
Most founders start with the tech and lose a year. Do it in the order that actually opens doors: settle your licence path, keep your card-data footprint small, line up acquirers, then decide what to build versus buy. Three gates are slow no matter what; the fourth is the only one you can compress from years to weeks.
«How do I start a payment processing company?» is really five questions:
what licence you need
how you meet PCI DSS and card-network requirements
who actually moves money between banks
what you build vs buy
how you price so the economics work
Answer them out of order and you pay in lost time. This guide walks the gates in the sequence we use when we help a new processor go live.

Licence path
PI/EMI (EU/UK), MSB + state licences (US), or sponsor/PayFac. Sets independence vs speed.
→

Card-data footprint
Tokenize early, keep PAN off your servers, run on PCI DSS Level 1 rails. A design choice, not paperwork.
→

Acquirers & orchestration
More than one acquirer, smart routing and cascading to protect approvals. One acquirer is one point of failure.
→

Build vs buy
Own routing & brand — build the rails yourself or run on a white-label platform. Payneteasy: PCI DSS Level 1, 150+ fraud filters, 1,000+ integrations.
Your licensing path depends on whether you touch/hold funds, onboard merchants, act as PayFac, provide only technical processing, or operate as an acquirer/PSP.
Time — the licence, PCI and acquiring gates are slow by nature; the build-vs-buy gate is the one you can compress from years to weeks.
In short: two gates you can't rush — the licence path and your acquirer set — and two you control — how much card data you touch, and whether you build the processing stack yourself or run it on white-label rails. The rest of this guide walks each gate in order, starting with the licence.
1. The first step to start a payment processing company: pick a licence path
Before you write a line of code, settle how you are legally allowed to move money. This is the longest pole in the tent; it defines your whole timeline.
You have two realistic routes:

Get licensed yourself
In the EU/UK, that usually means becoming a Payment Institution (PI) or Electronic Money Institution (EMI). In the US, it means registering as a Money Services Business (MSB) and, for many models, obtaining state money-transmitter licences. These permits let you hold and move other people's money in your own name.
→

Operate under a sponsor's programme
Operate under a sponsoring acquirer / PayFac programme, subject to underwriting, network registration, risk monitoring and contract limits. You become a sub-merchant or a sponsored PSP instead of a directly regulated institution.
This first fork is your earliest real decision:

Your own licence
Buys independence, control, and full margin — but can take months to well over a year, plus ongoing compliance cost.
vs

A sponsor / PayFac
Gets you to market faster — but you give up some control and part of the spread on every transaction.
Neither path is wrong. Starting the build before you've chosen one is.
2. Keep card data out of your own house
If your systems collect, store, process or transmit PAN, they enter the cardholder data environment and expand PCI DSS scope — the card-industry security standard enforced on anyone who touches cardholder data. The cost of meeting it scales directly with how much data you hold and where it flows.
The strategic move is not "get certified at any cost." It's design your stack so you hold as little card data as possible, and keep your PCI scope — the slice of your systems auditors must inspect — as small as it can be.
Three design habits do most of the work:

Tokenise early
Tokenization replaces each card number (PAN) with a non-sensitive token. A breach of your systems exposes tokens, not live card numbers.
→

Avoid storing raw card data
Use hosted fields/pages or client-side encryption from a PCI DSS Level 1 provider so your back end never sees PANs directly.
→

