How to build a payment gateway in the UK

Key takeaways

• 77% of global consumers say they'll abandon their cart if their preferred payment method isn't available — your gateway choice directly affects your bottom line.¹

• Building a custom gateway costs £80,000–240,000 upfront and takes 6–11 months, with annual maintenance running around 20% of that build cost every single year.² ³

• Airwallex, Stripe, GoCardless and Adyen all process payments for UK businesses, but Airwallex combines gateway, processing and multi-currency accounts in one platform — 160+ payment methods, 130+ currencies and direct settlement in 60+ countries, cutting out the FX leakage that eats into margins when you stack multiple providers.

If you're researching whether to build your own payment gateway, you're about to make a decision that'll shape your infrastructure for years.

Here's the reality: you can spend six figures and half a year building your own system, or you can integrate with an existing provider and start processing payments next week.² ³ Both paths work. The question is which one makes sense for your business.

In the UK, this isn't just a technical decision. You're dealing with the Payment Services Regulations 2017, PSD2's Strong Customer Authentication rules, PCI DSS compliance and the FCA looking over your shoulder.⁴ ⁵ Get it wrong and you're facing regulatory headaches on top of your technical challenges.

This guide cuts through the noise. We'll walk you through what it actually takes to build a payment gateway in 2026, when building makes sense (and when it doesn't), and how UK businesses choose between platforms like Airwallex, Stripe, GoCardless and Adyen.

How to build a payment gateway in the UK (quick answer)

UK businesses considering building a payment gateway have two realistic options:

Build your own gateway— You're talking about a full system that captures payment details, encrypts everything, routes authorisation requests to banks and card schemes, and handles all the PCI DSS, SCA and fraud responsibilities yourself.

Use a third-party provider— Integrate with a PSP that's already got the gateway and processing infrastructure sorted, certified and regulated. You connect via their APIs, hosted checkout pages or payment links.

If you build from scratch, expect this:

• Timeline: 6–11 months from planning to launch

• Upfront cost: £80,000–240,000+ for most builds (£400,000–800,000 for complex enterprise setups)² ³

• Ongoing cost: Annual maintenance, PCI audits, security ops and compliance updates — typically 20% of your initial build cost, every year³

The technical roadmap looks like:

• Define scope — gateway only, or gateway plus processing?

• Design your architecture and choose your stack

• Integrate with acquirers and support 3D Secure 2 / SCA

• Build secure data handling, tokenisation and PCI-compliant flows

• Create merchant dashboards, webhooks and reporting

• Test, certify and get any FCA registrations you need

• Monitor, maintain and keep up with regulatory changes

Using a provider like Airwallex, for instance, the path is:

• Pick an FCA-regulated, PCI Level 1 provider

• Choose your integration — links, hosted pages, widgets or full APIs

• Configure payment methods, currencies, SCA rules and fraud settings

• Test in sandbox, go live, then optimise

For most UK ecommerce brands, SaaS platforms and marketplaces, the second path is faster, cheaper and less risky — especially if you're selling internationally.

What is a payment gateway and how does it work?

A payment gateway is the secure link between your checkout and the banks that move money. When a customer enters their card details, the gateway encrypts that data, sends an authorisation request to the processor or acquirer, and returns an approved or declined response in seconds.²

From your customer's perspective, it's just the checkout form. Behind the scenes, it's the first step in a chain that includes authorisation, clearing, and settlement.

Payment gateway vs payment processor

People use these terms interchangeably, but they're different things:

For a deeper look at how these pieces fit together, check out our guide to payment gateways vs payment processors.

Should you build your own payment gateway?

Building your own gateway is tempting. You control the UX, you own the data, you're not locked into one provider's roadmap.² ³ But, you're also taking on serious engineering, security and regulatory obligations.² ³ ⁴

When building your own gateway makes sense

A custom gateway can work if you:

• Operate at serious scale — At high volumes, shaving a few basis points off interchange or optimising authorisation rates can save real money

• Run complex payment flows — Multi-sided marketplaces, specialised B2B billing or payment platform models can be hard to fit into standard PSP setups

• Want to monetise payments — If you're building a PSP or payfac business, owning the gateway is part of the product

• Need deep data access — Direct access to raw authorisation logs and fraud signals lets you build custom risk models² ³

The real costs and risks

Here's what you're actually signing up for:

Capital and time— ScienceSoft estimates £80,000–240,000+ and 6–11 months for end-to-end development.² Akurateco puts simple in-house builds at £400,000, with complex enterprise systems hitting £800,000+.³

Ongoing maintenance— Staying PCI-compliant, secure and feature-complete isn't a one-off project. Annual maintenance typically runs at 20% of your initial build cost.³

PCI DSS obligations— Once you touch raw card data, you're responsible for PCI DSS compliance — audits, vulnerability scans, pen testing, the lot.

