
      Added value, benefits, security

      "Payment gateways" (or "payment hubs") are repeatedly advertised as a component of modern payment processing. But what exactly is behind the term? For which companies and use cases is the use of a payment gateway really worthwhile? What advantages can be achieved? What should be considered when using it in relation to existing systems and the aspect of security?

      To the point

      In IT, a gateway refers to a connection between two or more systems in the role of an intermediary and means

      a) ... in the context of digital payment transactions in retail: the processing of electronic payments (usually credit cards and debit cards) between buyers (customers) and sellers (merchants), whereby the gateway acts as an intermediary and forwards payment transactions to connected PSPs1 and acquirers2. (e.g. ACI, SPREEDLY, NUVEI, but also others)3

      b) ... in the context of traditional payment transactions at corporates: the processing of financial transactions on bank accounts at house banks, primarily for outgoing payments (suppliers, employees, public authorities) but also incoming direct debits (customers). The payment gateway establishes the connection from the company to the bank - similar to an electronic banking system. The boundaries to the Treasury Management System (TMS) are often blurred (e.g. SERRALA, TIS, OMIKRON, but also others)4

      The following article focuses on the aspects of a payment gateway in traditional payment transactions (b).

      The most important features explained simply

      On the external side, a payment gateway connects a company's house banks via the available channels EBICS, H2H, SWIFT (and now API). On the internal side, it establishes the connection to the ERP and accounting systems. It thus provides the first significant advantage compared to the use of e-banking systems: the automatic upload of payment files without manual intervention (= straight through processing). Furthermore, a payment gateway usually offers a format library with which payment information can be converted from internally used interface formats into country-specific XML formats recognised by the respective banks.


      Figure 1: System landscape with payment gateway for sending payment files

      Schematic representation of the payment gateway

      Source: KPMG AG

      In addition, a payment gateway typically offers a range of additional functionalities, such as (non-exhaustive list):

      • Management of bank master data
      • Management of users and authorisation rights
      • the release of payments
      • Tracking and error analysis of payments
      • Receiving account statements
      • Reporting for accounts, balances and transactions
      • if necessary, a liquidity forecast or even liquidity planning

      The gateway is therefore in direct competition with the banks' e-banking systems, which are only needed as a fallback or for special payments. Its use therefore also has an impact on cooperation with the banks.

      Cooperation with banks is changing

      Initially, account master data is managed across all banks in the payment gateway. This can create transparency across all bank accounts worldwide for the first time (if not already available) or lead to redundancy in master data management (if the master data is already recorded in ERP systems). When using Corporate Seal, authorisation rights can even be administered without the bank's involvement - often a major speed advantage when adjusting limits for new employees, for example. The bank is still required to analyse errors in payment files, but the gateway also provides options for validating and troubleshooting payment files.

      The additional administrative tasks in the payment gateway initially entail more work and responsibility for the treasury department. However, the new tasks also strengthen Treasury's perception as a competent contact partner for the subsidiaries and service function within the Group.

      Obviously, a payment gateway also changes the co-operation with the house banks. Some banks see themselves forced into the role of a pure "backend" and payment processor or their relevance in implementation projects diminishes, which can lead to disagreements with individual banks. Other banks are concerned about issues such as liability and fraud prevention or have more extensive rights contractually guaranteed with regard to the event-driven release of data (e.g. log files for authorisation history). However, most banks are taking a proactive approach to the trend, supporting customers in their implementation projects or even entering into co-operation agreements with payment gateways.

      Outsourcing format maintenance saves money and speeds up IT projects

      Some payment gateways provide bank-specific, country-specific and pre-tested payment formats in the form of a library (payment library). This enables the gateway to generate a valid XML payment format in accordance with the ISO 20022 standard from payment information in various internal formats (e.g. CSV, TXT or IDOC from an ERP). This offers numerous advantages:

      • When central banks introduce new payment methods (e.g. instant payments, real-time payments or split payments), payment formats can be quickly put into production for each bank.
      • Format libraries are helpful when replacing old formats (e.g. DTAZV) and introducing the ISO standard, as they accelerate and simplify the technical migration.
      • In addition, new payment runs can be implemented more quickly and additional payment processes can be automated in accounting.
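      As an added illustration of what such a format library does (example code written for this page, not code from the article or from any of the providers it names), the following Python script converts a constructed internal CSV payment run into an ISO 20022 pain.001.001.03 credit transfer initiation file. The CSV layout, the company names, IBANs and BICs are constructed sample values; the message structure and namespace are the real ISO 20022 ones. It also performs the checks a gateway applies before a file reaches the bank channel: an IBAN mod-97 check, positive two-decimal amounts, and a control sum in the group header that the bank cross-checks against the individual transactions, so a malformed or altered file is rejected rather than uploaded.

```python
"""Added example: internal CSV payment run -> ISO 20022 pain.001.001.03 file."""
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation

# Namespace of the pain.001.001.03 message (a real ISO 20022 identifier).
NS = "urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"

# Constructed sample data: a hypothetical internal CSV layout with test IBANs.
SAMPLE_CSV = """\
end_to_end_id,creditor_name,creditor_iban,creditor_bic,amount,currency,remittance
INV-2024-0001,Supplier GmbH,DE89370400440532013000,COBADEFFXXX,1250.00,EUR,Invoice 0001
INV-2024-0002,Parts Ltd,GB82WEST12345698765432,WESTGB2LXXX,99.99,EUR,Invoice 0002
"""
DEBTOR = {  # constructed sample debtor (the company sending the payments)
    "name": "Example Corp AG",
    "iban": "DE89370400440532013000",
    "bic": "COBADEFFXXX",
}


def iban_is_valid(iban: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must leave remainder 1."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


def _el(parent, tag, text=None):
    """Append a namespaced child element, optionally with text."""
    child = ET.SubElement(parent, f"{{{NS}}}{tag}")
    if text is not None:
        child.text = text
    return child


def build_pain001(csv_text: str, debtor: dict, msg_id: str, exec_date: str) -> dict:
    """Validate every row, then emit one PmtInf with one CdtTrfTxInf per row.
    Returns the XML text plus the header totals the bank will cross-check."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        raise ValueError("empty payment run")
    if not iban_is_valid(debtor["iban"]):
        raise ValueError("debtor IBAN fails mod-97 check")
    ctrl_sum = Decimal("0")
    for r in rows:
        if not iban_is_valid(r["creditor_iban"]):
            raise ValueError(f"{r['end_to_end_id']}: creditor IBAN fails mod-97 check")
        try:
            amount = Decimal(r["amount"])
        except InvalidOperation:
            raise ValueError(f"{r['end_to_end_id']}: amount is not numeric") from None
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            raise ValueError(f"{r['end_to_end_id']}: amount must be positive with 2 decimals")
        ctrl_sum += amount

    ET.register_namespace("", NS)  # emit the ISO namespace as the default namespace
    doc = ET.Element(f"{{{NS}}}Document")
    init = _el(doc, "CstmrCdtTrfInitn")

    hdr = _el(init, "GrpHdr")  # group header: totals the bank checks against the body
    _el(hdr, "MsgId", msg_id)
    _el(hdr, "CreDtTm", datetime.now(timezone.utc).replace(microsecond=0).isoformat())
    _el(hdr, "NbOfTxs", str(len(rows)))
    _el(hdr, "CtrlSum", str(ctrl_sum))
    _el(_el(hdr, "InitgPty"), "Nm", debtor["name"])

    pmt = _el(init, "PmtInf")  # one payment batch debited from the debtor account
    _el(pmt, "PmtInfId", f"{msg_id}-1")
    _el(pmt, "PmtMtd", "TRF")
    _el(pmt, "NbOfTxs", str(len(rows)))
    _el(pmt, "CtrlSum", str(ctrl_sum))
    _el(pmt, "ReqdExctnDt", exec_date)
    _el(_el(pmt, "Dbtr"), "Nm", debtor["name"])
    _el(_el(_el(pmt, "DbtrAcct"), "Id"), "IBAN", debtor["iban"])
    _el(_el(_el(pmt, "DbtrAgt"), "FinInstnId"), "BIC", debtor["bic"])

    for r in rows:  # one credit transfer per CSV row
        tx = _el(pmt, "CdtTrfTxInf")
        _el(_el(tx, "PmtId"), "EndToEndId", r["end_to_end_id"])
        _el(_el(tx, "Amt"), "InstdAmt", r["amount"]).set("Ccy", r["currency"])
        _el(_el(_el(tx, "CdtrAgt"), "FinInstnId"), "BIC", r["creditor_bic"])
        _el(_el(tx, "Cdtr"), "Nm", r["creditor_name"])
        _el(_el(_el(tx, "CdtrAcct"), "Id"), "IBAN", r["creditor_iban"])
        _el(_el(tx, "RmtInf"), "Ustrd", r["remittance"])

    xml = '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(doc, encoding="unicode")
    return {"xml": xml, "nb_of_txs": len(rows), "ctrl_sum": str(ctrl_sum)}


def count_transactions(xml: str) -> int:
    """Re-parse the generated file and count its transactions (upload-side check)."""
    return len(ET.fromstring(xml).findall(f".//{{{NS}}}CdtTrfTxInf"))


if __name__ == "__main__":
    print(build_pain001(SAMPLE_CSV, DEBTOR, "MSG-20241101-001", "2024-11-04")["xml"])
```

      A real format library adds the bank- and country-specific rules on top of this (character sets, field lengths, the permitted purpose codes, local variants of the schema), which is exactly the maintenance effort the article describes outsourcing; validating the file against the bank's XSD before upload is the natural next step after the structural checks shown here.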

      Figure 2: Format library of a payment gateway

      Illustration of a format library

      Source: KPMG AG

      Although ERP systems also offer templates for country-specific payment file formats to a certain extent, these must be adapted to the format specifications of the respective local banks with a customising effort. Above all, the initial format test together with the bank is more extensive and depends on the availability of the bank's implementation managers. The responsibility and effort for maintaining and servicing the formats also lies with the company's IT department. With the pre-validated and automatically maintained formats of a payment library, on the other hand, internal IT work can be saved and efficiently outsourced to the service provider.

      This must be distinguished from outsourcing that goes beyond format maintenance and e-banking, and thus beyond the functional spectrum of a payment gateway. Other providers (e.g. ADP, Bottomline Technologies, PAYONEER, DATEV, but also others)5 are required to outsource the entire payment transaction, including the filling and preparation of payment files for vendor payments or complex HR payments as well as their posting and the monitoring of settlement.

      Improved governance and fee savings

      With the centralisation of bank master data management, bank connection, account administration and payment processing, the payment gateway automatically makes the subsidiaries more dependent on the head office. This improves the overview of local bank accounts and authorisation rights, facilitates the enforcement of uniform limits and forces the subsidiaries to coordinate more closely with the central treasury department when opening and closing bank accounts. The CFO is likely to be very interested in such an improvement in governance. Centralisation can also lay the foundation for a shared service centre (payment factory) at a later date.

      On the cost side, the savings in format maintenance and the efficiency gains from a standardised admin process are initially offset by the costs of software subscriptions for an additional cloud platform. However, a payment gateway also strengthens competition between banks in terms of:

      • the reliability and duration of payment execution
      • the introduction of new payment methods
      • and, last but not least, pricing.

      Switching a bank account to a better or cheaper bank still involves a lot of effort, but is much quicker and easier in terms of the technical setup in a payment gateway. With high transaction volumes, the fixed costs for software rental should therefore amortise in the medium term.

      What risks are there - and how can they be countered?

      Placing the technical solvency of a company in the hands of a cloud provider could initially raise understandable concerns for a responsible treasurer - for example, with regard to data security, provider risk and control over payment transactions.

      In order to still enjoy the benefits, operational risks can initially be limited by selecting a suitable provider that guarantees the required availability and reliability (failover, backup, limitation of downtimes) - preferably with a suitable SLA (Service Level Agreement) and ISO certification. On closer inspection, you will realise that the risk of failure and the availability of support from most providers today is at a level similar to that of banks.

      Compliance with data protection law (GDPR, known in Germany as DSGVO) and data security is, as is well known, vigorously enforced by the authorities through high penalties imposed on companies, and public awareness of it is now widespread. This makes the protection of personal information in payment transactions (e.g. bank details) or even sensitive data (e.g. salary payments) particularly important. Outsourcing companies such as payment gateways generally take precautions for this in their contracts and processes. However, the treasury department should also take measures in this regard - e.g. in the form of:

      • an authorisation concept
      • clear guidelines and training for admins
      • approval processes
      • and documentation

      In addition, a subsidiary that commissions the head office to process payment transactions should initially delegate this task with suitable contracts in order to create a legal basis for centralisation. Outsourcing is also a good opportunity to take a fundamental look at data protection and data security in order to prevent the misuse of sensitive user data.

      Cybersecurity in payment transactions

      In addition to the risks already mentioned, the issue of cyber security in connection with payment gateways is also likely to raise some concerns. Initially, all parties involved in the payment transaction process are exposed to cyber attacks to a similar extent:

      • Banks (and also central banks):
        Banks are particularly in the focus of cyber attacks but are, on the other hand, subject to high regulatory pressure. New laws such as the Digital Operational Resilience Act (DORA) impose strict cyber security requirements and force banks to invest heavily in security and fraud detection. These investments are, however, also necessary to protect a complex and extensive infrastructure and organisation.
      • Cloud providers (payment gateways or treasury management systems):
        Cloud providers, being smaller organisations, also have smaller budgets available. On the other hand, as technology leaders, they are in the best position to protect themselves against threats with technical measures (authentication, encryption, dynamic IP addresses, etc.). Although they are not subject to the strict laws of the supervisory authorities, they usually undergo certifications for information security (such as ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018 or SOC 2, to name but a few). Cloud providers therefore manage to successfully fend off cyberattacks time and time again6.
      • Corporates (with an on-premise installation of the ERP or TMS):
        Unfortunately, the weakest link in the chain is still often likely to be the companies themselves if they do not invest sufficiently in cyber security, maintain emergency plans or carry out IT security certifications. By storing sensitive payment transaction data in ERP systems, email programmes or folder structures, companies are exposed to a high risk.

      If a company is thinking about increasing IT security in payment transactions, outsourcing additional processes to cloud providers is therefore often even an improvement on the status quo.

      Key decisions for a future-proof payment strategy

      To summarise, a clever IT setup for payment transactions opens up financial potential and is an important lever for improvement. Before launching major payment transaction projects, it can therefore make sense to think about the specific payment strategy (in addition to the banking strategy) and to clarify the following questions, for example:


      • Format development:
        Make or buy?
      • Administration of limits:
        In-house or with banks?
      • Governance:
        Centralisation or decentralisation of payment transactions?
      • Importance of security:
        Manual interfaces or automation?

      The next ERP migration or a project to replace legacy formats, for example, could be a good opportunity to take a fundamental look at the payment strategy and review the IT landscape - especially with regard to the use of a payment gateway.

      Source: KPMG Corporate Treasury News, issue 149, November 2024

      Authors:

      Nils Bothe, Partner, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG

      Sascha Uhlmann, Senior Manager, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG

      _______________________________________________________________________________________________________________

      1 A payment service provider (PSP) provides the technical infrastructure for processing cashless payment methods at the interface to the end customer - both online in e-commerce (via the checkout process) and in bricks-and-mortar retail (via payment terminals).

      2 An acquirer is a bank or financial service provider that handles the authorisation and processing of card payments and pays out the amounts to the merchant's bank accounts.

      3 The selection of providers was made at random. These are illustrative examples without any judgement as to the relevance or competence of the respective providers.

      4 Same comment as in footnote 3.

      5 The above selection of providers that can act as outsourcing partners for other parts of payment transactions was made at random. These are illustrative examples without any judgement as to the relevance or competence of the respective providers.

      6 Amazon Web Services (AWS) is an exemplary representative of the industry and uses numerous innovative tools in the area of early detection, defence and protection against cyberattacks. According to AWS, numerous attacks have already been averted with the help of these tools. ("In the first quarter of 2023 [...] we stopped over 1.3M outbound botnet-driven DDoS attacks")

      Source: Ryland, M. (2023, September 28). How AWS threat intelligence deters threat actors. AWS Security Blog. Available at: https://aws.amazon.com/de/blogs/security/how-aws-threat-intelligence-deters-threat-actors

