Understand the difference between a payment gateway and a payment service provider, how card transactions flow, and what to look for when choosing in the UK.

When you start looking at how to accept card payments, the terminology can feel deliberately confusing. Payment gateway, payment service provider, acquirer, payment facilitator: providers use these terms interchangeably in marketing copy, but they refer to quite different things. Getting them straight matters because the model you choose shapes your fees, your settlement speed, your compliance obligations, and how much control you retain over the payments experience.
At the most basic level, a payment gateway is a piece of technology. It securely captures payment data at checkout, encrypts it, and transmits an authorisation request on your behalf. A payment service provider (PSP) is a broader commercial arrangement that may include a gateway but also bundles the acquiring relationship, the merchant account, fraud tooling, and sometimes currency conversion into a single service. Some PSPs go further and act as payment facilitators, onboarding you as a sub-merchant under their own master merchant account rather than giving you a dedicated account of your own.
This article explains each concept clearly, walks through how a card transaction actually moves from customer to merchant, and sets out the practical considerations, including FCA authorisation and UK safeguarding rules, that should inform your decision.
A payment gateway is the secure channel that connects your checkout, whether that is a website, a point-of-sale terminal, or an in-app purchase flow, to the rest of the payment infrastructure. When a customer enters card details, the gateway encrypts that data and forwards an authorisation request to the acquiring bank or processor. Once the issuing bank responds, the gateway relays that approval or decline back to you and your customer, typically in one to three seconds.
The gateway does not move money. It moves data. Settlement, the actual transfer of funds into your bank account, happens separately through the acquiring and card-scheme infrastructure. Because the gateway sits at the point where raw card data is first captured, it is also the main lever for reducing your PCI DSS scope. When a gateway uses tokenisation or hosted payment pages, raw card numbers never touch your servers, which can reduce your compliance burden significantly under PCI DSS v4.0.1.
Examples of standalone gateway providers include Opayo (formerly Sage Pay) and Judopay. These products integrate with a separate merchant account that you hold directly with an acquirer such as Barclaycard, Lloyds Cardnet, or Worldpay.
A payment service provider is a broader term for a company that enables merchants to accept payments. In practice, the term covers a spectrum. At one end you have providers that are essentially gateways with a thin layer of reporting on top. At the other end you have full-stack providers, such as Stripe, Adyen, or Mollie, that bundle the gateway, the acquiring relationship, a merchant account (or sub-merchant account), fraud tooling, recurring billing, and multi-currency settlement into a single contract.
Full-stack PSPs are sometimes called payment facilitators or PayFacs. Instead of you holding your own direct relationship with an acquiring bank, the PayFac holds the master merchant account and onboards you as a sub-merchant beneath it. This is how Stripe, Square, and PayPal operate. It means you can start accepting payments within hours rather than the days or weeks that a traditional acquirer underwriting process can take.
The trade-off is that the PayFac, not you, controls risk decisions. Account holds, reserves, and sudden terminations are more common under the aggregated model, especially for businesses in higher-risk categories. Merchant Savvy's research suggests that PayFacs are used by roughly 25 percent of the smallest UK merchants (those with annual card turnover up to approximately £380,000) but only about 2 percent of larger businesses, who tend to secure their own acquiring relationships for better rates.
Understanding the flow of a card transaction makes the roles of each party concrete. The journey from a customer tapping their card to funds appearing in your account involves five distinct actors and two separate phases.
The authorisation phase happens in seconds. Settlement, the actual movement of funds, follows separately, usually within one to two business days for most card schemes, though settlement timing varies by acquirer and PSP.
The comparison below captures the main practical differences between using a standalone payment gateway with your own merchant account versus using a full-stack PSP or PayFac. Neither model is universally better: the right choice depends on your transaction volume, your technical resources, and how much you want to own the acquiring relationship.
| Factor | Gateway + Dedicated Merchant Account | Full-Stack PSP / PayFac |
|---|---|---|
| Onboarding speed | Days to weeks (acquirer underwriting required) | Hours to days (sub-merchant onboarding) |
| Pricing model | Interchange-plus or negotiated rates; separate gateway fee | Flat-rate or blended fee per transaction; all-in |
| Merchant account | Dedicated account; your own MID (Merchant ID) | Aggregated; you are a sub-merchant under PSP's MID |
| Settlement timing | Typically T+1 to T+2; contractually agreed | Varies; some PSPs hold funds for 2-7 days initially |
| Account stability | Higher; direct acquirer relationship | More risk of holds or reserves at PSP discretion |
| PCI DSS scope | Depends on integration; hosted fields reduce scope | Typically reduced; PSP handles most card-data flows |
| Payment methods | Primarily card; adding methods requires separate contracts | Broader out of the box: cards, open banking, wallets |
| Developer experience | API quality varies by legacy provider | Generally strong APIs; sandbox environments standard |
| Best suited for | Established businesses with meaningful card volume | Startups, SMEs, and businesses scaling quickly |

Any company that provides payment services in the UK must be either authorised or registered with the Financial Conduct Authority (FCA) under the Payment Services Regulations 2017, or the Electronic Money Regulations 2011 if it issues e-money. There are two tiers of authorisation: Authorised Payment Institution (API) for firms processing above a certain threshold, and Small Payment Institution (SPI) for smaller-volume operators. You can check a provider's status on the FCA Financial Services Register.
