If you've decided it’s time to start selling online with your very own eCommerce website, you're about to embark on one of the most rewarding journeys in the world: entrepreneurship!

Of course, it's not always going to be easy, and there's a lot to learn before you can even really get started.

You could imagine that eCommerce is like its own ecosystem, where web design, online security, credit cards, shipping, and more all come together in a relationship that makes everything work. It's important to understand at least the basics of all these moving parts, but don't feel discouraged or overwhelmed at the amount of information you'll have to learn. We're here to teach you!

In this article, we're going to talk about something sure to pique the interest of every beginning online seller: how to accept payments. We'll discuss payment gateways, merchant accounts, and a bit more — and how it all works.

How Does a Website Process an Online Payment?

It's easy to do anything on the internet and just assume some technological magic is happening in the background. But as soon as you understand what's actually behind the process, it starts to make a lot more sense.

On a basic level, the entire internet works through a transfer of information. Payment processing is no different, except that the information follows a winding path between the customer, the issuing bank, and the acquiring bank. Let's start with a few definitions:

  • The issuing bank is the bank that issued the customer their credit card, and where the funds come from when they make their purchase from you.
  • The acquiring bank is the bank where you have your account, where the customer's payment ends up when it's complete.
  • In between, we have the payment gateway, which authorizes the transaction much like a card reader at a brick-and-mortar retail store.
  • The payment gateway in turn utilizes a payment processor, a financial institution that allows the transfer of information between the customer and merchant once the transaction has been authorized by the gateway.
  • To access a payment gateway, you need a merchant account, a type of account with a financial institution or other provider, made specifically for accepting payments online. Merchant accounts are sometimes called merchant IDs (or MIDs).

When an online customer makes their purchase, the transaction information "travels" back and forth through these five destinations in order to facilitate the safe, secure authorization of the transaction, with the end result of the buyer's payment reaching the seller's bank account.


Understanding Merchant Accounts

A merchant account is a bank account that allows merchants to accept credit and debit card payments online. Usually, a merchant account provides a payment gateway along with it, so a retailer would only need to get a merchant account. In eCommerce, you'll need an internet merchant account specifically for accepting cards online.

When a customer's transaction is settled, the funds enter the seller's merchant account and are then transferred to the seller's business bank account. This usually takes a few days.


Setting up a Merchant Account

In order to get a merchant account for eCommerce, you'll need to go through an application process with a bank that offers internet merchant accounts. The bank will do a risk assessment of your business, in which factors like length of time in business, financial history, personal credit score of the business owner, and existence of other merchant accounts are all noted. Most new businesses are more likely to be accepted for a merchant account by the bank at which they have their business bank account.

Costs and Fees

Merchant accounts can have several fees involved in their operation, including everything from an application fee, to a setup fee, to a monthly maintenance fee. These fees aren't always outlined thoroughly in your contract, so be aware that hidden fees are an unfortunate reality with some merchant account providers.

You'll also lose a small amount of every sale to a transaction fee, which is unavoidable. The current industry standard for transaction fees is 2.9% plus $0.30 per transaction.

Fraud and Liability

Unlike a purchase made in a brick-and-mortar store, an online purchase is made without the additional security features of an in-person transaction, such as a chip-enabled card terminal or the ability to check a customer's identification. When a card is used in person, the card issuer takes responsibility in the case of fraud and the merchant still gets paid. But because online purchases are card-not-present transactions and lack this type of security, the burden falls to the merchant to ensure that fraud does not occur.

If a customer makes a fraudulent transaction on your online store, you are responsible for refunding the actual cardholder and paying any fees associated with the fraudulent transaction, which can be very expensive. You can even lose your merchant account, and with it, the ability to do business. Since the liability falls to you, you need to ensure you have adequate fraud protection on your eCommerce website by utilizing anti-fraud methods such as address verification and other security checks.


