Beginner’s guide to eCommerce payment processing

One of the most complex areas of launching an eCommerce business is getting set up with payment processing services so that you can accept payments online.

While merchants with existing brick-and-mortar businesses are familiar with some of the ins-and-outs of payment processing, they’re not always familiar with how online payments work.

There are several payment methods you can accept, along with some terms that you should know to get up and running with eCommerce payment processing.

Types of online payments

Knowing how payment processing works and what kind of payments you can accept is the first thing you’ll need to consider before signing up for a payment processor.

Credit cards
Almost all payment processors will allow you to accept credit card payments from your customers, which is one of the most common ways to pay online.

Credit card payments typically go through the following lifecycle:

  1. Customer enters payment details on your site
  2. These details are sent from your site to your payment gateway to check if the transaction should be approved or declined
  3. Your payment gateway makes the determination on the transaction, and tells your site if it’s okay or not
  4. Your site either accepts the payment and completes checkout, or shows the customer a decline message and rejects the payment has an interesting diagram to provide a more detailed overview of how this works.

PayPal is one of the most trusted payment methods on the internet, and it’s a huge benefit for merchants to offer it. Nielsen Online Buyer Insights reports that PayPal Merchants benefit from a 27% increase in total customers after integrating PayPal, while total amount spent by customers increases 15% and transactions per customer almost double.

PayPal can process credit card transactions, but they can also act as a money transfer service when PayPal credit is used (like a digital wallet).

We’ve got a comparison of available PayPal services for merchants who aren’t too familiar with PayPal, as we’ll focus mostly on credit card processing in this article.

ACH transfers / eChecks
Bank transfers or eChecks are essentially like paying with cash or checks online. They allow the customer to enter bank details for your payment gateway to check the funds and initiate a transfer to your merchant account.

There are also some payment methods, such as Dwolla, that can simulate “cash transfers” online, which are typically lower cost for merchants than credit card processing.

Bitcoin / Cryptocurrency
Bitcoin is still a very small portion of online payments, so many merchants don’t accept bitcoin or other cryptocurrencies. However, if your customers may be concerned with privacy, bitcoin may be an option they appreciate having (though otherwise I probably wouldn’t bother with it for your store).

Bitcoin transfers are sort of like a secure ACH transfer (but in a unique currency rather than USD, etc), as the transfer is immediate and there are no payment processing fees. However, this really isn’t a great option for beginners, so while it can seem like a cutting edge thing to do, you’re better off with PayPal / credit card payments.

Payment processing terms

Let’s take a look at a glossary of eCommerce payment processing terms with which you’ll want to be familiar as you launch your business. These are mostly related to credit card processing, as that’s typically a rabbit hole for many new merchants 🙂

Merchant account

A merchant account is essentially your bank account for transferred payments; it’s where the payment coming from the customer goes to first before you can transfer it out to your business bank account (if you have a separate business bank account). The merchant account isn’t involved directly in the payment transaction, so you have a lot of flexibility in where you get your merchant account (i.e., your local bank).

If you have a brick-and-mortar location, you most likely already have a merchant account for the payments you accept in-person. If you don’t already have one, you have a choice between a dedicated or an aggregated account.

A dedicated account will be a merchant account only used by you, and is the choice of many merchants (though you’ll typically need some more set up to get a dedicated account). When payments are processed, they’re typically transferred to this account within a couple of days, and then released to you for transfer to your business bank account within a couple more days.

An aggregated account is what many modern processors like Braintree and Stripe offer — they’re bundled in with your payment gateway so you don’t have to sign up for both a merchant account and a payment gateway account. They’re great for new merchants, as you only sign up for one “payment processing” account, and after payments have cleared, they can just be transferred to your business’s bank account.

Payment gateway

A payment gateway is the online replacement for a point-of-sale terminal (the thing your credit card is swiped through). This is what handles approving and declining transactions and managing responses to and from your website.

When you use an eCommerce plugin, you typically need an extension or add-on plugin to connect your payment gateway to your website. The integration plugin is what handles the communication between your website and the payment gateway to check whether transactions should be approved or declined. You can usually buy a pre-made integration for your eCommerce plugin and your payment gateway; if none are available, you need to hire a developer to build one, as your website needs a way to communicate with your payment gateway.

If you have a dedicated merchant account, you may be charged fees for it, and your payment gateway fees will be assessed separately. If you sign up for an aggregated account that includes both the merchant account and payment gateway, your fees are typically for the entire “payment processing” package.

The payment gateway is where you get differentiation in terms of which features are offered: whether customers can save cards for future purchases, whether you can authorize charges and capture them at a later date, and which credit cards (or other payment methods, such as eChecks) you can accept.

Charge vs. authorize

Most payment gateways can allow you to either charge or authorize a payment. Charging a payment means that your payment gateway requests funds from the customer immediately; a charge says, “please have this person’s account pay me now.”

Authorizing a payment means that your payment gateway first asks if the customer can afford the charge; it says, “does the customer have sufficient funds for the order?” This lets you then capture the payment and complete the charge later.

If you want further details, we have a writeup on Authorizing vs Charging.


