Payment Processing


What Actually Happens Between "Pay Now" and "Payment Confirmed"

A clear look at the mechanics of modern payment processing, the three-stage journey every transaction takes, the players involved, and the decisions that quietly shape whether a sale completes or doesn't.

From a customer's side, an online payment looks like one click. From the merchant's side, that single click triggers a tightly choreographed sequence involving several banks, a card network, an encryption layer, an authorisation engine, and a settlement system, each performing its own job within a couple of seconds.

For most business owners, the inner mechanics of this sequence are invisible until something breaks. A transaction declines for no obvious reason. A settlement arrives later than expected. A chargeback turns up weeks after a sale that seemed clean. By the time the issue surfaces, the merchant is troubleshooting a system they haven't fully understood, and trying to make sense of jargon that was never explained clearly.

The goal of this article is straightforward: walk through what actually happens when a customer pays, who's doing what, what each step protects against, and how merchants can make decisions about their own setup with eyes open. No jargon for jargon's sake, and no marketing claims dressed up as fundamentals.

What Payment Processing Actually Is

Payment processing is the chain of steps that moves money, and the information about that money, from a customer's account to a merchant's account when a digital transaction occurs. It covers card payments, debit transactions, wallet payments, bank-based methods, and increasingly account-to-account flows.

Three things are happening at once whenever a payment is processed:

  1. Verification. Confirming that the customer's payment instrument is legitimate, has funds available, and is being used by the person it belongs to.
  2. Movement. Initiating the actual transfer of money between the customer's bank and the merchant's bank.
  3. Protection. Encrypting sensitive data, applying fraud controls, and ensuring the transaction complies with regulatory requirements.

A payment processor (or, more accurately, the network of providers that includes the gateway, the acquirer, the card network, and the issuing bank) handles all of this on the merchant's behalf. Done well, it's invisible. Done badly, it shows up as declined transactions, frustrated customers, and revenue that quietly leaks out the back of the business.

The Three Stages Every Card Transaction Goes Through

Every card transaction, online or in person, moves through three distinct stages: authorisation, authentication, and settlement. They run quickly enough that customers experience them as one moment, but each is doing different work.

Authorisation

This is where the system asks a single question: can this transaction go through?

The sequence:

  1. The customer enters card details at an online checkout or in an app, or taps a card at a terminal.
  2. Those details get encrypted and sent to the acquiring bank (the merchant's bank).
  3. The acquiring bank passes the request to the card network (Visa, Mastercard, Amex, etc.).
  4. The card network routes it to the issuing bank (the customer's bank).
  5. The issuing bank checks the card number, expiry, security code, billing details, available funds, and any risk flags. If everything looks right, it approves the authorisation.

What sounds like five separate steps takes a couple of seconds. The payment processor is the entity coordinating the communication, packaging the data correctly, and making sure each party gets what it needs to make a decision.

Authentication

Once the issuing bank says yes, the system formalises the approval.

What happens here:

  1. The issuing bank confirms approval to the card network.
  2. The card network passes the approval back through the acquiring bank.
  3. The issuing bank places a temporary hold on the customer's funds in the amount of the purchase.
  4. The customer sees a confirmation screen, receipt, or success message.

If anything failed during authorisation (insufficient funds, suspicious activity, an invalid card detail, or a risk decision by the issuer), the chain reverses and a decline reason is returned to the customer instead.

In modern setups, 3D Secure sometimes layers in here as an additional verification step, particularly under Strong Customer Authentication rules in Europe. When a transaction is flagged as needing extra confirmation, the customer is briefly redirected to their bank to confirm, typically with biometrics or an app prompt, before the authorisation is finalised.

Settlement

The money hasn't actually moved yet. Settlement is where that happens.

The mechanics:

  1. At the end of each processing day, the acquirer batches up the approved transactions.
  2. The batch is sent to the card network.
  3. The card network coordinates the actual fund movement between issuing banks and acquiring banks.
  4. The customer's bank releases the held funds.
  5. The acquirer credits the merchant's account.

This stage typically takes one to a few business days, depending on the payment method, the acquirer's schedule, the merchant category, and the markets involved. Cross-border transactions can take longer; some local instant-payment methods settle in seconds or minutes.

A key thing to understand: "processed" doesn't always mean "paid." A transaction can be authorised and authenticated, and the customer can see it as complete, without the funds having actually reached the merchant's account yet.

Who Does What: The Cast of Characters

The terms used in payments aren't always intuitive. A quick reference:

Payment gateway. The piece of software, often a checkout integration, that captures payment information on the merchant's side and securely transmits it to the processor. The front door of the transaction.

Payment processor. The entity that coordinates the communication between the gateway, the acquirer, the card network, and the issuing bank. The traffic controller of the transaction.

Acquiring bank. The merchant's bank, which receives funds from card transactions on the merchant's behalf.

Issuing bank. The customer's bank, which issued the card being used.

Card network. Visa, Mastercard, American Express, Discover, and similar networks. The infrastructure connecting issuers, acquirers, and the transaction flow.

POS terminal. The hardware-and-software combination used by physical retailers to accept payments in person.

ACH. A US-based bank-to-bank transfer network used for things like direct deposit, recurring debits, and bill payments. Different countries have their own equivalents: SEPA in Europe, Faster Payments in the UK, Pix in Brazil, UPI in India.

Address Verification System. A check that compares the billing address the customer entered against the address on file with the issuing bank. Helps reduce certain types of card-not-present fraud.

Tokenisation. The process of replacing a card number with a non-sensitive substitute, a token, that can be stored or referenced without exposing the underlying card data.

Knowing who plays which role helps when something goes wrong, because the right contact for fixing the problem depends on which part of the chain is causing it.

How to Make Your Payment Setup Actually Perform

Beyond just accepting payments, there are a few decisions that determine whether a setup helps or hinders the business.

Make Checkout Fast

Online shoppers expect speed. Most studies put modern checkout expectations in the single-digit-seconds range, and digital wallets, which dominate a significant share of global online purchases, exist largely because they're faster than typing card details.

Storing payment credentials securely (through tokenisation, not by holding raw card data) lets returning customers complete subsequent purchases in a few taps rather than a few minutes. The conversion impact is consistently meaningful.
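
As an added illustration (not Paylinq's code or any processor's API), the sketch below shows tokenisation as defined in the glossary above and as recommended here for returning customers: the merchant keeps only a random token and the last four digits, while the card number stays inside a vault. The TokenVault class, the tok_ prefix and the in-memory dictionaries are assumptions made for the example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card numbers; rejects typos before anything is stored."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault; a real one is an isolated, access-controlled service."""

    def __init__(self):
        # Both maps live inside the vault; nothing outside it ever holds a card number.
        self._pan_by_token = {}
        self._token_by_pan = {}  # same card -> same token, so repeat customers match

    def tokenise(self, pan: str) -> dict:
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = self._token_by_pan.get(pan)
        if token is None:
            # Random, not derived from the card number, so it cannot be reversed offline.
            token = "tok_" + secrets.token_urlsafe(16)
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        # This is all the merchant stores: the token plus last four digits for display.
        return {"token": token, "last4": pan[-4:]}

    def detokenise(self, token: str) -> str:
        """Called only inside the vault boundary when a charge is sent for authorisation."""
        return self._pan_by_token[token]


# Constructed sample: 4111 1111 1111 1111 is a widely used test card number.
vault = TokenVault()
saved_card = vault.tokenise("4111 1111 1111 1111")
```

A breach of the merchant's customer database in this design exposes tokens and last-four digits, neither of which can be used to make a card payment elsewhere.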

Make Mobile-Native Decisions

Mobile commerce now drives a large and growing share of global digital purchases. A checkout that works fine on desktop but breaks on a phone is leaking conversion every day. Apple Pay, Google Pay, and similar wallet-based flows aren't optional features. They're how a large portion of customers prefer to pay on mobile.

Make Security Visible

Security is both a real protection and a customer-facing trust signal. A visible 3D Secure badge, a clean SSL/TLS connection, and trust marks throughout checkout reduce the friction customers feel when handing over payment details.

The actual security layer matters too: PCI DSS compliance, tokenisation, and modern authentication standards aren't optional in a serious setup. The difference between a stack that handles these well and one that doesn't shows up in fraud rates, chargeback ratios, and regulatory exposure.

Offer the Right Payment Methods

Card support alone isn't enough in many markets. Digital wallets now reach the majority of digital consumers globally, while buy now, pay later services and account-to-account payments have grown into substantial categories in their own right.

The right answer isn't "offer everything." It's "offer what your customers actually want in each market." A Polish customer expects BLIK; a Dutch one expects iDEAL; a UK customer increasingly expects Apple Pay or open-banking options alongside cards. Matching the offering to the geography is one of the higher-leverage conversion levers available.

Protecting the Business from Fraud

Online fraud is a continuous threat, not an occasional incident. A few practical steps materially reduce exposure:

  • Choose a processor with serious security depth. PCI DSS compliance is the baseline, not the ceiling. Strong fraud tooling, tokenisation, and real-time risk scoring are what actually protect against the volume and sophistication of modern attacks.
  • Capture the data that helps verify legitimacy. Billing address, CVV, and other risk signals reduce the success rate of stolen-card attempts.
  • Use 3D Secure 2 intelligently. Risk-based authentication keeps friction low for legitimate customers while challenging the transactions that genuinely warrant it.
  • Keep all systems patched. Outdated checkout software, plugins, and extensions are a frequent entry point. This isn't glamorous work; it's just necessary.
  • Watch your chargeback ratio carefully. Card networks impose monitoring programmes once chargeback ratios drift above thresholds. Staying well below the limit isn't only about fraud prevention. It protects the processing relationship itself.

What Strong Payment Processing Looks Like When Choosing a Provider

When evaluating a payment processor, surface-level features tend to look similar across providers. The factors that actually predict whether a setup will perform sit deeper:

  • Range of supported payment methods, with real coverage of the markets the merchant operates in
  • Approval-rate optimisation: routing logic, retry handling, BIN-level intelligence
  • Fraud and risk tooling, ideally integrated rather than bolted on
  • Settlement flexibility, speed, currencies, and reporting clarity
  • Compliance handling across the relevant frameworks
  • Operational support that actually understands the business, not just the technology
  • Transparent pricing rather than fees buried in FX margins or ambiguous markups

A processor that performs well across all of these is a fundamentally different operational reality from one that does the basics and lets the merchant figure out the rest.

FAQ

How long does it take to process a payment?

The actual authorisation and authentication happen in seconds. Settlement, the funds actually arriving in the merchant's account, typically takes one to a few business days, depending on the method, market, and acquirer schedule. Some instant payment rails settle in seconds.

Does "processed" mean "paid"?

Not always. A transaction can be authorised and authenticated, and look complete from the customer's side, without funds yet being settled to the merchant. The settlement step is when money actually moves.

How secure is modern payment processing?

Modern setups, with PCI DSS compliance, tokenisation, 3D Secure 2, and proper encryption, are significantly more secure than older systems. That said, no system is completely immune to fraud, which is why layered defences (a secure processor, fraud tooling, authentication, and monitoring) matter more than any single control.

Why are card transactions declined?

Common reasons include typos in card details, insufficient funds, mismatched billing information, expired cards, suspected fraud, the issuing bank's own risk decisions, and technical issues anywhere in the chain. A surprising share of declines are recoverable through smart retry logic and routing.

How do I choose a payment processor?

The factors that matter most over time are payment method coverage in your markets, approval-rate performance, security and compliance depth, settlement structure, support quality, and pricing transparency. Features matter; the underlying posture of the provider matters more.

Will my business qualify for a merchant account?

Most established businesses with clean credit history and complete documentation qualify without difficulty. Higher-risk verticals (gaming, crypto, certain subscription models) may need a specialist provider with appetite for the specific industry profile.

How much does payment processing cost?

Card processing fees commonly fall in a range of roughly 1.5-3.5% per transaction for standard verticals, with higher rates applying to higher-risk categories. The headline rate isn't the whole story, though. FX margins, scheme fees, gateway fees, chargeback fees, and other components can add meaningful cost on top.

The Bottom Line

Payment processing looks instantaneous to the customer because it's been engineered to be. Underneath, it's a coordinated sequence involving multiple banks, a card network, an encryption layer, an authorisation engine, and a settlement system, each doing its specific job, each with its specific failure modes.

Understanding the basics gives merchants the language and the framing to make better decisions: which provider to pick, what to ask, where their money is at any given moment, and what to do when something doesn't go through. The complexity doesn't disappear, but it stops being a mystery.

For businesses serious about growth, that clarity is where smarter infrastructure starts paying off.

At Paylinq, we build payment infrastructure for merchants who want the underlying mechanics to work for them, through a single integration that brings together cards, wallets, local methods, smart routing, fraud protection, and clean settlement reporting. If you'd like to talk through what stronger payment infrastructure would look like for your business, get in touch with our team.

This article is provided for informational and educational purposes only and does not constitute financial, legal, tax, regulatory, or compliance advice. Specific operational, payment, and commercial decisions should be made in consultation with qualified professionals familiar with your jurisdiction and business model. References to specific providers, methods, schemes, or scenarios are illustrative only and do not imply endorsement or guarantee. The authors and publisher accept no liability for actions taken based on this content. Information may become outdated as payment infrastructure, regulations, and market conditions evolve.
