# How to Choose a Payment Gateway: A B2B Decision Framework

Source: https://payneteasy.com/blog/how-to-choose-a-payment-gateway

_A practical B2B framework for choosing a payment gateway: pricing, local acquiring, PCI DSS, integration speed and 5 questions to ask vendors._

19.05.2026

9 min read

Table of contents

1. [Gateway vs processor vs acquirer vs PSP — terminology that matters](#terminology-that-matters)
2. [Cost structure: flat-rate, interchange-plus, and hidden fees](#cost-structure)
3. [Payment methods, currencies, and local acquiring](#payment-methods-and-local-acquiring)
4. [Security, PCI DSS v4.0, and fraud controls](#security-and-pci-dss)
5. [Integration speed and developer experience](#integration-and-dx)
6. [Smart routing, scalability, and uptime SLAs](#routing-and-uptime)
7. [Decision framework: 5 questions to ask any gateway vendor](#decision-framework)
8. [FAQ](#faq-heading)

Contact author

Selecting a payment gateway is a multi-year infrastructure decision. Once integrated, switching costs are real: re-integration time, customer notification cycles, churn risk on stored payment methods, and contractual lock-in with acquirers. Getting it right the first time matters.

The market is fragmented and growing fast — the global payment gateway segment was sized at **USD 26.7 billion in 2024** and is projected to reach USD 48.4 billion by 2029 at a 12.6% CAGR, according to [MarketsandMarkets](https://www.prnewswire.com/news-releases/payment-gateway-market-worth-48-4-billion-by-2029---exclusive-report-by-marketsandmarkets-302112857.html). Providers range from regional acquirer-owned solutions to global orchestration platforms. The challenge is not access. It is matching technical and commercial fit to your business model: ecommerce, marketplace, SaaS subscription, high-risk vertical, or cross-border B2B.

This guide walks through the criteria that actually move the needle on approval rates, cost-of-funds, and time-to-market — and the terminology you need to negotiate intelligently with vendors.

## Gateway vs processor vs acquirer vs PSP — terminology that matters

Before evaluating vendors, get the vocabulary right. Marketing copy across the industry routinely blurs these roles.

### The five roles in a card transaction

- **Payment gateway** — the front-end connector that captures and transmits cardholder data from checkout to the processor. Owns tokenisation, hosted fields, and SDKs.
- **Payment processor** — handles authorisation messaging between the gateway and card networks (Visa, Mastercard, Amex).
- **Acquiring bank** — holds the merchant account, settles funds to the merchant, and assumes financial liability for chargebacks.
- **PSP (Payment Service Provider)** — bundles several of the above under a single contract (Stripe, Adyen, and similar).
- **Payment orchestration platform** — sits above multiple gateways and acquirers, routing transactions intelligently. Often confused with a "gateway", but the role is materially different.

A standard card transaction passes through **authorisation** (typically under 2 seconds) and **settlement** (T+1 to T+3 business days, depending on the acquirer and card scheme). If a vendor pitches a "gateway" but you actually need orchestration — multi-acquirer routing, vault portability, cascading retries — you will outgrow the product within 18 months.

## Cost structure: flat-rate, interchange-plus, and hidden fees

### Pricing models compared

- **Flat-rate** (e.g. 2.9% + $0.30 per transaction) — predictable, but opaque markup; typically more expensive at scale.
- **Interchange-plus** (interchange + fixed bps + per-transaction fee) — transparent, scales economically above roughly $50K monthly volume.
- **Tiered / blended** — vendor groups transactions into "qualified / non-qualified" tiers; almost always favours the vendor. Avoid.

All-in card processing costs in the US typically fall between 1.5% and 3.5% MDR, depending on card type, region, and risk profile. Public pricing pages of major PSPs illustrate the spread — see [Stripe Pricing](https://stripe.com/pricing) and [Adyen Pricing](https://www.adyen.com/pricing) for current published rates.

### Fees beyond the headline rate

- Authorisation fee — charged per attempt, including declines
- Chargeback fees — typically a flat fee per Visa/Mastercard dispute, set by the acquirer; additional fees apply if a case escalates to arbitration (see Visa and Mastercard public chargeback documentation)
- FX markup on cross-border — usually applied as a percentage above the interbank rate, plus separate Visa/Mastercard cross-border scheme fees
- Monthly minimums, PCI compliance fees, gateway access fees
- Early termination penalties

**Negotiation tip:** request a sample statement based on your last 30 days of transaction data. Reputable vendors will provide it pre-contract.

## Payment methods, currencies, and local acquiring

A gateway that supports "all major cards" is the baseline. The differentiation is in **local payment methods (LPMs)** and **local acquiring**.

### Payment method coverage by region

Regional mix data is published annually in the Worldpay Global Payments Report:

- **Europe** — SEPA Direct Debit, iDEAL (NL), Bancontact (BE), Sofort / Klarna, BLIK (PL). Account-to-account transfers account for a growing share of e-commerce transaction value.
- **APAC** — Alipay, WeChat Pay, GrabPay, UPI (India), PIX. Digital wallets dominate the regional e-commerce mix.
- **LATAM** — Boleto Bancário (BR), OXXO (MX), PSE (CO). Cards still lead, with wallets and cash-based vouchers as significant secondary channels.
- **MENA** — mada (SA), KNET (KW), Benefit (BH).

### Why local acquiring beats cross-border processing

Industry data from Adyen, Worldpay, and Stripe consistently shows that domestic (local-acquired) transactions are approved at materially higher rates than cross-border transactions on the same card, and that local acquiring also reduces per-transaction cost. If your largest market is outside your acquirer's home country, ask the vendor about local entity acquiring or partner-acquirer routing.

