Payments

Payment Gateway vs Payment Service Provider: What Is the Difference

Understand the difference between a payment gateway and a payment service provider, how card transactions flow, and what to look for when choosing in the UK.

Payment Gateway vs Payment Service Provider: What Is the Difference

When you start looking at how to accept card payments, the terminology can feel deliberately confusing. Payment gateway, payment service provider, acquirer, payment facilitator: providers use these terms interchangeably in marketing copy, but they refer to quite different things. Getting them straight matters because the model you choose shapes your fees, your settlement speed, your compliance obligations, and how much control you retain over the payments experience.

At the most basic level, a payment gateway is a piece of technology. It securely captures payment data at checkout, encrypts it, and transmits an authorisation request on your behalf. A payment service provider (PSP) is a broader commercial arrangement that may include a gateway but also bundles the acquiring relationship, the merchant account, fraud tooling, and sometimes currency conversion into a single service. Some PSPs go further and act as payment facilitators, onboarding you as a sub-merchant under their own master merchant account rather than giving you a dedicated account of your own.

This article explains each concept clearly, walks through how a card transaction actually moves from customer to merchant, and sets out the practical considerations, including FCA authorisation and UK safeguarding rules, that should inform your decision.

Reduce riskPrevent fraud, error and policy breaches
Ensure complianceMeet regulatory and internal obligations
Improve visibilityReal-time status and audit-ready trails
Strengthen oversightClear roles, approvals and limits
Protect your businessConfident payments that keep moving

What a Payment Gateway Actually Does

A payment gateway is the secure channel that connects your checkout, whether that is a website, a point-of-sale terminal, or an in-app purchase flow, to the rest of the payment infrastructure. When a customer enters card details, the gateway encrypts that data and forwards an authorisation request to the acquiring bank or processor. Once the issuing bank responds, the gateway relays that approval or decline back to you and your customer, typically in one to three seconds.

The gateway does not move money. It moves data. Settlement, the actual transfer of funds into your bank account, happens separately through the acquiring and card-scheme infrastructure. Because the gateway sits at the point where raw card data is first captured, it is also the main lever for reducing your PCI DSS scope. When a gateway uses tokenisation or hosted payment pages, raw card numbers never touch your servers, which can reduce your compliance burden significantly under PCI DSS v4.0.1.

Examples of standalone gateway providers include Opayo (formerly Sage Pay) and Judopay. These products integrate with a separate merchant account that you hold directly with an acquirer such as Barclaycard, Lloyds Cardnet, or Worldpay.

What a Payment Service Provider Covers

A payment service provider is a broader term for a company that enables merchants to accept payments. In practice, the term covers a spectrum. At one end you have providers that are essentially gateways with a thin layer of reporting on top. At the other end you have full-stack providers, such as Stripe, Adyen, or Mollie, that bundle the gateway, the acquiring relationship, a merchant account (or sub-merchant account), fraud tooling, recurring billing, and multi-currency settlement into a single contract.

Full-stack PSPs are sometimes called payment facilitators or PayFacs. Instead of you holding your own direct relationship with an acquiring bank, the PayFac holds the master merchant account and onboards you as a sub-merchant beneath it. This is how Stripe, Square, and PayPal operate. It means you can start accepting payments within hours rather than the days or weeks that a traditional acquirer underwriting process can take.

The trade-off is that the PayFac, not you, controls risk decisions. Account holds, reserves, and sudden terminations are more common under the aggregated model, especially for businesses in higher-risk categories. Merchant Savvy's research suggests that PayFacs are used by roughly 25 percent of the smallest UK merchants (those with annual card turnover up to approximately £380,000) but only about 2 percent of larger businesses, who tend to secure their own acquiring relationships for better rates.

The Card Transaction Flow: Step by Step

Understanding the flow of a card transaction makes the roles of each party concrete. The journey from a customer tapping their card to funds appearing in your account involves five distinct actors and two separate phases.

The authorisation phase happens in seconds. Settlement, the actual movement of funds, follows separately, usually within one to two business days for most card schemes, though settlement timing varies by acquirer and PSP.

1
Customer initiates payment: the cardholder enters
Or taps card details at checkout or a terminal
2
Gateway receives the data: the gateway
Encrypts the card details and transmits an authorisation request to the acquirer (or processor)
3
Acquirer routes to the card scheme
The merchant's bank forwards the request through Visa, Mastercard, or another scheme network
4
Card scheme contacts the issuer: the
Customer's bank receives the request and checks card validity, available funds, and fraud signals
5
Issuer approves or declines: an authorisation
Code or decline code travels back through the card scheme to the acquirer
6
Gateway returns the result: the acquirer
Passes the decision back through the gateway, which notifies the merchant and customer within one to three seconds
7
Settlement: at end of day, the
Merchant submits a batch. The issuer sends funds via the card scheme to the acquirer, who deposits them into the merchant account after deducting interchange and other fees

Gateway-Only vs Full-Stack PSP: A Direct Comparison

The comparison below captures the main practical differences between using a standalone payment gateway with your own merchant account versus using a full-stack PSP or PayFac. Neither model is universally better: the right choice depends on your transaction volume, your technical resources, and how much you want to own the acquiring relationship.

