What is a payment gateway? 2026 Malaysia guide

Key takeaways:

• A payment gateway is the front-end technology that captures and encrypts customer payment data at checkout, then passes it to a processor and acquirer to move funds into your business account.

• In Malaysia, a payment gateway needs to support card networks plus local rails — FPX, DuitNow QR, and major e-wallets — and operate under Bank Negara Malaysia (BNM) oversight.

• Airwallex combines a payment gateway with multi-currency accounts and local Malaysian acquiring, so businesses can accept FPX, DuitNow, and 160+ international payment methods on one platform.

What is a payment gateway? In short, it's the technology that lets your business accept payments online.

For Malaysian businesses, this is one of the most important infrastructure choices you'll make. Your gateway influences everything from approval rates to fees to settlement speed.

This guide explains what a payment gateway is and how it works in Malaysia in 2026. It also covers the local rails to know about and what to look for before you choose a gateway.

What is a payment gateway?

A payment gateway is the technology that captures and encrypts your customer's payment details at checkout. It then sends that data securely to the next stage of the payment process.

Think of it as the digital equivalent of a card terminal in a physical store.

When a customer in a shop taps a card on the terminal, the device reads the card details and passes them on for authorisation. A payment gateway does the same job online. It captures card numbers, FPX bank selections, or e-wallet logins, and encrypts that data. It then hands it off to the systems that actually move the money.

What a gateway doesn't do is move funds itself. It doesn't approve or decline transactions, hold money, or transfer it to your account. Those tasks belong to the payment processor, the customer's issuing bank, and your acquiring bank — which we cover next.

Payment gateway vs payment processor vs merchant account

These three terms often get mixed up, but they refer to different parts of your payment stack.

The payment gateway is the front-end layer. It captures your customer's payment data at checkout and encrypts it.

The payment processor is the back-end engine. It takes that encrypted data and routes it through the relevant card network or local rail. It then communicates with the customer's bank, confirms whether the transaction is approved, and handles settlement into your account.

A merchant account sits in between. It temporarily holds funds after the processor approves a transaction, before they reach your business account. Many modern platforms pool merchants under a shared account, so you don't need to apply for one separately.

For a deeper walk-through of how the gateway and processor interact in Malaysia, see our guide on payment gateways vs payment processors.

How a payment gateway works in Malaysia

Every online payment follows the same broad sequence, but the route changes depending on whether the customer pays by card or by a local Malaysian rail. Here’s how it works:

Step-by-step payment gateway flow

Here is what happens in the seconds after a customer clicks "Pay now":

1. Capture. The gateway collects the payment details — card number, FPX/DOBW bank selection, or e-wallet log-in — on your checkout page.

2. Encryption. It encrypts the data and may tokenise card numbers, so the raw details never sit on your servers.

3. Routing. The encrypted data goes to your acquiring bank. The acquirer forwards it to the relevant card network (Visa, Mastercard, UnionPay) or to PayNet for local rails.

4. Authorisation. The customer's issuing bank checks for funds, runs fraud checks (including 3D Secure where applicable), and approves or declines.

5. Response. The result comes back through the same chain to the gateway, which updates the checkout page in real time.

6. Settlement. Funds move from the issuing bank through the processor and into your account. This usually takes a few business days, depending on your provider and payment method.

How local rails flow differently from cards

Card payments route through international networks like Visa and Mastercard. Malaysia's local methods do not.

FPX has long been the country's main bank-transfer rail, but PayNet is rolling out DuitNow Online Banking/Wallets (DOBW) as the next-generation replacement. DOBW consolidates online banking and e-wallet payments under a single PayNet rail.

DuitNow QR is Malaysia's interoperable QR standard. Customers scan one code with any participating bank app or e-wallet, and PayNet handles the back-end routing.

For all of these, your gateway only handles the checkout layer. The actual money movement runs through PayNet, not the card networks.

4 types of payment gateways

Payment gateways come in four broad shapes. The right one for your business depends on how much control you want over the checkout, and how much technical work you can take on.