Levels of Data Integration

There are three levels of processing involved in credit card transactions, in which more and more data must be collected in order for the transaction to be authorized. The level required depends on the type of customers you serve. The higher the level, the more data required for verification, and usually the lower your interchange fee.

Level 1 processing is used for business-to-consumer (B2C) transactions, in which customers use their personal credit cards. All that's required for verification is the merchant name, transaction amount, and the date.

Level 2 processing is intended for business-to-business (B2B) transactions, in which a business-specific payment method is used in order to control corporate or employee spending. More data is collected, not just for verification but also to help provide the purchasing business with more information about how their funds are being spent. The required data includes the same data as in Level 1 processing with the addition of tax amount, tax ID, merchant postal code, merchant minority code, merchant state code, and customer code.

Level 3 processing is the highest level requiring the most verification, and is usually used for transactions involving government entities and corporate purchasing. The required data includes everything from Level 2 and adds several others like item descriptions and quantities, duty amount, destination postal and country codes, item product codes, and more.

Depending on the types of customers you want to do business with, you may need to ask your merchant account provider about upgrading to a higher processing level.


Understanding Payment Gateways

A payment gateway is required for you to accept credit card payments on your online store. It acts as a secure mediator between transactions performed on your store, and the payment processor that actually deals with the transfer of funds. Since payment gateways are required by law in order for your site to work with a payment processor, most merchant accounts have a payment gateway included.


How Payment Gateways Work

When a customer initiates a purchase, the transaction data follows a somewhat complex procedure that only takes a few seconds. This procedure can be summed up in five steps:

  1. The customer enters their payment information and places their order, which will be processed as a card-not-present transaction (since they're shopping online and not swiping their card in person). The data is immediately encrypted.
  2. The encrypted information is sent to the payment processor being used by merchant.
  3. The payment processor sends the transaction to the customer's credit card association, which charges an interchange fee for the transaction.
  4. If the card is valid and has enough funds to cover the purchase, and there are no holds or freezes on the card, the transaction is approved.
  5. The transaction is now authorized and this information is sent back through the chain in reverse (to the payment processor, then the payment gateway, and finally arriving at your online store).

Once these five steps are complete, the transaction is settled. The customer's payment will appear in your merchant account within 24 to 48 hours.


Transaction Types

The transaction type informs the payment processor what kind of transaction your store is performing with the customer's card. There are several common types of transactions which all have their uses for various scenarios.


An Authorize (AUTH_ONLY) transaction is a means of guaranteeing a payment within a certain specified amount, but without collecting payment instantly. When the customer's card is run, the given amount of funds will be put on hold and you'll be given a unique authorization code. When the time comes to collect the funds, you perform a Capture transaction using the authorization code, which results in the actual payment being made to you. If you don't initiate a Capture transaction within a time limit specified by your payment gateway (usually 30 days), the hold will be removed and the customer's funds will return to their account.


A Capture (PRIOR_AUTH_CAPTURE) transaction uses an existing authorization code to complete the transaction. The captured amount can be less than the authorized amount. If you make frequent purchases with a debit card, this is why sometimes you'll see an authorization from the vendor for a set amount and then the actual transaction ends up being lower.


An Authorize/Capture (AUTH_CAPTURE) transaction is exactly what it sounds like: it combines the Authorize and Capture transactions into a single two-step process. While this is the most common transaction type, it's susceptible to technical difficulties arising from network timeouts or other hiccups in communication between the online store and the payment gateway. This is relatively rare, but when it happens, it leads to issues like the customer placing the order again and receiving a double charge, while your shopping cart software only shows the customer being charged once.


A Refund or Credit (CREDIT) transaction is also just what it sounds like. It simply returns the captured funds back to the customer's card. You can issue a full or partial refund. Most payment gateways put a 60-day time limit on captured funds for the purpose of refunding, but you may have the option of extended credit capabilities.


