Payment Gateway vs Payment Processor: What Is the Difference?

The payment gateway vs. payment processor confusion is one of the most common in fintech — and it costs businesses money. Merchants who don’t understand the stack often pay for redundant services, accept unfavorable contracts, or struggle to troubleshoot failed payments. For CFOs managing multi-country payment operations, this understanding is essential for cost optimization and vendor selection.

What Does a Payment Gateway Actually Do?

A payment gateway sits at the front end of the payment process. When a customer enters card details at checkout, the gateway performs several critical functions in milliseconds: it tokenizes the card number (replacing it with a non-sensitive token to reduce PCI DSS scope), encrypts the data, authenticates the customer if 3D Secure is required, and sends a formatted authorization request to the payment processor or acquiring bank.

Gateways also handle the user experience layer — the checkout UI, payment form, redirect flows for bank authentication (common in EU under PSD2/SCA requirements), and the response messaging back to the merchant. A gateway failure means the checkout page breaks. It is a mission-critical piece of the payment stack, and gateway uptime SLAs (99.99% is standard) directly affect revenue.

What Does a Payment Processor Do?

A payment processor handles the back-end financial mechanics. After the gateway sends an authorization request, the processor routes it to the appropriate card network (Visa, Mastercard), which passes it to the cardholder’s issuing bank. The issuer approves or declines and sends the response back through the same chain. The processor then batches all approved transactions and submits them for clearing and settlement, typically once per day.

Processors also manage acquiring bank relationships — in many architectures, the processor IS the acquiring bank, or operates as the acquirer’s technical arm. They handle the financial risk of chargebacks, fraud monitoring, and PCI compliance at the processing level. For the merchant, the processor is the entity that actually moves money to your merchant account.

When Does the Gateway vs. Processor Distinction Actually Matter?

For most small-to-mid-sized businesses, it does not matter in practice because they use integrated solutions where one provider (Stripe, Adyen, Square) handles both functions. You pay a single blended rate and deal with a single contract.

It matters significantly for:

• Enterprises with existing merchant accounts: If you have a direct acquiring relationship with a bank (e.g., a major Turkish bank like Garanti or İş Bankası), you may want to add a best-in-class gateway (e.g., Checkout.com as gateway-only) while keeping your existing acquirer for lower rates on domestic Visa/Mastercard.
• Multi-acquirer setups: Large e-commerce businesses route transactions across multiple acquirers based on card type, geography, or authorization rate optimization. A standalone gateway can route to the best acquirer for each transaction.
• Custom checkout requirements: If you need a white-label checkout with complex 3DS2 flows, local payment methods, and custom fraud rules, a standalone gateway gives more control.

How Do Modern Integrated Providers Like Stripe and Adyen Work?

Stripe operates as a payment facilitator (PayFac) — it holds a master merchant account with acquiring banks and sub-merchants (you) are aggregated under it. This means faster onboarding (no underwriting) but potentially less favorable rates and less control. Stripe acts as both gateway and processor, charging a flat percentage (e.g., 1.4% + €0.25 for European cards in the EU).

Adyen is a licensed acquiring bank in the EU (through Adyen N.V.) and operates direct card scheme memberships globally. It combines gateway, processor, and acquirer functions with interchange++ pricing — showing merchants exact interchange costs. Adyen is typically more cost-effective for businesses processing over €1M per year, but requires more technical integration and minimum volume commitments.

What Are the Key Factors for Choosing Between Gateway and Processor Setups?

The decision framework depends on your volume, technical capability, and geographic footprint. Low volume (<€1M/year): use an integrated PayFac like Stripe or iyzico (Turkey). Mid volume (€1M–€50M/year): evaluate Adyen, Checkout.com, or Worldpay with interchange++ pricing. High volume (>€50M/year): consider direct acquiring relationships in your core markets with a best-in-class gateway overlay.

For businesses operating in Turkey alongside EU markets: Turkish card transactions on domestic schemes (Bankkart, Troy) require a Turkish-licensed acquirer — global processors like Stripe do not directly process these. A hybrid setup (local Turkish acquirer + global gateway like Adyen for international) is common for Turkish e-commerce exporters. See the full context in our payment infrastructure guide.