1. Hosted gateways

The customer is redirected from your site to the gateway's own secure page. PayPal is a familiar example. Setup is fast and PCI compliance sits with the provider, but you have less control over the checkout look.

2. API-integrated gateways

The payment form is embedded in your site via an API, so the customer never leaves. You get a branded, on-page checkout, but it requires developer support and more PCI work.

3. Self-hosted gateways

You collect payment data on your own server and send it to the gateway via a direct post. This gives the most control but also the most responsibility, including full PCI DSS compliance. It is usually only worth it for large merchants with in-house engineering.

4. Bundled platforms

These combine the gateway with the processor and acquirer in a single service. You get one contract, one dashboard, and one point of contact when something goes wrong. Most Malaysian SMEs choose this route because it removes coverage gaps between separate vendors. Airwallex, Stripe, and Adyen all work this way.

How payment gateways are regulated in Malaysia

Payment service providers in Malaysia are licensed and supervised by Bank Negara Malaysia (BNM). The exact licence depends on what part of the payment chain a provider operates in.

Licensing regimes

A provider that moves customer funds needs a licence under the Money Services Business Act 2011 (MSB Act). This covers remittance and other money services businesses.

A provider that issues e-money to customers needs an Approved e-Money Issuer licence. Merchant acquirers (the entity that connects merchants to card schemes and local rails) must be registered under the Financial Services Act 2013.

Some providers hold more than one of these, depending on the products they offer. Always check that your gateway's licensing matches the services you're using. Operating with an unlicensed provider exposes your business to regulatory and counterparty risk.

Security standards

Card-related transactions must meet PCI DSS, the global Payment Card Industry Data Security Standard. Most modern gateways take on the heavier compliance work by tokenising card data and processing it on your behalf.

3D Secure 2.0 (3DS2) adds a layer of authentication for card payments, helping banks distinguish genuine customers from fraud. Customer data handling also has to comply with Malaysia's Personal Data Protection Act 2010 (PDPA).

What to look for in a payment gateway

Once you know what a gateway does and how it's regulated, the real question is which one fits your business. Here are five factors to consider:

1. Local payment method coverage

At minimum, your gateway should support cards, FPX or DOBW, DuitNow QR, and the major e-wallets — Touch 'n Go, GrabPay, Boost, and ShopeePay. If you sell BNPL-friendly items, add Atome, Grab PayLater, or SPayLater.

Missing the methods your customers actually use will hurt conversion at checkout.

2. Fees beyond the headline MDR

The Merchant Discount Rate (MDR) is only one cost. Watch for fixed per-transaction fees in RM, monthly or setup fees, and chargeback fees per dispute. If you accept foreign currencies, also factor in FX spreads above the interbank rate.

A gateway that looks cheap on the MDR can become expensive once you add up everything else. For side-by-side fee comparisons, see our guide to payment gateway providers in Malaysia.

3. Settlement timing and like-for-like settlement

Check how long it takes for funds to land in your account. Also check whether the gateway lets you settle in the currency the customer paid in.

Like-for-like settlement matters most if you sell internationally. Without it, every foreign-currency payment gets converted to ringgit, often at a marked-up rate.

4. Integration

Most businesses don't need a custom build. Pre-built plugins for Shopify, WooCommerce, and Magento let you go live in hours. Hosted checkout pages and payment links are even faster. A direct API integration gives you full control but needs developer time.

5. BNM licensing and PCI compliance

Confirm your gateway is licensed or registered with Bank Negara Malaysia for the services it provides, and that it's PCI DSS compliant.

Why Malaysian businesses choose Airwallex as their payment gateway

Domestic Malaysian payment gateways do a solid job at the basics. They support FPX, DuitNow, and the major e-wallets, and get you accepting local payments quickly.

But most Malaysian businesses need more than a domestic checkout. You might pay overseas suppliers in their own currency. You might run ad spend in US dollars on Meta or Google. Or you might sell to customers in Singapore, Australia.

