diagram.mmd — sequence
Payment Gateway Flow sequence diagram

A payment gateway flow is the end-to-end sequence of messages that moves a transaction from a customer's browser to an issuing bank and back, authorizing or declining the charge in real time.

When a customer submits a checkout form, the merchant website sends the card details — or more commonly a one-time token generated client-side — to the payment gateway. The gateway acts as the traffic director: it normalizes the request, performs initial validation, and forwards it to the card processor (such as Visa or Mastercard's network). The processor is responsible for routing the authorization request to the customer's issuing bank, the institution that holds the account.

The issuing bank performs several checks: it verifies the card number and CVV, confirms available funds or credit, evaluates fraud signals (velocity, geolocation, device fingerprint), and applies any 3D Secure challenges if configured. It then returns an authorization code if approved, or a decline code indicating the reason (insufficient funds, suspected fraud, expired card, etc.).

The response travels back through the same chain: processor → gateway → merchant. The merchant receives a structured result containing the authorization code, amount authorized, and any acquirer reference numbers needed for settlement and reconciliation. It then confirms or rejects the order to the customer.

An important nuance: this flow covers authorization only, which reserves funds without moving money. The actual fund transfer happens during the capture phase — see Payment Capture Flow for that step. Many gateways perform auth-and-capture simultaneously for immediate purchases, but marketplaces and hotels commonly separate them.

The gateway also emits a webhook after the final state is determined. See Payment Webhook Processing for how merchants reliably consume those events. For the cryptographic protections applied to card data in transit, see Payment Tokenization.
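The following is an added runnable sketch of the sequence described above, not code from this page or from Graphlet: a merchant submits a one-time token to a gateway, which swaps it for the card number, forwards the request through a processor that routes by BIN to the issuing bank, and returns a structured result. The bank runs the expiry, velocity and funds checks described above and only reserves funds on approval; a separate capture call is what actually moves money. Every class, method, card number and reason code here is constructed for the illustration (the numeric codes loosely follow ISO 8583 response codes, which is an assumption, not something the page states).

```python
"""Toy run of the authorization sequence (merchant -> gateway -> processor -> issuing bank and back)
including the authorization/capture split. Added illustration; nothing here is a real gateway API."""
import secrets
from dataclasses import dataclass, field

# Constructed reason codes; values loosely follow common ISO 8583 response codes (assumption).
APPROVED, INVALID_TOKEN, INSUFFICIENT_FUNDS, EXPIRED_CARD, SUSPECTED_FRAUD = "00", "14", "51", "54", "59"


@dataclass
class Account:
    available: int                 # spendable balance in minor units (cents)
    expires_at: float              # card expiry as epoch seconds
    holds: dict = field(default_factory=dict)       # auth_code -> reserved amount
    settled_debits: int = 0        # money actually moved; only capture changes this
    attempts: list = field(default_factory=list)    # authorization timestamps, for velocity checks


class IssuingBank:
    """Holds the account: runs expiry, velocity (fraud) and funds checks, then reserves funds."""
    def __init__(self, accounts: dict, velocity_limit: int = 3, window_s: float = 60.0):
        self.accounts, self.velocity_limit, self.window_s = accounts, velocity_limit, window_s

    def authorize(self, pan: str, amount: int, now: float) -> dict:
        acct = self.accounts.get(pan)
        if acct is None:
            return {"approved": False, "reason_code": INVALID_TOKEN}
        if now >= acct.expires_at:
            return {"approved": False, "reason_code": EXPIRED_CARD}
        acct.attempts = [t for t in acct.attempts if now - t < self.window_s] + [now]
        if len(acct.attempts) > self.velocity_limit:            # too many attempts in the window
            return {"approved": False, "reason_code": SUSPECTED_FRAUD}
        if acct.available < amount:
            return {"approved": False, "reason_code": INSUFFICIENT_FUNDS}
        auth_code = secrets.token_hex(3).upper()
        acct.available -= amount                                 # reserve only; no money moves yet
        acct.holds[auth_code] = amount
        return {"approved": True, "reason_code": APPROVED, "auth_code": auth_code, "amount_authorized": amount}

    def capture(self, pan: str, auth_code: str) -> int:
        """Capture phase: turn the hold into a real debit and return the amount moved."""
        amount = self.accounts[pan].holds.pop(auth_code)
        self.accounts[pan].settled_debits += amount
        return amount


class CardProcessor:
    """Card network: routes each request to the issuing bank by BIN (first six digits)."""
    def __init__(self, banks_by_bin: dict):
        self.banks_by_bin = banks_by_bin

    def route(self, pan: str, amount: int, now: float) -> dict:
        result = self.banks_by_bin[pan[:6]].authorize(pan, amount, now)
        result["acquirer_ref"] = "ARN-" + secrets.token_hex(4)   # merchant keeps this for settlement
        return result


class PaymentGateway:
    """Normalises and validates the merchant request, swaps the one-time token for the PAN, forwards it."""
    def __init__(self, processor: CardProcessor):
        self.processor = processor
        self.vault: dict = {}        # one-time token -> PAN; the merchant never holds the PAN
        self.webhooks: list = []     # the "log transaction, emit webhook" step from the diagram

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_urlsafe(12)
        self.vault[token] = pan
        return token

    def authorize(self, token: str, amount: int, currency: str, now: float) -> dict:
        pan = self.vault.pop(token, None)          # one-time: a replayed token fails validation here
        if pan is None or amount <= 0 or len(currency) != 3:
            result = {"approved": False, "reason_code": INVALID_TOKEN}
        else:
            result = self.processor.route(pan, amount, now)
        self.webhooks.append({"type": "authorization." + ("approved" if result["approved"] else "declined"),
                              "token": token, "amount": amount, "currency": currency, **result})
        return result


def demo(now: float = 1_700_000_000.0) -> dict:
    """Drive the sequence on constructed accounts and PANs; returns the outcome of each step."""
    good_pan, expired_pan = "4111110000001111", "4111110000002222"   # constructed card numbers
    bank = IssuingBank({good_pan: Account(10_000, now + 86_400),
                        expired_pan: Account(500, now - 1)}, velocity_limit=1)
    gateway = PaymentGateway(CardProcessor({"411111": bank}))
    t1 = gateway.tokenize(good_pan)
    ok = gateway.authorize(t1, 2_500, "USD", now)             # approved: 2,500 reserved, nothing moved
    replay = gateway.authorize(t1, 2_500, "USD", now)         # same one-time token again: gateway rejects
    expired = gateway.authorize(gateway.tokenize(expired_pan), 100, "USD", now)
    velocity = gateway.authorize(gateway.tokenize(good_pan), 100, "USD", now + 1)   # 2nd in 60 s window
    acct = bank.accounts[good_pan]
    settled_before = acct.settled_debits
    moved = bank.capture(good_pan, ok["auth_code"])          # capture (its own flow) finally moves the money
    return {"ok": ok, "replay": replay, "expired": expired, "velocity": velocity,
            "settled_before_capture": settled_before, "moved": moved, "settled_after_capture": acct.settled_debits,
            "available": acct.available, "webhooks": len(gateway.webhooks)}
```

Run `demo()` to see the point the text makes about authorization versus capture: after the approved authorization the account's available balance already drops by 2,500, but `settled_debits` stays at 0 until the capture call. The replayed token is rejected at the gateway's validation step without ever reaching the processor, and the second attempt on the same card inside the velocity window comes back with the fraud reason code.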


Frequently asked questions

A payment gateway is the intermediary that normalises and routes payment authorization requests between a merchant's checkout and the card networks and issuing banks. It handles tokenisation, fraud checks, network routing, and returns a structured approval or decline to the merchant.

The customer submits a card token from the checkout form. The gateway validates the request, forwards it through the acquirer and card network to the issuing bank. The bank runs fraud and fund checks and returns an authorization code or decline code. The result travels back through the same chain to the merchant within seconds.

Auth and capture are separated when fulfilment is delayed — marketplaces authorize at order time and capture on shipment, hotels authorize at check-in and capture at checkout. Immediate digital-goods purchases typically combine both in a single API call.

Common mistakes include storing raw card numbers instead of gateway tokens, not verifying webhook signatures before processing events, ignoring idempotency keys on retries (causing double-charges), and treating authorization as confirmation of payment before capture occurs.
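As an added example (not code from this page or from any gateway's SDK), here is a merchant-side sketch of the defences against three of the mistakes listed above: the outbound charge is keyed by an idempotency key so a client retry after a timeout cannot charge twice, the inbound webhook is rejected unless its HMAC signature verifies in constant time and its timestamp is fresh, each event id is processed once even when the gateway redelivers, and only a capture event moves the order to "paid". The header format (`t=<timestamp>,v1=<hex HMAC-SHA256>` over `<timestamp>.<body>`), the secret, the event names and the order store are all constructed assumptions for the illustration.

```python
"""Merchant-side handling of webhook signatures and idempotent retries. Added illustration;
the signature header format, secret and event types are constructed, not any real gateway's."""
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"whsec_constructed_example_secret"   # constructed; a real secret comes from the gateway
TOLERANCE_S = 300                                     # reject events older than five minutes (replay window)


def sign(body: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """What the gateway side would compute for this constructed scheme: HMAC-SHA256 over '<ts>.<body>'."""
    mac = hmac.new(secret, b"%d." % ts + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify(body: bytes, header: str, now: int, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time signature check plus a freshness window, done before the body is parsed at all."""
    try:
        parts = dict(kv.split("=", 1) for kv in header.split(","))
        ts = int(parts["t"])
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > TOLERANCE_S:
        return False
    expected = hmac.new(secret, b"%d." % ts + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, parts.get("v1", ""))


class MerchantOrders:
    """Tiny order store; both the outbound charge and the inbound webhook are idempotent."""
    def __init__(self):
        self.charges: dict = {}          # idempotency key -> stored gateway result
        self.seen_events: set = set()    # event ids already processed
        self.orders: dict = {}           # order_id -> state
        self.gateway_calls = 0

    def charge(self, idempotency_key: str, order_id: str, amount: int, gateway_call) -> dict:
        """Retry-safe: the same key returns the stored result instead of charging again."""
        if idempotency_key in self.charges:
            return self.charges[idempotency_key]
        result = gateway_call(order_id, amount)
        self.gateway_calls += 1
        self.charges[idempotency_key] = result
        self.orders[order_id] = "authorized" if result["approved"] else "failed"
        return result

    def handle_webhook(self, body: bytes, header: str, now: int) -> str:
        if not verify(body, header, now):
            return "rejected: bad signature"
        event = json.loads(body)
        if event["id"] in self.seen_events:           # gateways redeliver; process each event once
            return "duplicate"
        self.seen_events.add(event["id"])
        if event["type"] == "payment.captured":        # only capture means money actually moved
            self.orders[event["order_id"]] = "paid"
        elif event["type"] == "authorization.approved":
            self.orders.setdefault(event["order_id"], "authorized")
        return "processed"


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: a retried charge, then a genuine, redelivered, tampered and stale webhook."""
    store = MerchantOrders()

    def fake_gateway(order_id: str, amount: int) -> dict:      # stands in for the gateway call
        return {"approved": True, "auth_code": "A1B2C3", "amount_authorized": amount}

    first = store.charge("idem-order-42", "order-42", 2500, fake_gateway)
    retry = store.charge("idem-order-42", "order-42", 2500, fake_gateway)   # timeout -> client retried
    body = json.dumps({"id": "evt_1", "type": "payment.captured", "order_id": "order-42"}).encode()
    header = sign(body, now)
    results = [
        store.handle_webhook(body, header, now),                        # genuine delivery
        store.handle_webhook(body, header, now + 10),                   # redelivery of the same event
        store.handle_webhook(body.replace(b"order-42", b"order-99"), header, now),   # body tampered
        store.handle_webhook(body, header, now + TOLERANCE_S + 1),      # replayed after the window
    ]
    return {"gateway_calls": store.gateway_calls, "same_result": first is retry,
            "state": store.orders["order-42"], "results": results}
```

The retried charge returns the very same stored result object and the gateway is called once. Of the four deliveries, only the first is processed; the redelivery is recognised by event id, and the tampered and stale copies never reach the JSON parser because `verify` fails first.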
```mermaid
sequenceDiagram
    participant Customer
    participant Merchant as Merchant Website
    participant Gateway as Payment Gateway
    participant Processor as Card Processor
    participant Bank as Issuing Bank
    Customer->>Merchant: Submit payment form
    Merchant->>Gateway: Send tokenized card details
    Gateway->>Gateway: Validate request, check fraud rules
    Gateway->>Processor: Authorization request
    Processor->>Bank: Route authorization to issuing bank
    Bank->>Bank: Check funds, CVV, fraud signals
    Bank-->>Processor: Approved / Declined + reason code
    Processor-->>Gateway: Authorization response
    Gateway->>Gateway: Log transaction, emit webhook
    Gateway-->>Merchant: Payment result + auth code
    Merchant-->>Customer: Order confirmation or failure message
```