From 7 May 2026, significantly strengthened safeguarding rules came into force for payment institutions and e-money institutions. Safeguarding is the requirement to protect customer funds that are held by a PSP pending execution of a payment. Under the new rules, firms must place those funds in a designated trust account or cover them with an appropriate insurance policy; they cannot commingle them with the firm's own operating funds. Firms also face new obligations around daily reconciliation, monthly FCA reporting, annual independent safeguarding audits (for firms holding over £100,000), and governance requirements including a named senior manager accountable for compliance.
For merchants, the relevance is twofold. First, if your PSP holds your settlement funds before paying out, you want confidence that those funds are properly safeguarded and would be protected in the event of the PSP's insolvency. Second, if your own product involves holding or moving client money, you may need your own FCA authorisation rather than relying solely on a PSP's permissions.
Pricing is the most visible factor but rarely the most important one at early stage. Flat-rate fees from a PayFac are easy to model but can become expensive relative to interchange-plus pricing once your monthly card volume exceeds roughly £25,000 to £50,000. At that point, the effort of a direct acquirer relationship usually pays off.
Settlement speed matters for cash flow. Find out exactly when funds hit your bank account and whether the PSP imposes rolling reserves or holds on new accounts. Some providers hold a percentage of settlement for 90 days or more until they build a fraud and chargeback history for your account.
Supported payment methods are increasingly important. UK consumers now use open banking payments, Apple Pay, Google Pay, and buy-now-pay-later products alongside cards. A gateway that only handles card payments may require separate integrations for each method; a full-stack PSP typically aggregates them.
PCI DSS scope affects how much compliance work falls on your team. A gateway that provides a hosted payment page or JavaScript-based card fields means card numbers are entered directly into the PSP's environment, not yours, which can substantially reduce your scope under PCI DSS v4.0.1.
FCA authorisation status should always be verified. Confirm the provider appears on the FCA Financial Services Register as an Authorised Payment Institution or an Authorised Electronic Money Institution before contracting. Do not accept a claim of authorisation at face value.
The distinction between a payment gateway and a payment service provider is not just semantic. It determines who holds your merchant account, who underwrites your risk, how quickly you receive funds, what you pay per transaction, and how much compliance responsibility sits with you versus the provider. A gateway is the technology layer; a PSP is the commercial and operational layer that may or may not include a gateway.
For most UK startups and growing businesses, a full-stack PSP offers the fastest path to accepting payments with the least operational overhead. As transaction volume grows, the economics of a direct acquiring relationship become more attractive. Either way, verify your provider's FCA authorisation status, understand exactly how your settlement funds are safeguarded, and read the terms on reserves and holds before you sign.
Yes. Many modern providers are both. Stripe, Adyen, and Worldpay, for example, provide a gateway as part of a broader PSP offering. When a provider does both, you interact with a single API but it handles acquiring, settlement, and fraud tooling in addition to the data-capture function of a pure gateway.
You can use a full-stack PSP or payment facilitator without your own dedicated merchant account. The PSP holds the master account and you operate as a sub-merchant. This is the model used by Stripe, Square, and PayPal. If you want a dedicated merchant account with your own Merchant ID, you need to apply directly to an acquiring bank such as Barclaycard, Lloyds Cardnet, or Worldpay.
It means the provider has been assessed by the Financial Conduct Authority and given permission to provide payment services in the UK under the Payment Services Regulations 2017. Authorised Payment Institutions must hold adequate capital, maintain proper safeguarding of client funds, and meet ongoing conduct requirements. You can verify status on the FCA Financial Services Register at register.fca.org.uk.
Using a PSP with a hosted payment page or JavaScript-based card fields means raw card data is captured within the PSP's environment rather than your servers. This can reduce your PCI DSS scope significantly, often to a shorter self-assessment questionnaire. However, PCI scope is determined by your entire integration. You should confirm scope with a qualified security assessor if you are unsure.
An acquirer is a bank or financial institution that holds a merchant account and settles card transactions on a merchant's behalf. A payment service provider may or may not be an acquirer. Some PSPs have their own acquiring licences (Adyen and Worldpay, for example). Others act as intermediaries that route through a third-party acquirer. In a PayFac model, the PayFac has an acquiring relationship and passes funds through to sub-merchants.
Nasara Pay helps UK firms send and control payments with lower fees, better rates and full visibility.
Practical guides and updates for UK firms, straight to your inbox.