Regulatory complexity— If you hold funds or offer payment services beyond pure technical support, you're dealing with FCA authorisation under the PSRs 2017 and EMRs 2011, including capital requirements and safeguarding.

Fraud and chargeback risk— You need fraud detection, monitoring and chargeback management in place, and you carry the financial and reputational risk if something goes wrong.

For most UK retailers, SaaS businesses and marketplaces, those trade-offs don't stack up against using a modern provider.

Can you create your own payment gateway for free?

No. While you can use open-source components to cut some licensing costs, you can't dodge:

• Infrastructure and hosting

• Developer and security engineering time

• PCI DSS assessments and scanning

• Legal and compliance work

• Ongoing maintenance and incident response

The idea of creating a free payment gateway is a myth — there's no such thing in a regulated market.

How to build a payment gateway from scratch in 2026

If you've run the numbers and decided to build, here's the technical roadmap for the UK market.

1. Define scope and business model

Start by getting clear on:

• Are you building gateway only, or gateway plus processing and settlement?

• Are you serving your own business, or acting as a platform for other merchants?

• Which payment methods and currencies do you need at launch and in year two?

• Will you monetise this externally, or is it purely for internal use?

These decisions shape your architecture, licensing requirements and economics.

2. Design architecture and choose your stack

You need an architecture that can handle availability, latency, security and observability:

• Backend services (Java, Go, Node.js,.NET)

• Encrypted data stores for payment and token data

• Message queues or streams for async processing and retries

• Webhooks and dashboards for merchants and internal teams

• 24/7 monitoring, logging and alerting

Don't forget UK GDPR (and possibly EU GDPR) for data residency and privacy.

3. Integrate with acquirers and processors

Custom gateways connect to one or more acquiring banks or independent processors.

You'll need to:

• Negotiate acquiring relationships and scheme agreements

• Build API integrations for auth, capture, settlement, refunds and disputes

• Support 3D Secure 2 and Strong Customer Authentication for UK and EEA customers

• Handle scheme-specific error codes and network quirks

Each integration adds testing, certification and ongoing change management.

4. Build core gateway features

At minimum, you're building:

• Hosted payment pages or embeddable checkout components

• REST APIs and SDKs for cards, wallets and bank payments

• Tokenisation for saved cards and recurring billing

• Idempotent operations to prevent duplicate charges

• Proper handling for partial captures, reversals and refunds

• Webhooks and dashboards for reconciliation and support

Our eCommerce gateway guide shows how these features work in real checkout flows.

5. Implement PCI DSS and security controls

Security isn't optional. You must:

• Encrypt sensitive data in transit and at rest

• Implement tokenisation to minimise card data exposure

• Harden networks, endpoints and APIs

• Apply least-privilege access controls and audit trails

• Meet all 12 PCI DSS requirements across network, data, access and monitoring

Our PCI DSS guide covers what this means in practice.

6. Handle UK regulatory requirements

If you're purely a technical service provider and never hold funds, your PSRs/EMRs obligations are lighter. But, once you:

• Hold customer funds

• Offer payment accounts

• Initiate payments from customer accounts

You'll likely need FCA authorisation or registration as a payment institution or e-money institution. That brings capital requirements, safeguarding obligations, governance rules and regular reporting on top of your technical build.

7. Test, certify, launch and iterate

Before you go live:

• Run functional, performance and security testing

• Complete PCI DSS validation and scheme certifications

• Pilot with limited traffic and close monitoring

After launch, you're committing to:

• 24/7 monitoring of uptime, latency, errors and fraud

• Continuous patching, vulnerability management and PCI re-certification

• Adding new payment methods and markets in a controlled way

• Keeping up with FCA updates, PSRs/EMRs changes and SCA rule tweaks⁴ ⁵

For most businesses, it's this long-term operational burden that tips the decision towards buying.

How to implement a payment gateway via a provider

For most UK teams, the pragmatic question isn't whether to build, but how to integrate a gateway quickly without giving up control.

1. Choose a regulated, PCI-certified provider

Look for:

• FCA regulation or registration in the UK

• PCI DSS Level 1 certification as a service provider

• Transparent pricing on card fees, FX markups and chargebacks

• Clear SCA, 3D Secure and fraud-prevention capabilities

Airwallex, Stripe, Adyen, Worldpay, GoCardless and Mollie all meet PCI DSS requirements, but their coverage, pricing and multi-currency support vary significantly.

2. Pick an integration pattern

Common options:

• Payment links — No-code URLs for quick B2B collections or social/email sales³

• Hosted payment pages — The provider hosts the full checkout, reducing your PCI scope

• Drop-in widgets — Low-code components you embed in your site or app

• Full APIs and SDKs — For custom flows or complex platforms

Your choice depends on engineering capacity, timeline and how much you need to customise the checkout.

