Ecommerce Payment Processing Explained

Every time a customer completes an online purchase, there are several different entities and technologies at work to authorise and process the transaction. Understanding how ecommerce payment processing works allows merchants to better understand which ecommerce payment processing solutions will best suit their business.

What is Ecommerce Payment Processing?

Ecommerce payment processing covers every system, technology, and financial relationship involved in completing an online sale.

Ecommerce payment processing is the system that allows online businesses to accept payments and receive the funds into their bank accounts. The process includes the technology involved in authorising the transaction, the financial institutions that move the funds between those businesses, and the security measures involved in handling the customer's card data.

For any online business, ecommerce payment processing is an essential function. Without payment processing, an online business cannot receive any revenue from its customers. However, it also directly impacts the business's costs, fraud issues, and more.

The primary difference between ecommerce and in-person payments is that the customer and their card are not physically present when processing ecommerce payments. This is known as a card-not-present transaction. Because there is no way of physically verifying the customer's card during this transaction, there is a higher risk of fraud for ecommerce transactions. This introduces a higher risk of fraud into the transaction, which translates to higher fees for ecommerce payments.

How Ecommerce Payment Processing Works (Step-by-Step Flow)

Each online transaction follows a defined sequence of events, from the moment a customer submits payment to the point funds reach the merchant's account.

Customer Checkout and Payment Submission

When a customer adds the items to their shopping cart and proceeds to purchase the items from an online business, their payment information is collected by a payment gateway. This information will later be used to authorise their transaction.

Payment Authorization and Authentication

After the payment information is collected, it is sent to a payment processor, which will send a request through a card network like Mastercard or Visa to the customer's issuing bank. The customer's issuing bank will respond with an authorisation for or against the transaction. This process takes place in two to three seconds.

Role of Card Networks, Issuing Banks, and Acquiring Banks

Three financial entities are involved in each ecommerce transaction:

Settlement and Fund Disbursement

Once the transaction is authorised between the customer and the merchant, the funds are not immediately transferred between the two parties' banks. The funds are settled between the customer's bank and the merchant's bank. This settlement takes place within one to three business days. The merchant will receive the funds of the transaction after deducting the fees for processing the transaction.

Common Failure Points and Declined Transactions

There are two main reasons that an ecommerce transaction may be declined by the customer's bank:

Hard declines: A permanent rejection of the transaction. These can happen if the card is invalid or the customer's account is closed. In these instances, the transaction cannot be processed, even on a retry of the transaction.

Soft declines: Can be reversed by retrying the transaction. These can happen if the customer does not have enough funds in their account or if the transaction timed out when being processed.

A separate type of decline is referred to as a false decline. False declines are cases in which the customer's transaction is authorised by their bank but declined by the merchant's acquiring bank. These instances can result in the merchant losing revenue from the transaction while the customer has a poor experience with the merchant. Reducing the number of false declines is of significant interest to ecommerce merchants.

Core Components of Ecommerce Payment Processing Infrastructure

Several distinct components work together to move payment data and funds through each transaction.

Payment Gateway

A payment gateway handles the actual transfer of payment information between the customer and the ecommerce store. All data is encrypted prior to transmission to ensure the data cannot be accessed by anyone other than the ecommerce store.

There are two forms of payment gateways:

The gateway replaces payment information with a unique identifier (or token) that authorises the payment but can be used in place of the actual payment information for all future transactions.

Payment Processor

A payment processor will route the transaction from the ecommerce store to the payment gateway to the card networks and the bank that accepts those payments (the acquiring bank). The acquiring bank will receive the transactions at the end of the day and report to the ecommerce store.

As the middleman between the ecommerce store and the acquiring bank, the acquiring bank maintains a relationship with the card networks and the issuing bank to facilitate the transactions.

Merchant Account

A merchant account is a bank account that is held at the bank that accepts the payments (the acquiring bank). This merchant account temporarily holds the funds from the ecommerce store until they are transferred to the merchant's account.