FactorGateway + Dedicated Merchant AccountFull-Stack PSP / PayFac
Onboarding speedDays to weeks (acquirer underwriting required)Hours to days (sub-merchant onboarding)
Pricing modelInterchange-plus or negotiated rates; separate gateway feeFlat-rate or blended fee per transaction; all-in
Merchant accountDedicated account; your own MID (Merchant ID)Aggregated; you are a sub-merchant under PSP's MID
Settlement timingTypically T+1 to T+2; contractually agreedVaries; some PSPs hold funds for 2-7 days initially
Account stabilityHigher; direct acquirer relationshipMore risk of holds or reserves at PSP discretion
PCI DSS scopeDepends on integration; hosted fields reduce scopeTypically reduced; PSP handles most card-data flows
Payment methodsPrimarily card; adding methods requires separate contractsBroader out of the box: cards, open banking, wallets
Developer experienceAPI quality varies by legacy providerGenerally strong APIs; sandbox environments standard
Best suited forEstablished businesses with meaningful card volumeStartups, SMEs, and businesses scaling quickly
Comparison of gateway-plus-merchant-account model versus full-stack PSP or payment facilitator model for UK merchants.
Gateway-Only vs Full-Stack PSP: A Direct Comparison

UK Regulation: FCA Authorisation and Safeguarding

Any company that provides payment services in the UK must be either authorised or registered with the Financial Conduct Authority (FCA) under the Payment Services Regulations 2017, or the Electronic Money Regulations 2011 if it issues e-money. There are two tiers of authorisation: Authorised Payment Institution (API) for firms processing above a certain threshold, and Small Payment Institution (SPI) for smaller-volume operators. You can check a provider's status on the FCA Financial Services Register.

From 7 May 2026, significantly strengthened safeguarding rules came into force for payment institutions and e-money institutions. Safeguarding is the requirement to protect customer funds that are held by a PSP pending execution of a payment. Under the new rules, firms must place those funds in a designated trust account or cover them with an appropriate insurance policy; they cannot commingle them with the firm's own operating funds. Firms also face new obligations around daily reconciliation, monthly FCA reporting, annual independent safeguarding audits (for firms holding over £100,000), and governance requirements including a named senior manager accountable for compliance.

For merchants, the relevance is twofold. First, if your PSP holds your settlement funds before paying out, you want confidence that those funds are properly safeguarded and would be protected in the event of the PSP's insolvency. Second, if your own product involves holding or moving client money, you may need your own FCA authorisation rather than relying solely on a PSP's permissions.

What to Look For When Choosing

Pricing is the most visible factor but rarely the most important one at early stage. Flat-rate fees from a PayFac are easy to model but can become expensive relative to interchange-plus pricing once your monthly card volume exceeds roughly £25,000 to £50,000. At that point, the effort of a direct acquirer relationship usually pays off.

Settlement speed matters for cash flow. Find out exactly when funds hit your bank account and whether the PSP imposes rolling reserves or holds on new accounts. Some providers hold a percentage of settlement for 90 days or more until they build a fraud and chargeback history for your account.

Supported payment methods are increasingly important. UK consumers now use open banking payments, Apple Pay, Google Pay, and buy-now-pay-later products alongside cards. A gateway that only handles card payments may require separate integrations for each method; a full-stack PSP typically aggregates them.

PCI DSS scope affects how much compliance work falls on your team. A gateway that provides a hosted payment page or JavaScript-based card fields means card numbers are entered directly into the PSP's environment, not yours, which can substantially reduce your scope under PCI DSS v4.0.1.

FCA authorisation status should always be verified. Confirm the provider appears on the FCA Financial Services Register as an Authorised Payment Institution or an Authorised Electronic Money Institution before contracting. Do not accept a claim of authorisation at face value.

Conclusion

The distinction between a payment gateway and a payment service provider is not just semantic. It determines who holds your merchant account, who underwrites your risk, how quickly you receive funds, what you pay per transaction, and how much compliance responsibility sits with you versus the provider. A gateway is the technology layer; a PSP is the commercial and operational layer that may or may not include a gateway.

For most UK startups and growing businesses, a full-stack PSP offers the fastest path to accepting payments with the least operational overhead. As transaction volume grows, the economics of a direct acquiring relationship become more attractive. Either way, verify your provider's FCA authorisation status, understand exactly how your settlement funds are safeguarded, and read the terms on reserves and holds before you sign.

Frequently asked questions

Can a payment gateway also be a payment service provider?

Yes. Many modern providers are both. Stripe, Adyen, and Worldpay, for example, provide a gateway as part of a broader PSP offering. When a provider does both, you interact with a single API but it handles acquiring, settlement, and fraud tooling in addition to the data-capture function of a pure gateway.

Do I need my own merchant account, or can I use a PSP without one?

You can use a full-stack PSP or payment facilitator without your own dedicated merchant account. The PSP holds the master account and you operate as a sub-merchant. This is the model used by Stripe, Square, and PayPal. If you want a dedicated merchant account with your own Merchant ID, you need to apply directly to an acquiring bank such as Barclaycard, Lloyds Cardnet, or Worldpay.

What does FCA authorisation mean for a payment provider?

It means the provider has been assessed by the Financial Conduct Authority and given permission to provide payment services in the UK under the Payment Services Regulations 2017. Authorised Payment Institutions must hold adequate capital, maintain proper safeguarding of client funds, and meet ongoing conduct requirements. You can verify status on the FCA Financial Services Register at register.fca.org.uk.

How does a PSP affect my PCI DSS obligations?

Using a PSP with a hosted payment page or JavaScript-based card fields means raw card data is captured within the PSP's environment rather than your servers. This can reduce your PCI DSS scope significantly, often to a shorter self-assessment questionnaire. However, PCI scope is determined by your entire integration. You should confirm scope with a qualified security assessor if you are unsure.

What is the difference between an acquirer and a payment service provider?

An acquirer is a bank or financial institution that holds a merchant account and settles card transactions on a merchant's behalf. A payment service provider may or may not be an acquirer. Some PSPs have their own acquiring licences (Adyen and Worldpay, for example). Others act as intermediaries that route through a third-party acquirer. In a PayFac model, the PayFac has an acquiring relationship and passes funds through to sub-merchants.

Ready to move money with confidence?

Nasara Pay helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide