FinCo Learn · Payments, explained
What Is a Payment Gateway, and How Do I Choose One?
Gateway vs. processor vs. merchant account
These three terms get used interchangeably, and that confusion costs business owners real money — it is hard to compare offers when you do not know which piece each one is quoting. FinCo Payment Solutions, a merchant-services consultancy in Austin, Texas, untangles them constantly. The cleanest way to think about it: the gateway moves the data, the processor moves the money, and the merchant account is where the money lands.
A useful analogy: the gateway is your online point-of-sale terminal. In a physical store, the card reader captures the card, encrypts it, and sends it off for approval. Online, you have no physical reader — the gateway plays that role for a checkout page, a mobile app, an invoice link, or a recurring-billing system. Sometimes a single provider bundles all three layers behind one login, which is convenient but can blur where one service ends and the next begins, including on your statement.
When you actually need a gateway
Not every business needs a standalone gateway. You need gateway functionality whenever a card is charged without being physically swiped, tapped, or inserted — what the industry calls card-not-present. The common triggers:
- Ecommerce — any online store taking cards at checkout.
- In-app payments — charging inside a mobile or web application.
- Recurring or subscription billing — storing a credential to charge on a schedule. This is where tokenization (below) stops being optional.
- Invoicing and pay-by-link — emailing a customer a secure link to pay.
- Virtual terminals — keying a card by hand for phone or mail orders.
A purely in-person business may already have gateway capability built into its terminal and never think about it as a separate layer. The moment you add an online or recurring channel, the gateway becomes a decision worth making deliberately rather than accepting whatever was bundled by default.
The three integration approaches, and their trade-offs
How you connect the gateway to your site or app changes how much control you get — and, critically, how much PCI DSS compliance burden lands on you. The more card data touches your own systems, the larger your PCI scope. That single trade-off drives most of the decision.
| Approach | How it works | Control | PCI / security burden |
|---|---|---|---|
| Hosted / redirect checkout | Shopper is sent to the gateway's secure page (or a hosted field/iframe) to enter card data, then returned to you | Lowest — limited styling and flow control | Lowest — card data never touches your servers, which sharply reduces PCI scope |
| Embedded / direct API | You build the checkout and pass card data through your own backend via the gateway's API | Highest — full control of UX, flow, and data | Highest — card data flows through your systems, expanding PCI scope and audit obligations |
| Platform plugin / extension | A pre-built connector for a common site builder or commerce platform | Moderate — within the platform's limits | Moderate — depends on whether the plugin uses hosted fields or routes data through your install |
There is no universally correct choice. A subscription business that needs a seamless branded checkout may accept more PCI scope for the control an API gives. A small storefront on a common site builder is usually better served by a hosted or plugin approach that keeps card data — and the compliance burden — off its own systems.
What to evaluate before you commit
Once you know which integration fits your stack, evaluate gateways on the criteria that actually matter over the life of the relationship — not just the checkout demo:
- Security and PCI DSS scope — how much compliance burden the integration puts on you, and what the provider supplies to reduce it (hosted fields, SAQ guidance). Security is merchant protection, not a feature upsell.
- Tokenization — does the gateway replace the card number with a token so you can charge again without storing the raw card? Essential for recurring billing and for shrinking PCI scope.
- Supported payment methods and currencies — cards, digital wallets, ACH, and the currencies your customers actually use.
- Recurring and subscription support — native billing schedules, retries, and dunning, if your model needs them.
- Developer documentation and support — clear, current docs are a leading indicator of how the integration will actually go.
- Uptime and reliability — when the gateway is down, you cannot take money. Ask about historical uptime and status transparency.
- Portability — the one most people forget. If you switch providers later, can you take your customer and token data with you, or are your stored credentials locked to this gateway? Portability protects your leverage for the entire relationship.
Exit terms and data portability deserve the same scrutiny as the checkout itself — they determine whether a future switch is a phone call or a forced rebuild.
Honest caveats
A few things worth saying plainly. First, more control is not automatically better: taking on a full API integration means taking on the PCI scope and security responsibility that comes with it, and for many businesses that is the wrong trade. Second, a bundled all-in-one provider can be the right call for simplicity — but bundling makes it harder to see what each layer costs and harder to swap one piece without disturbing the others; reading your statement carefully matters. See how to read your processing statement to spot where gateway fees actually sit.
Third, gateway choice interacts with your pricing model. If you are running or considering a cash-discount or surcharge program, confirm the gateway and your dual-pricing or surcharging setup handle card-type detection correctly. Finally, this is general guidance, not a recommendation of any specific brand — the right gateway depends on your stack, your channels, and your compliance posture, and those should be reviewed for your situation.
Frequently asked questions
Is a payment gateway the same as a payment processor?
No. A payment gateway transmits and secures the transaction data — encrypting and tokenizing the card, then requesting authorization. The processor handles the actual movement of funds between the cardholder's bank and your merchant account. Some providers bundle both behind one login, which is why the terms get confused.
Does using a payment gateway make my business PCI compliant?
Not by itself. A gateway can dramatically reduce your PCI DSS scope — especially a hosted or redirect integration where card data never touches your servers — but PCI compliance remains your responsibility. The integration approach you choose determines how much of that burden falls on you versus the gateway.
Can I switch payment gateways and keep my saved customer cards?
Sometimes, but not always — this is the portability question to ask up front. Stored card credentials are often tokenized in a way that is specific to one gateway, which can make migrating saved cards difficult. Confirm in writing whether your token and customer data are portable before you commit.
Do I need a separate gateway if I only sell in person?
Usually not. In-person terminals typically include gateway functionality already. A standalone gateway becomes relevant when you add a card-not-present channel — an online store, in-app payments, recurring billing, or invoicing — where there is no physical card reader to do the job.
Not sure which gateway and integration fit your setup?
A FinCo consultant will review your current statement and your web or app setup, then walk you through which gateway type and integration approach actually fit your stack — including what PCI scope each option puts on you. The statement analysis is free, and there is no obligation to change anything.
Last updated June 14, 2026 · Reviewed by FinCo Payment Solutions, Austin, Texas