How Do Payment Gateways Handle 3D Secure and SCA?

Strong Customer Authentication (SCA), mandated by PSD2 in the EU, requires online card transactions to be authenticated using two of three factors: knowledge (PIN/password), possession (device/card), and inherence (biometric). The gateway handles the 3DS2 challenge flow — redirecting the customer to their issuing bank for biometric or OTP authentication when SCA is required.

SCA exemptions (transaction risk analysis, recurring payments, low-value transactions under €30) are crucial for conversion rate preservation. A gateway with intelligent SCA exemption logic can exempt 60–80% of eligible transactions from the friction of a full challenge, while still meeting PSD2 compliance. This capability varies significantly between gateway providers and is a key differentiator for EU merchants. Learn more about the regulatory framework in our ISO 20022 standard guide.

What Is a Payment Orchestration Layer and Do You Need One?

A payment orchestration platform sits above your gateway and processor stack, routing each transaction to the optimal provider based on predefined rules. Examples include Spreedly, Primer, and Gr4vy. Orchestration makes sense when you have multiple acquirers (for redundancy or market-specific optimization), multiple payment methods (cards, wallets, open banking, RTP), and complex routing logic (route Visa to Acquirer A, Mastercard to Acquirer B, Turkish Lira transactions to local acquirer).

For a company operating in Turkey, Macedonia, Albania, and the EU, a single global processor rarely provides optimal rates in all markets. A Turkish domestic acquirer (Garanti, iyzico) typically offers better rates on TRY-denominated card transactions. An EU acquirer (Adyen, Worldpay) is better for EUR cross-border transactions. An orchestration layer — or a well-configured Adyen account with local acquiring in each market — manages this complexity without the merchant needing multiple direct integrations. The decision to add orchestration is justified when annual payment volume exceeds €10M and you process in three or more currencies.

How Do Alternative Payment Methods Fit the Gateway-Processor Model?

Alternative payment methods (APMs) — bank transfers, digital wallets (Apple Pay, Google Pay, PayPal), buy-now-pay-later (BNPL), and local schemes — do not always fit the card gateway-processor model. Bank transfer APMs (iDEAL in Netherlands, Sofort/Klarna in Germany, Bancontact in Belgium) are initiated through the gateway as payment method options but route through bank APIs rather than card networks — bypassing interchange entirely.

Digital wallets encapsulate card credentials and pass tokenized card data through the gateway-processor chain normally (just without the physical card). BNPL providers (Klarna, Afterpay) act as merchants themselves — they pay the merchant immediately via card or bank transfer and collect from the consumer in installments. For merchants, BNPL has higher merchant fees (2–6%) than card, but drives higher conversion rates and higher average order values. Your gateway must support the APMs relevant to your target markets — this should be an explicit evaluation criterion when selecting providers. Explore the payment infrastructure overview for the full ecosystem context.

What Are the PCI DSS Requirements for Gateways and Merchants?

PCI DSS (Payment Card Industry Data Security Standard) mandates how cardholder data must be handled by any entity in the payment chain. Merchants who outsource card data handling entirely to a PCI-compliant gateway (e.g., using Stripe’s hosted payment fields or Adyen’s drop-in components) can qualify under SAQ A — the simplest PCI self-assessment questionnaire with the fewest controls required. Merchants who capture and transmit raw card numbers face SAQ D or Level 1 compliance — full audits, penetration testing, and substantial ongoing cost.

Choosing a gateway that fully handles card data — keeping raw PANs (Primary Account Numbers) off your servers — is not just a security decision; it is a compliance cost decision. A company processing 500,000 card transactions annually that handles raw card data faces Level 2 PCI compliance costs of €50,000–200,000 per year in audits, scanning, and remediation. Outsourcing card data handling to a compliant gateway eliminates this cost entirely. This is one of the most economically significant technical architecture decisions a CFO can influence in the payment stack.