The acquiring bank underwrites the merchant account; they review the type of business, how many transactions are processed, and the history of chargebacks against the merchant account. The acquiring bank will hold a portion of the merchant's funds as a buffer for potential chargebacks against the merchant by customers.

Payment aggregators (companies like Stripe, Square, and PayPal) hold all merchants under one merchant account. This avoids the acquiring bank underwriting each merchant's account. Merchants gain access to their accounts quickly by avoiding underwriting, but place themselves at risk for account holds by the payment aggregators should they have a high number of chargebacks.

How Merchant Accounts and Payment Gateways Differ

Payment gateways and merchant accounts are two separate components of ecommerce payment processing. As with any payment gateway, the payment gateway does not hold any money from the customers.

A merchant account is a financial account; it receives and temporarily holds the funds from ecommerce sales.

The acquiring bank that holds the merchant account assumes the financial risk of the merchant and customer relationship. Conversely, the payment gateway provider assumes the risk of security and data; they are the entity that ensures that the data is encrypted.

For the majority of ecommerce stores, both of these components are provided by one provider. For those that process high volumes of sales, the merchant will likely handle their acquiring bank and merchant account, but will use a payment gateway of their choice.

Common Ecommerce Payment Methods

The payment methods a store accepts directly affect which customers can complete a purchase.

The decision to use an additional payment method besides credit and debit cards is determined by the markets from which the ecommerce store receives orders. Customers from markets in which another form of payment is the dominant form will abandon the shopping cart if the ecommerce store does not support that form of payment.

Therefore, additional payment methods are required for ecommerce stores to reach their markets and improve their rates of order fulfilment.

Ecommerce Payment Processing Fees Explained

Payment processing costs are made up of several separate fee types, each charged by a different party in the transaction chain.

Interchange Fees

The interchange fee is the largest fee for most ecommerce stores. The acquiring bank must pay the issuing bank for the acceptance of the customer's card. The rate for interchange fees is set by the credit card companies. 1.9% rates apply to online transactions compared to in-store merchants because of the higher risk of fraudulent transactions.

Processor Markups and Pricing Models

The acquiring bank or merchant service provider will add fees to the interchange fees. The percentage rates are applied to the total sales volume, but at different rates based on the merchant. The most common types of rate structures for payment processors are compared below.

Authorisation, Settlement, and Refund Fees

In addition to the percentage rate applied to the sales volume, merchants are also charged for individual events. These events include the authorisation of sales, the settlement of those sales, and the processing of refund requests.

The fees for authorisations, settlements, and refunds are charged separately from the percentage rate. Refund fees can vary between payment processing companies.

Chargeback and Dispute Costs

Should a customer begin to dispute the charge for a sale, the merchant will be debited the amount of that transaction and will be charged a fee for that chargeback. The fee is usually between $15 and $100 for the chargeback of a transaction. If a store has too many chargebacks for a period of time, the acquiring bank may charge the store an additional penalty fee and potentially end the store's ability to accept payments.

Typical Fee Ranges for Small and Mid-Sized Online Stores

The typical cost for small and mid-sized online merchants to process payments is around 1.9% to 3.5% of the total sales volume. The actual effective percentage can vary according to the type of card used for payments, the total value of each transaction, and the number of international transactions made by the customers.

Security in Ecommerce Payment Processing

Ecommerce transactions carry inherent security risks because the card and cardholder are not physically present at the point of sale.

PCI DSS, SSL, and Tokenisation

The PCI DSS is a set of security requirements that apply to any business that handles card payments. The level of compliance required of merchants is based on the technology used to create the merchant's checkout page.

Merchants who use hosted payment pages and tokenisation on the client side only have to meet the requirements for the most basic compliance with the PCI DSS. Merchants who handle card data on their own servers are required to adhere to more stringent security requirements.

To minimise their requirements with the PCI DSS, ecommerce merchants should use a payment provider that offers their hosted payment tools rather than managing their own servers and data.

