal action. They are subject to fines per PCI DSS noncompliance and, if they have one, the loss of their merchant account.

What PCI DSS compliance level do I need?

There are four levels of PCI DSS compliance. Deciding which one you need to meet is a complicated process, but generally breaks down into four areas:

  • Collection: Will cardholder information be collected on the customer's browser, the merchant's server, or the payment gateway server?
  • Storage: Will card data be stored on the merchant’s servers, or on the payment gateway’s servers?
  • Transmission: How will card data be transmitted to the gateway?
  • Processing: Will cardholder information be processed by the merchant or by the payment gateway?

The following technologies can aid in securing customer information and protecting against cyberattacks. However, use of one or a combination of these technologies themselves does not constitute PCI DSS compliance. 

PCI DSS compliance is a multi-faceted set of standards that cover a range of topics and disciplines. Learn more about PCI DSS on the PCI Security Standards Council's website.

EMV

EMV (which stands for EuroPay, Mastercard, and Visa) is the global standard for credit and debit payments based on chip card technology. Every chip card transaction contains dozens of pieces of information that are exchanged between the card, POS terminal, and the acquiring bank or processor's host. 

EMV does not replace PCI compliance; EMV was created to defend against fraudulent use of cards in a store. If you wish to accept card present transactions, you will need to be able to prove you have the backing to handle EMV transactions.

EMV 3-D Secure

EMV Three-Domain Secure, or 3DS, is a messaging protocol that enables consumers to authenticate themselves when making card-not-present (CNP) e-commerce and m-commerce purchases. The protocol provides an additional security layer that helps prevent unauthorized CNP transactions, protecting the merchant from fraud. The three domains that give 3DS its name are the merchant/acquirer domain, the issuer domain, and the interoperability domain.

EMV 3DS streamlines the user experience by improving communication 'in the background' between the issuing bank, the acquirer, and the merchant. 

Tokenization

Tokenization, the process of protecting sensitive data by replacing it with a token, is often used to prevent credit card fraud. In credit card tokenization, the cardholder's primary account number is replaced with the token. The token is then passed through the various networks needed to process the payment, but actual bank details are never exposed because they are held in a secure token vault. 

Tokenization in and of itself won't make a merchant PCI compliant, but it is considered a "best practice." It can help reduce PCI DSS scope. 

P2PE

P2PE, or peer-to-peer encryption, lets organizations create secure communication between devices and protects transmitted sensitive information from exposure to intermediate devices on the same network.

P2PE is often used as a compliance solution for PCI DSS.

Alternatives to building your own payment gateway

White label service

A white label service can be a quick way to get up and running offering your own payment solution. It can also reduce the cost of processing by reducing the number of middlemen between your business and your acquirer/processor. 

There are many flavors of white label service, from hosted solution to dedicated gateway to licensed open source payment gateway software. 

If you are worried that white label might not provide the level of customization you’re looking for, there are options. A client who spoke with us regarding that exact scenario learned that building a payment gateway from scratch was not a cost-effective solution for their issues regarding customizing their current white label gateway. Instead, they ended up negotiating for control over their source code in order to implement needed changes faster. You can also partner with a technology services provider to implement changes at your pace.

Replacement service provider

If you’re currently partnering with one of the well-known PSPs like Stripe, Paypal, or Square, there are alternatives out there. However, these providers are market leaders for a reason — their technical innovation has set them apart from the others. 

As such, while you can partner with one of their competitors, the price charged will not be much lower than what you are currently paying. Likewise, it will be difficult to find an alternative that has significant technological advantages over them because of their market leader status. 

Conclusion

Now that you have a well-rounded perspective of what goes into creating a payment gateway, are you still interested in building your own gateway? Talk with one of our payments experts today.

Softjourn is a global technology services provider with over a decade of experience working with Cards & Payments service providers. We've built creative solutions or augmented in-house technical teams to provide support and project-specific expertise resulting in revenue-generating features. 

We specialize in enabling and preserving the security of prepaid cards, developing transaction simulators to save roll-out time, and creating repeatable and strategic approaches to managing payment recovery. We help our customers—payment processors, banks, transaction acquirers, and prepaid card service providers—by leveraging our expertise to increase market share.