What Is a Payment Orchestration Layer and Do You Need One?

A payment orchestration platform sits above your gateway and processor stack, routing each transaction to the optimal provider based on predefined rules. Examples include Spreedly, Primer, and Gr4vy. Orchestration makes sense when you have multiple acquirers (for redundancy or market-specific optimization), multiple payment methods (cards, wallets, open banking, RTP), and complex routing logic (route Visa to Acquirer A, Mastercard to Acquirer B, Turkish Lira transactions to local acquirer).

For a company operating in Turkey, Macedonia, Albania, and the EU, a single global processor rarely provides optimal rates in all markets. A Turkish domestic acquirer (Garanti, iyzico) typically offers better rates on TRY-denominated card transactions. An EU acquirer (Adyen, Worldpay) is better for EUR cross-border transactions. An orchestration layer — or a well-configured Adyen account with local acquiring in each market — manages this complexity without the merchant needing multiple direct integrations. The decision to add orchestration is justified when annual payment volume exceeds €10M and you process in three or more currencies.

How Do Alternative Payment Methods Fit the Gateway-Processor Model?

Alternative payment methods (APMs) — bank transfers, digital wallets (Apple Pay, Google Pay, PayPal), buy-now-pay-later (BNPL), and local schemes — do not always fit the card gateway-processor model. Bank transfer APMs (iDEAL in Netherlands, Sofort/Klarna in Germany, Bancontact in Belgium) are initiated through the gateway as payment method options but route through bank APIs rather than card networks — bypassing interchange entirely.

Digital wallets encapsulate card credentials and pass tokenized card data through the gateway-processor chain normally (just without the physical card). BNPL providers (Klarna, Afterpay) act as merchants themselves — they pay the merchant immediately via card or bank transfer and collect from the consumer in installments. For merchants, BNPL has higher merchant fees (2–6%) than card, but drives higher conversion rates and higher average order values. Your gateway must support the APMs relevant to your target markets — this should be an explicit evaluation criterion when selecting providers. Explore the payment infrastructure overview for the full ecosystem context.

What Are the PCI DSS Requirements for Gateways and Merchants?

PCI DSS (Payment Card Industry Data Security Standard) mandates how cardholder data must be handled by any entity in the payment chain. Merchants who outsource card data handling entirely to a PCI-compliant gateway (e.g., using Stripe’s hosted payment fields or Adyen’s drop-in components) can qualify under SAQ A — the simplest PCI self-assessment questionnaire with the fewest controls required. Merchants who capture and transmit raw card numbers face SAQ D or Level 1 compliance — full audits, penetration testing, and substantial ongoing cost.

Choosing a gateway that fully handles card data — keeping raw PANs (Primary Account Numbers) off your servers — is not just a security decision; it is a compliance cost decision. A company processing 500,000 card transactions annually that handles raw card data faces Level 2 PCI compliance costs of €50,000–200,000 per year in audits, scanning, and remediation. Outsourcing card data handling to a compliant gateway eliminates this cost entirely. This is one of the most economically significant technical architecture decisions a CFO can influence in the payment stack.

What Should a CFO Know About Payment Stack Total Cost of Ownership?

Payment stack TCO goes beyond the visible MSC line item. Include: gateway monthly/annual fees (commonly €200–2,000/month for enterprise tiers), processor setup fees, FX conversion spreads on cross-currency settlements, chargeback fees (€15–50 per chargeback), fraud screening tool costs, PCI compliance costs, and the internal engineering cost of payment integrations and maintenance. For a company processing €20M annually, these ancillary costs can add 0.2–0.4% to the apparent headline rate.

Review your full payment stack cost annually with your CFO lens. The gateway and processor landscape evolves rapidly — providers that were premium-priced three years ago may now offer competitive rates due to competitive pressure from Stripe and Adyen. A formal payment stack RFP every three years is good treasury hygiene for any business processing over €5M annually. Cross-reference your costs against the benchmarks in our acquiring and issuing bank guide and the broader Payment Infrastructure hub.

Frequently Asked Questions