How 3D Secure Improves Checkout Security

3D Secure authentication protocols add an extra layer of verification between the customer and their bank. Their bank confirms the customer's identity before the transaction can be processed.

The current version, 3DS2, is designed to be invisible to customers for most routine transactions. Only if the customer's bank determines that their transaction requires further authentication will they be asked to provide authentication information. If the authentication is successful, the merchant is no longer liable for the transaction and any chargebacks that occur as a result of it.

In markets like Europe, 3DS is a regulatory requirement for most online card payments. In markets where 3D Secure is an optional protocol, merchants must determine whether the reduction in chargebacks justifies any negative impact on the checkout process of their customers.

Key Challenges in Ecommerce Payment Processing

Several recurring issues affect the cost, reliability, and performance of ecommerce payment processing.

Fraud and false declines are two challenges for ecommerce merchants. Any fraud prevention protocols will result in some genuine transactions being declined from merchants' databases. This can reduce the merchants' potential revenue.

Additional costs are in the processing of cross-border payments. These costs include cross-border interchange fees, foreign exchange fees, and declined transactions initiated by the customer's bank for foreign transactions.

Friction in the checkout process of merchants' websites will result in customers adding items to the cart but abandoning the purchase process altogether. Any issues experienced during checkout can be a result of the payment provider.

There are additional costs associated with the technical maintenance of the merchant's software integration with their payment provider. Any changes to their API will likely require additional maintenance of the merchant's website.

How to Choose a Payment Processor for a Small Online Store

The right payment processor depends on the merchant's current sales volume, technical requirements, and target markets.

Payment Aggregators vs Dedicated Merchant Accounts

Payment aggregators are generally the best choice for new ecommerce businesses. Their pricing is more competitive at higher sales volumes, and they do not require a minimum sales volume to begin using their services.

For existing merchants, dedicated merchant accounts are worth considering when sales volumes begin to significantly increase.

Onboarding Speed and Underwriting Requirements

Payment aggregators can go live with merchants almost instantly. For merchants with dedicated accounts, a bank and accounting software company will review the merchant's business, which can take days or even weeks.

API Quality, Documentation, and Developer Tools

For merchants who want more control over their checkout and ordering experience, the quality of a company's API is important. A quality API with good documentation can significantly reduce the amount of time it takes to integrate with their website.

Supported Payment Methods, Regions, and Currencies

A merchant should ensure that a payment provider offers the same payment methods, currencies, and regions as their customers. If a company does not have acquiring relationships with banks in specific regions, its sales in those regions will result in higher rates of declined transactions and fees.

Pricing Transparency and Scalability

The pricing plans of payment providers vary. Some providers charge a flat fee for each transaction, while others have different fees for different types of transactions. Dedicated merchant accounts will have interchange-plus fees, which go down as the merchant increases their sales volume. Aggregator companies have a flat-rate pricing model, which is easier to understand but costs more as sales volumes increase.

Best Practices for Optimising Ecommerce Payment Processing

A few operational changes can reduce checkout abandonment, lower declined transaction rates, and prepare a store for growth.

Designing a low-friction checkout: A low-friction checkout process requires merchants to collect as few customer details as possible. Merchants can also offer a guest checkout process to make it even easier for their customers to complete their purchases.

Mobile payment optimisation: A mobile-friendly checkout process is essential as many merchants get most of their sales from mobile devices. Merchants should ensure that their checkout is mobile-friendly. Additionally, one-touch payments using companies like Apple Pay and Google Pay will increase the ease with which their customers can make purchases.

Monitoring authorisation and decline rates: Regularly reviewing the software metrics of the payment processing software will allow merchants to catch and fix any issues early in the payment process. For example, if merchants notice a declining rate of authorisation of payments, they must investigate the cause of the declined payments.

Preparing for scale and international expansion: Merchants should plan for sales volume increases and international sales before their businesses begin to experience these sales increases. Factors to consider include whether the current payment provider will be able to handle the expected sales volume and countries, and whether they need to include acquiring relationships with banks in those new markets.