## Security, PCI DSS v4.0, and fraud controls

### Compliance baseline

PCI DSS v4.0.1 is the current active version of the standard, with the future-dated new requirements introduced in v4.0 taking effect on **31 March 2025** — see the official timeline from the [PCI Security Standards Council](https://blog.pcisecuritystandards.org/countdown-to-pci-dss-v4.0). Verify that the vendor's AOC (Attestation of Compliance) is current and covers the integration mode you are using — hosted, redirect, or direct post.

### Reducing your own PCI scope

- Hosted fields / iframes → SAQ A (minimal scope)
- Direct API with tokenisation → SAQ A-EP
- Server-side card capture → SAQ D (full scope, expensive to maintain)

Choose the integration mode that keeps you in the lowest scope your UX requirements allow.

### Fraud tooling

Mature gateways combine several layers of [fraud prevention](/payment_technologies/control/antifraud):

- **Rule-based filters** — velocity, geo-IP, BIN, AVS/CVV mismatch
- **Network-level signals** — Visa Advanced Authorisation, Mastercard Decision Intelligence
- **ML scoring** — trained on cross-merchant patterns
- **3D Secure 2.x** — frictionless authentication, SCA-compliant for PSD2 in the EU and UK

Ask vendors for chargeback rate benchmarks by vertical, not generic "fraud prevention" claims.

## Integration speed and developer experience

### What good developer experience looks like

- REST or GraphQL API with versioning and a public changelog
- Server-side SDKs in your primary stack
- Drop-in or hosted-fields UI for fastest integration
- Sandbox environment with realistic test data
- Webhook reliability — signed, retried, idempotent
- Postman collection or OpenAPI spec
- Status page with historical uptime

### Time-to-first-charge as a benchmark

A reasonable benchmark a competent backend developer should be able to hit with a mature gateway is first sandbox charge within a couple of hours of receiving API credentials. If onboarding requires multiple sales calls before API access, that signals slower ongoing support velocity.

## Smart routing, scalability, and uptime SLAs

### When you need orchestration

A single gateway is fine until you hit one of:

- Multi-acquirer routing for approval-rate optimisation
- Geographic redundancy across acquirers
- Cascading retries on soft declines
- Compliance with country-specific acquirer mandates

At that point, you need either a gateway with built-in routing or a dedicated [payment orchestration platform](/solutions/orchestration-payment-platform).

### Uptime SLAs — read the fine print

- **99.99%** — approximately 52 minutes of downtime per year
- **99.9%** — approximately 8.7 hours per year
- **99.5%** — approximately 43 hours per year

Ask whether the SLA is backed by service credits, and what is excluded — planned maintenance, third-party outages, force majeure.

## Decision framework: 5 questions to ask any gateway vendor

1. **Show me a sample statement on my last 90 days of volume — what is the effective rate?**
2. **What is your domestic vs cross-border approval rate on Visa and Mastercard in my top 3 markets?**
3. **Which PCI integration modes are supported, and what is the SAQ implication for me?**
4. **What is the documented uptime over the last 12 months, including the worst incident?**
5. **What is the data portability story if I want to leave — token vault, recurring schedules, dispute history?**

Vendors who answer all five with concrete data are negotiating in good faith. Vague answers on any of them are a flag.

The right [payment gateway](/solutions/gateway) depends on your transaction profile, geographic footprint, and growth horizon. A high-volume cross-border B2B platform has different needs than a domestic SaaS subscription business. Match the tool to the use case, not to brand recognition.

## Related products

- [White Label Payment Gateway (PSP)](/solutions/gateway) — Offer your customers a top-level payment solution, increase your turnover and boost your business profit.
- [Orchestration Platform (Merchants)](/solutions/orchestration-payment-platform) — Only one integration to consolidate all your payment providers to a unified management system.
- [Leads Protection System (Merchants)](/solutions/leads_protection_system) — The technological solution for GDPR compliance, and will protect your most valuable data and leads from hackers, thieves, malware, AND trusted employees. Based on the best PCI DSS practices.

## Frequently Asked Questions

### What is the difference between a payment gateway and a payment processor?

A gateway is the front-end connector that captures and transmits cardholder data from your checkout. A processor handles the actual authorisation messaging with card networks. Many providers bundle both, but knowing which role you are contracting for matters when you want to swap one component without re-integrating the other.

### How much does a payment gateway cost?

All-in card costs in the US typically run 2.5%-3.5% for SMB merchants on flat-rate pricing, and lower on interchange-plus pricing above roughly $50K in monthly volume. Factor in chargeback fees, FX markup on cross-border, and monthly minimums.

### Do I need a separate gateway for international payments?

Not necessarily, but you do need a gateway that supports local payment methods and local acquiring in your key markets. Domestic processing delivers higher approval rates and lower per-transaction cost than cross-border on the same card.

### Is PCI DSS compliance the gateway's responsibility or mine?

Shared. The gateway must hold a current AOC under PCI DSS v4.0.1, with future-dated requirements fully effective since 31 March 2025. Your own scope depends on the integration mode: hosted fields keep you at SAQ A (minimal scope), while server-side card capture puts you at SAQ D.

### When should I consider a payment orchestration platform instead of a single gateway?

When you need multi-acquirer routing, geographic redundancy, cascading retry logic on soft declines, or compliance with country-specific acquirer mandates - usually around the point where a single acquirer's approval-rate gap or downtime starts visibly costing you revenue.
