Payment gateway: what it is, how it works and how to choose one

By Tiago Costa · Updated on July 9, 2026

Illustration of a payment gateway: the bridge between the customer checkout and the bank, authorizing the charge.

Definition

A payment gateway is the service that sits between the customer and the bank and processes the charge: it authorizes the card, tokenizes the data and retries payments that fail.

  • Authorizes and tokenizes each transaction, without storing the card in your system.
  • Retries declined charges (dunning) and reduces involuntary churn.
  • Examples: Stripe and Asaas.

What a payment gateway is

A payment gateway is the service that connects your application to the financial system. When a customer enters a card to subscribe to a plan, the gateway receives that data, transmits it securely to the issuing bank and returns the answer (approved or declined) in seconds. It is the bridge between your checkout and the money that lands in your account.

In SaaS, the gateway is what turns a subscription into actual revenue. Every dollar of MRR only materializes when the gateway manages to authorize the recurring charge each month. That is why it is not an infrastructure detail: it is a central part of the recurring-revenue machine. Stripe and Asaas are well-known examples.

How it works: authorization and tokenization

A charge flows through a few quick steps. The customer enters the card; the gateway encrypts and sends the data to the card network and the issuing bank, which check balance, limit and fraud signals; the answer comes back authorizing or declining the transaction. All of this happens in fractions of a second, invisible to the user.

The key piece is tokenization: instead of storing the card number in your database, the gateway replaces it with a token, a code with no value outside that context. You then charge the customer again next month using the token, without ever holding the card. This drastically reduces the risk and the compliance scope that falls on your system.

Infographic of a payment gateway flow: from the card at checkout to authorization, with the data tokenized.
The flow of a charge: the gateway authorizes the card and tokenizes the data, without storing it in your system.

Gateway, acquirer and processor: the differences

It is common to confuse three roles that work together but do different things. The gateway is the software layer that captures the data at checkout and forwards it securely. The processor routes the transaction between networks and banks. The acquirer is the institution that actually settles the money and deposits it into the merchant account.

  • Gateway: authorizes, tokenizes and talks to the checkout.
  • Processor: routes the transaction through the card networks.
  • Acquirer: settles the transaction and pays the merchant.

In practice, many modern providers bundle the three roles into a single product, which is why the line between them blurs. For someone running a SaaS, what matters is that the whole stack authorizes the charge and deposits the revenue reliably.

Smart retries and dunning: less involuntary churn

Not every declined charge means a customer who wants to cancel. An expired card, a limit briefly maxed out or a random bank decline knock down payments from customers who still want the product. When those charges are not recovered, the customer drops for a purely operational reason: this is involuntary churn.

A good gateway attacks this with smart retries and dunning: it reprocesses the charge on the times and days most likely to be approved, tries a backup card and sends emails asking the customer to update their details. Every recovered charge is MRR that does not vanish from your balance. Across a large base, recovering even a fraction of declines makes a meaningful difference to retention.

Illustration of smart retries and dunning: declined charges being reprocessed to recover subscriptions.

Security: tokenization, PCI and chargebacks

Processing cards means following the PCI DSS standard, the set of security rules from the card networks. By using the gateway tokenization and hosted checkout, much of that responsibility leaves your system, because the sensitive data never touches your servers. This lowers the cost of compliance and the risk of a breach.

The gateway also helps handle a chargeback, the dispute in which the cardholder asks the bank for a refund. Fraud prevention, identity verification and evidence collection help reduce how often they happen and contest legitimate charges. A high volume of chargebacks, beyond the direct loss, can lead the card network to penalize the business.

How to choose a gateway for subscription SaaS

For a SaaS, the criteria go beyond the per-transaction fee. Look at the approval rate (the higher it is, the more revenue lands), the quality of retries and dunning, support for recurring billing and subscriptions, local payment methods (in Brazil, Pix is decisive) and how easy the API is to integrate.

  • Approval rate: approving more cards is more revenue without selling more.
  • Recurring billing and dunning: native subscription support and smart retries.
  • Local methods: cards, Pix, bank slips and wallets to match your audience.
  • Integration: API, webhooks and reports that talk to your system.

Cloud spending keeps growing, and Gartner projects that public cloud spending will reach around $723 billion in 2025, which underscores how much a reliable billing infrastructure matters for any recurring-revenue business. Choosing the right gateway is, in the end, protecting the revenue you have already won.

Frequently asked questions

It is the service that sits between the customer and the bank and processes the charge: it authorizes the card, tokenizes the data and retries payments that fail. Stripe and Asaas are examples.

The gateway captures and tokenizes the data at checkout; the processor routes the transaction through the card networks; the acquirer settles the money and deposits it into the merchant account.

It does not have to. With tokenization, the card number is replaced by a token, and the sensitive data does not stay in your system, which lowers risk and PCI compliance scope.

With smart retries and dunning: it reprocesses declined charges at the best times, tries backup cards and asks customers to update their details, recovering subscriptions that would otherwise drop over a payment failure.

Usually you open an account with the provider, submit your business details for verification and integrate via API or a hosted checkout. From there, you can authorize charges and receive settlement.

Yes. Most gateways process cards, wallets and local methods like Pix and bank slips in Brazil. Offering local methods usually raises approval and reduces checkout friction.

Related concepts