Lean on a PCI DSS Level 1 platform
Certifying a large estate from scratch is typically a long multi-month project and a continuous obligation. Depending on the integration model, a PCI DSS Level 1 provider can reduce your own PCI scope.
Your card-data footprint is a design choice you make on day one, not a form you fill out at the end.
3. Line up your acquirers — and a route to more
A payment company is only as strong as the acquirers it can reach.
An acquirer is the bank or licensed processor that settles card payments with the card networks and funds your merchants. No acquirer, no card payments. It is that blunt.
The failure mode almost nobody plans for is wiring yourself to a single acquirer:
| What happens | What it means for you |
|---|
| They tighten risk rules or drop a merchant category | You lose that segment overnight — no fallback route. |
| They don't cover a region you decide to enter | You can't expand there without a new acquirer relationship. |
| Their approval rate quietly sags for a card profile you care about | Real sales bounce for reasons you can't see or fix. |
With one acquirer, every such change is your problem. You have no routing choices.
So plan, from the start, for several acquirers — for geography, risk appetite, card profiles and redundancy — plus a routing layer that chooses between them.
That routing layer is orchestration: a smart switchboard that sends each payment to the acquirer most likely to approve it, and reroutes when one is having a bad day. Cascading retries eligible failed payments where decline reason, scheme rules and risk policy allow it — not every decline can or should be retried elsewhere.
A reseller passes traffic to one place and hopes. A real processing/orchestration setup gives you routing control; a simple reseller setup usually does not. That control is what protects your approval rates and your uptime.
4. Build or buy — where the timeline is won or lost
Building a gateway and processing stack from scratch is large:

Card-data handling
Tokenization and secure storage of cardholder data.

3-D Secure
And other authentication flows at checkout.

Routing & cascading
Logic that chooses and retries acquirers.

Fraud screening
And risk limits across your portfolio.

Reconciliation
And settlement reporting.

Payouts
Sending funds out on the same platform.

Per-acquirer integration
A separate integration for every acquirer and method — often via OpenAPI or similar machine-readable specs.
Realistically, that's years of engineering and certification before a customer pays you a cent.
The alternative is a white-label gateway: the full processing engine runs under your own brand, on infrastructure someone else has already built and certified. You are not reselling their product; you are running yours on rails you control. Payneteasy, for example, ships a PCI DSS Level 1 white-label gateway with smart routing, more than 150 fraud filters, and over 1,000 pre-built integrations, with launch measured in weeks rather than years. The years-long part of the job is the part you skip — you stop building the rails and start routing on rails you control under your brand.
5. Price for the spread, not the headline rate
Your profit is not the rate you quote a merchant. It's the spread — the gap between what you charge and what acquiring and card-network costs sit underneath.
Every card transaction cost breaks into:

Interchange
Paid to the card issuer (issuing bank), set by schemes, varies by card type, channel and region.
+

Scheme fees
Paid to networks (Visa, Mastercard, etc.).
+

Acquirer/processor margin
Your or your provider's markup.
Founders often fixate on the headline rate and ignore the stack below.
Two main pricing models:
Blended (flat-rate) pricing
One flat percentage for all transactions, combining interchange, scheme fees and margin into a single rate. Simple to sell, but can overcharge merchants heavy on low-interchange debit.
vs
Interchange-plus (and IC+/IC++ variants)
Interchange (and sometimes scheme fees) passed through at actual cost, plus a fixed, disclosed markup. More transparent and typically cheaper at scale, but requires your system to handle more detailed statement data.
Neither is automatically "better." It depends on who you sell to and how mature your merchants are.
Two practical steps before you publish a rate card:

Model your effective rate per merchant category
High-risk merchants, subscription SaaS, hospitality, and retail carry different fraud, chargeback and scheme-fee profiles. A single headline rate may work for one and fail for another.
→

Check fee tolerance in your target segments
In some verticals, merchants will accept a higher flat rate for simplicity; in others, they will demand interchange-plus transparency.
Once you know your licence path, PCI footprint, acquirer set and tech strategy, pricing is the last gate — but it's where the economics either work or don't.
Frequently Asked Questions
Usually yes — either your own (PI/EMI in the EU/UK, MSB/state licences in the US) or access to one via a sponsor/PayFac. The path you choose sets your timeline and margin.
Licensing and acquiring are the slow gates (months to 1y+). The processing technology is the part you can compress: building from scratch takes years, while a white-label gateway launches in weeks.
Build only if the gateway itself is your differentiator. Otherwise white-label gives you PCI DSS L1 infrastructure, routing, fraud filters and ready integrations under your brand, far faster.
Wiring to a single acquirer. Plan for multiple acquirers and a routing layer from day one — it is what makes you a processor rather than a reseller, and it protects approval rates and continuity.