A Void (VOID) transaction is similar to a refund, but can only be used for transactions that haven't settled yet (usually only on the same day). You can only void an entire amount, so if you need to refund only a partial amount, you need to wait for the transaction to complete and then refund it.


PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a series of guidelines mandated by Visa, MasterCard, and other card brands that came about when the cards' individual security standards were merged. The PCI DSS guidelines exist to protect cardholder data and consist of 12 requirements, ranging from not using default passwords to frequent vulnerability scanning. Any business that accepts credit cards online must be PCI compliant.

PCI compliance is a complex goal with a simple solution: use a PCI-compliant payment gateway and build your online store with a PCI-compliant eCommerce software. Then, all the work inherent in PCI compliance is done for you and you can concentrate on running your business without shouldering the load of cardholder security.



When you need to store a customer's payment information for future use such as recurring billing, the only safe way to accomplish this is through tokenization — the customer's sensitive data is replaced by a token, a piece of non-sensitive data from which the customer's information is impossible to retrieve by any outside intruder. Tokenization systems must be proven to be resistant against all types of hacking and decryption attempts and must comply with PCI standards.


Credit Card Networks and Acquiring and Issuing Banks

The acquiring and issuing banks are both crucial parts of payment processing, but what exactly are they? It's relatively simple.

The acquiring bank is the bank at which you have your merchant account, where you acquire the funds spent by your customers.

Issuing banks are responsible for issuing branded credit cards to consumers. Examples include Chase, Bank of America, and Wells Fargo, which issue various cards including Visa, MasterCard, and American Express. The issuing bank is the institution responsible for setting up rewards on certain cards, like cash back, airline miles, or points for use at a certain location like Disney theme parks.

Issuing banks provide credit cards through contracts with credit card networks (also called interchange associations), the four major ones being Visa, MasterCard, Discover, and American Express. Discover and American Express are both combinations of issuing bank and credit card network.

The issuing bank is also the financial institution that backs the customer's credit card with funds. When a transaction is made and the cardholder and transaction data follows its complex path through the payment gateway to the payment processor, the end result is that the acquiring and issuing banks communicate back and forth to facilitate the transaction amount (minus any fees) ending up in your merchant account.


Improved Online Transaction Security

As eCommerce grows, both credit card networks and other payment institutions are working to improve the security of online transactions to help counter the additional risk of the customer's credit card not being physically present. 3-D Secure 2.0 and digital wallets are both such innovations.


3-D Secure 2.0

3-D Secure 2.0 improves the security of online transactions by combining the authorization process with an additional level of online authentication covering three domains (hence 3-D). These three domains are the Acquirer Domain (the acquiring bank), Issuer Domain (the issuing bank), and Interoperability Domain (the handling of the exchange of the customer's data and its authentication).

This is put into practice through an extra layer of authentication that usually redirects the customer to a secure site owned by the credit card network in question, in which the customer must provide additional information to approve their purchase. The four major credit card networks have each implemented 3-D Secure 2.0 in their own way, including Verified by Visa, MasterCard Secure, American Express SafeKey and Discover ProtectBuy.


Digital Wallets

A digital wallet is a system that allows a customer to enter and save all their personal credentials and payment information for use on participating online stores. When the customer checks out, rather than needing to enter their payment information, they only need to enter the PIN or password they've set up to use their digital wallet. Popular digital wallets include Visa Checkout and Masterpass, both of which work with every card network. There are no extra fees, just an added layer of security.

Digital wallets also have the added advantage of smoothing the customer's checkout experience, since they only need to authenticate use of the wallet through a PIN or password, rather than tediously enter their credit card information on their mobile device.


Recommended Payment Processors

Since 3dcart offers a premier online shopping cart software for businesses of all sizes to sell online, over our 20 years of eCommerce experience we've developed a close relationship with over 100 payment gateways.  You'll find any of these to be a fine solution for starting your online business.

If you want to learn more about some of the innovative payment methods available today, check out our free ebook below.

Free report: The Real Cost of Running a Shopify Store