Payment Gateway Integration

Handling payments correctly is critical. Get it wrong and you lose money, customers lose trust, and you face legal liability. This is one area where you should absolutely use specialized services instead of building yourself.

Stripe: The Industry Standard

Stripe dominates the payment processing market. Excellent API design, comprehensive documentation, strong fraud detection, and support for every payment method. Stripe is the default choice.

Stripe handles enormous complexity behind a simple API. Tokenization, encryption, fraud detection, dispute handling, subscriptions, invoicing, marketplace payments. You use a few API calls. Stripe handles the rest.

PCI Compliance: The Core Problem

The Payment Card Industry Data Security Standard (PCI DSS) is the compliance framework for handling card data. It's complex. Non-compliant systems handling cards are liable for fraud, and payment networks can fine them heavily.

The core requirement: card data (numbers, CVV) must never touch your servers. It's encrypted client-side and transmitted directly to payment processors. Your servers never see it.

Stripe Elements: Client-Side Tokenization

Stripe Elements are UI components (JavaScript) that live in your form. The user enters card details into the element. The element encrypts the data and sends it to Stripe. Your server receives a token representing the card, but never the card itself.

With Elements, your server never touches card data. PCI scope is minimal. You can be PCI compliant without extensive security infrastructure.

Stripe Checkout: Redirect-Based Payments

Stripe Checkout is a pre-built, hosted payment page. You redirect the user to Stripe. They enter card details on Stripe's domain. Stripe returns them to your site with a payment confirmation.

Even simpler than Elements. Zero PCI compliance burden—your servers never touch card data. The downside: less control over the user experience.

Webhooks for Payment Confirmation

Payment confirmation is async. The user pays, Stripe processes it, and eventually confirms success or failure. Don't mark an order as paid based on the redirect alone.

Subscribe to the payment.success webhook. When Stripe sends the webhook, mark the order as paid. The webhook is the source of truth.

Why async? Processing takes time. Fraud checks run. Funds settle. Webhooks notify you when the status is known.

Idempotency in Payments

Payment requests must be idempotent. If a request is retried, don't charge the customer twice. Use idempotency keys: a unique identifier per payment.

Stripe supports idempotency keys in the Idempotency-Key header. Send the same key on retry and Stripe returns the same response without re-processing.

Subscription Billing

Implementing recurring billing from scratch is months of work. Failed payment retries, dunning (contacting customers about failed payments), proration (handling mid-cycle changes), upgrades, downgrades—it's complex.

Stripe Subscriptions handles all of this. Define a plan. Create a subscription. Stripe charges automatically, handles retries, and manages the lifecycle. This alone justifies using Stripe.

Refunds and Disputes

Customers request refunds. You process them through Stripe, which is simple. Customers also dispute charges (chargebacks). Stripe manages the dispute process, providing evidence submission and outcome tracking.

Understand Stripe's dispute process before you need it. Know what evidence to keep for disputes. Chargeback rates above a threshold can result in penalties.

Test Mode

Stripe provides test cards. Visa: 4242424242424242. These work only in test mode. Use them extensively before going live. Test successful payments, failed payments, disputed payments, everything.

Running tests against live Stripe would be unwise. Always use test mode for development and staging.

Webhooks and Retries

Stripe retries webhooks if your endpoint fails. Ensure your webhook handlers are idempotent—processing the same webhook twice should be safe.

Use the webhook's unique ID to detect duplicates if needed. But ideally, processes are idempotent regardless.
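
An added example (not from the original article or from Stripe's code) of a webhook handler that fits both the "source of truth" advice earlier and this section: it verifies the signature before trusting the event, a step the article leaves implicit, then deduplicates on the event ID. It assumes Stripe's documented Stripe-Signature format (`t=<unix time>,v1=<HMAC-SHA256 of "t.payload">`) and the `payment_intent.succeeded` event type; `OrderStore`, the `order_id` metadata field, the secret and the sample event are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # reject signed timestamps outside this replay window
SAMPLE_SECRET = "whsec_constructed_example"  # constructed, not a real secret
SAMPLE_PAYLOAD = json.dumps({  # constructed event body
    "id": "evt_constructed_1", "type": "payment_intent.succeeded",
    "data": {"object": {"metadata": {"order_id": "order-1001"}}},
}).encode()


def sign(secret, timestamp, payload):
    """HMAC-SHA256 over b"<timestamp>.<raw body>", hex encoded."""
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify(secret, header, payload, now):
    """Validate a header of the form "t=<unix>,v1=<hex>[,v1=<hex>...]"."""
    parts = [p.split("=", 1) for p in header.split(",") if "=" in p]
    stamps = [v for k, v in parts if k == "t"]
    sigs = [v for k, v in parts if k == "v1"]
    if len(stamps) != 1 or not stamps[0].isdecimal() or not sigs:
        return False
    ts = int(stamps[0])
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale timestamp: treat as a replayed delivery
    expected = sign(secret, ts, payload).encode()
    # compare_digest is constant-time, so a mismatch leaks no position info
    return any(hmac.compare_digest(expected, s.encode()) for s in sigs)


class OrderStore:
    """In-memory stand-in for an orders table plus a processed-events table."""
    def __init__(self):
        self.paid = set()
        self.seen_events = set()

    def handle(self, secret, header, payload, now=None):
        """Return the HTTP status the webhook endpoint would send back."""
        now = int(time.time()) if now is None else now
        if not verify(secret, header, payload, now):
            return 400  # unsigned, tampered or replayed: never touch the order
        event = json.loads(payload)
        if event["id"] not in self.seen_events:  # a retry falls through to 200
            if event["type"] == "payment_intent.succeeded":
                self.paid.add(event["data"]["object"]["metadata"]["order_id"])
            self.seen_events.add(event["id"])
        return 200
```

The signature must be computed over the raw request body, before any JSON parsing or re-serialization. In a real service the processed-event IDs belong in durable storage with a unique constraint, and Stripe's official libraries (for example `stripe.Webhook.construct_event` in stripe-python) perform the signature check for you.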

Cost and Revenue Impact

Stripe charges 2.9% + 30 cents per transaction for card payments. This is standard. If processing payments worth $100,000 monthly, Stripe costs ~$3,000.

This is reasonable. Building payment processing yourself would cost far more in development and compliance. Accept the cost.

Warning

Never build custom card processing. Never store card numbers. Never accept raw card input and transmit it to Stripe. Use Stripe Elements or Stripe Checkout. They handle encryption and PCI compliance correctly. Custom code almost always has security holes.

Tip

Stripe's documentation is excellent. Read it thoroughly. Understand idempotency, webhooks, and testing. When you're confident, go live. But test extensively first on staging or a real Stripe test account.