Tokenization refers to the ability to securely save a customer’s payment information for a later date. You should never, ever, ever store customers’ credit card numbers on your website. Instead, if you want to allow customers to save a payment method for easy use in the future or for recurring payments, your payment gateway will need to offer the ability to tokenize the payment details.

This means that the payment gateway securely stores the customer’s credit card number and personal details, and instead gives your site a “token” to use.

This is kind of like how poker chips work — the payment processor gives you a token for the credit card number instead of the actual credit card number. At a later time, you can charge the customer by using the payment token — your website basically says to the payment gateway, “Please charge token #123456,” and the payment gateway can then run the credit card details for that token securely since it’s stored which tokens go with which credit card.

That way, if your site is ever compromised, only useless payment tokens are gathered (since they’re specific to your merchant account, they can’t be used by anyone else), rather than very important credit card numbers.

If you’d like to allow customers to save payment methods for future use, or you want to allow things like pre-orders and recurring payments, you’ll want to ensure that your payment processor supports tokenization. They sometimes also refer to this as a “secure vault” or similar.

SSL certificate

Here’s what you need to know about SSL Certificates: get one. That’s it.

Get one no matter whether your payment processor requires one or not; it’s a no-brainer investment, and you can get them starting for less than $10 per year. Not only do SSL certificates protect customer information if your payment processing takes-place on site, they also protect login credentials — both yours and customers — when logging into your site so they can’t be intercepted.

Aside from this, they also improve conversions. Customers are trained to look for the “green lock” at checkout, and even if they’re being taken off-site to complete purchase, they don’t know that it’s not necessary. Just get one.

My favorite place for low-cost SSL certificates is NameCheap — the Comodo PositiveSSL cert for $9 is a good beginner option, or the EssentialSSL certificate for $29 per year, which includes a site seal you can use as a trust badge.

If you want a wildcard cert or more features, Digicert is an exceptional company. They offer unlimited duplicates for multiple server setups and free certificate re-issues in case you change DNS services; more importantly, they’re extremely knowledgeable and have solved any problem I’ve had with my SSL certificates super-quick.

Want to read more about SSL certs? We have an overview important details.

PCI compliance

PCI Compliance is one of those terms that many merchants have heard of and know is important, but don’t really understand what’s related to it or how it works.

PCI Compliance refers to regulations that are imposed on merchants in order to be able to accept payments securely online. There are several levels of compliance, which relate to different layers of security for payment processing, and merchant accounts can require different levels of compliance to accept payments (or some allow the use of an SSL certificate alone and charge a monthly fee for non-compliance).

Since payment processing requires communication between your site and a payment processor, it may or may not be related to your payment gateway / eCommerce plugin alone, which is why it tends to be complicated to understand.

If payments occur off of your site, and the customer gets redirected back to your site (like PayPal Standard), this is PCI compliant because your site never handles sensitive customer data or credit card numbers.

If customers remain on site, then the way your payment gateway integration is built and the features your payment gateway offers will influence PCI compliance.

SkyVerge has a good overview of PCI compliance and payment gateway integrations that explains this in further detail; while it’s related to WooCommerce, the overview applies to any eCommerce plugin (for WooCommerce stores, it does have a comparison of the compliance and features for many gateway integration plugins in a spreadsheet).

Helpful resources on payment processing

This gives you an introduction to types of processing and terms payment processors use, but decided what processor is right for your store is up to you. It will depend on:

  • what payments you need to accept (credit cards, ACH / eChecks, etc)
  • whether you have a merchant account already or not
  • whether you need to be PCI compliant and what level of compliance you need to meet
  • whether or not there’s an integration plugin available for your eCommerce plugin and payment gateway (you’ll have to fund one if not)
  • what features the payment gateway offers
  • what features the payment gateway integration plugin supports (if it can tokenize cards using your payment gateway’s tokenization, etc)

We have a guide on selecting a payment processor that has further points.

If you use an eCommerce plugin already, we’ve also compared some of the payment gateway integration plugins available for each:

Payment processing recommendations

So which payment processors do I recommend? That depends on whether you have a merchant account already or not.

If you already have a merchant account (i.e., for your brick-and-mortar store), and you want to use this for your online payments as well, I’d highly recommend checking out Braintree. While they offer accounts with combined merchant accounts and payment gateways for new merchants, you can also use their payment processing services with an existing merchant account. They have fantastic customer service, and they offer tons of great tools and features for merchants.

The built-in integration they have for PayPal is also excellent (PayPal owns Braintree). The WooCommerce integration for Braintree supports many of these features.

Many merchants also use Authorize.Net, which is another excellent choice (they were the first company to offer online payment gateway services). They offer tokenization, eCheck support, and tons of other features. You can use Authorize.Net as a payment gateway with an existing merchant account, or use their bundled offering for an all-in-one processor.

Stripe is also one of my favorites, and we’ve written about why you should use Stripe since it’s really easy to get set up. They offer combined merchant accounts and payment gateway services, so you’ll be up and running within minutes, and almost every eCommerce platform anywhere integrates with Stripe.