That's where Airwallex comes in. We combine a payment gateway with multi-currency accounts and BNM-licensed merchant acquiring. From one platform, you can accept, hold, and pay out in 20+ currencies.

Here’s what you get with Airwallex:

• 160+ local and global payment methods — including FPX, DOBW, DuitNow QR, GrabPay, and Touch 'n Go — through a single integration.

• Like-for-like settlement in up to 12 currencies — receive payments in the currency the customer paid in, with no forced conversion to ringgit.

• BNM-licensed acquiring — Airwallex is licensed in Malaysia as a remittance business under the Money Services Business Act 2011, an E-Money Issuer, and a registered merchant acquirer under the Financial Services Act 2013.

• Transparent pricing — from 1.4% + RM0.50 for local payment methods, with no monthly or setup fees.

• Plug-and-play integrations — pre-built plugins for Shopify, WooCommerce, and Magento, or a full API for custom checkouts.

Frequently asked questions

What is a payment gateway in simple terms?

It's the technology that captures your customer's payment details at checkout and sends them on for processing. Think of it as a digital card terminal. It doesn't move money itself — it just collects, encrypts, and forwards the data.

Is FPX a payment gateway?

No, FPX is a payment method, not a gateway. Your gateway captures the FPX selection at checkout, then routes the transaction through PayNet rather than a card network.

What is an example of a payment gateway?

Stripe, PayPal, Adyen, HitPay, and Airwallex are all payment gateways available in Malaysia. They vary in their support for local methods like FPX, DOBW, and DuitNow QR, as well as in pricing and settlement currencies.

How much does a payment gateway cost in Malaysia?

Pricing varies by provider. Most charge a Merchant Discount Rate (MDR) per transaction, plus a fixed RM amount per transaction. Watch for setup, monthly, chargeback, and FX fees on top. The cheapest headline MDR isn't always the cheapest gateway once everything is added up.

Do I need a merchant account to use a payment gateway in Malaysia?

Not usually. Most modern gateways pool merchants under a shared account, so you can start accepting payments without applying for a standalone merchant account. Traditional bank-acquired setups still require one, but they're slower to onboard and harder to qualify for as a smaller business.

Is a payment gateway safe to use?

Yes, if you choose one that is licensed in Malaysia and meets the relevant security standards. Look for Bank Negara Malaysia licensing or registration, PCI DSS compliance for card data, and 3D Secure 2.0 for card authentication. Reputable gateways also tokenise card numbers so the raw data never sits on your servers.

How do I choose a payment gateway in Malaysia?

Start with the payment methods your customers actually use, then compare total cost (MDR plus all add-on fees), settlement timing, currency support, and integration with your platform. Finally, confirm the provider is BNM-licensed and PCI DSS compliant. If you sell or plan to sell overseas, prioritise like-for-like multi-currency settlement.

Can I use more than one payment gateway?

Yes, and some businesses do this for redundancy or to optimise costs by method. The trade-off is added complexity: separate dashboards, separate reconciliations, and separate contracts. Most Malaysian SMEs are better served by a single gateway with broad method coverage.

Does my Shopify store need a separate payment gateway in Malaysia?

Yes. Shopify Payments isn't available in Malaysia, so you'll need a third-party gateway. See our Shopify payment gateways guide for options.

Sources:

1. https://knowledgebase.paynet.my/hc/en-us/articles/49693853472025-What-is-DuitNow-Online-Banking-Wallets

2. https://www.bnm.gov.my/legislation

This publication does not constitute legal, tax, or professional advice from Airwallex nor substitute seeking such advice, and makes no express or implied representations / warranties / guarantees regarding content accuracy, completeness, or currency. If you would like to request an update, feel free to contact us at [[email protected]]. Airwallex (Malaysia) Sdn. Bhd., a company incorporated under the laws of Malaysia with company registration number 201801007747 (1269761-X), is regulated as a licensed remittance business under the Money Services Business Act 2011 (Licence number 00743 with an expiry date of 3 August 2028, an E-Money Issuer and a registered merchant acquirer under the Financial Services Act 2013.