3. Configure payment methods, currencies and risk

A modern PSP should let you:

• Support local payment methods alongside cards — wallets, bank transfers, regional schemes

• Accept and display prices in multiple currencies, not just GBP

• Handle 3D Secure 2 and SCA exemptions correctly for UK and EEA customers⁵

• Set fraud rules, velocity limits, risk thresholds and allow/block lists

Airwallex processes 160+ local payment methods across 130+ currencies, with like-for-like settlement in 60+ countries — so you can let customers pay in their own currency and control when FX happens.

4. Test, launch and optimise

Before you go live:

• Run end-to-end tests for happy paths and failure cases (insufficient funds, SCA failures, timeouts, refunds)

• Validate settlement timing, reconciliation exports and accounting integrations

• Check that error messages and retry flows make sense to customers

After launch, track:

• Authorisation rates by market, method and issuer

• Cart abandonment and drop-off at each checkout step

• Chargeback and fraud rates

• FX costs as a percentage of international revenue

Work with your provider's team to tune routing, risk and UX over time.

Build vs buy: cost and risk comparison

Here's how the two paths stack up, using data from ScienceSoft and Akurateco:² ³

Security checklist for UK merchants

Even when you use a PSP, you've got responsibilities. When you're evaluating providers, check:

• PCI DSS Level 1 certification as a service provider

• Tokenisation and strong encryption ²

• 3D Secure 2 and SCA support for card payments⁵

• Fraud-prevention tools and dashboards

• Clear incident-response and breach-notification processes

Our guide to PCI-compliant payment gateways compares Airwallex, Stripe, Adyen, Worldpay, Checkout.com and Mollie on these criteria.

How to compare payment gateways and processors

Whether you build or buy, you still need to pick the right stack.

Key comparison criteria

When you're looking at Airwallex, Stripe, GoCardless, Adyen, Worldpay and Mollie, focus on:

Coverage and payment methods

• Countries and currencies supported

• Depth of local payment methods, not just cards

Pricing and FX

• Headline card and APM fees for UK and international transactions

• FX markups on cross-border payments

• Extra fees for chargebacks, fraud tools or advanced features

Settlement and treasury

• Settlement speed and consistency by market and method

• Can you settle in multiple currencies, or are you forced back into GBP?

Developer and operational experience

• Quality of docs and SDKs

• Sandbox environments and webhook support

• Support SLAs and access to solutions engineers

Stripe tends to win with developer-led SaaS thanks to strong APIs and billing tools, while GoCardless is the UK specialist for Direct Debit and bank-to-bank payments. Adyen and Worldpay skew towards larger merchants and enterprise.

Airwallex's edge is combining gateway, processing, multi-currency business accounts, FX and payouts in one stack — which cuts out the hidden leakage you get from stacking multiple providers and repeated FX conversions.

Set up secure, global payment gateways quickly with Airwallex

If you've decided building a gateway isn't the best use of your engineering budget, Airwallex gives you a fast path that still scales internationally.

With Airwallex Payments and a Business Account, you can:

• Accept payments in 130+ currencies through 160+ local payment methods — cards, wallets, bank transfers

• Offer multi-currency checkout and like-for-like settlement, cutting FX leakage on cross-border sales

• Route most transactions over local payment rails for better speed and lower cost

• Use a PCI DSS Level 1-certified, FCA-regulated provider with tokenisation, encryption and fraud tools built in ⁴

• Move funds in 60+ currencies to 200+ countries — 93% of transfers arrive same-day

• Manage collections, FX, cards, expenses and payouts from one platform instead of stitching together multiple tools

For more advanced use cases, Airwallex's Platform APIs let you embed accounts, cards and payments into your own products without taking on the full gateway build and licensing burden yourself.

Frequently Asked Questions (FAQs)

How much does it cost to build a payment gateway?

ScienceSoft estimates £80,000–240,000+ for a custom gateway, depending on functionality and integration scope.² Akurateco's analysis suggests simple internal builds cost around £400,000, with complex enterprise solutions reaching £800,000+, once you factor in certifications, fraud tools and connectors.³

How long does it take to build a payment gateway?

ScienceSoft reports 6–11 months for a full custom gateway project, covering feasibility, design, development, integration, testing and deployment.² You can build an MVP faster, but adding multiple acquirers, payment methods and markets typically pushes timelines well beyond a year.

Can I build my own payment gateway for free?

No. While you can cut software licensing costs with open-source components, you still need to pay for infrastructure, engineering, PCI DSS assessments, security tools, fraud management and — where relevant — regulatory advice and FCA authorisation. Even lightweight gateways need sustained budget and ownership.

What is the difference between a payment gateway and a payment processor?

A payment gateway captures and encrypts customer payment details at checkout, then passes them to a payment processor or acquirer, which talks to card schemes and banks to authorise and settle the transaction. Airwallex, Stripe and Adyen provide both gateway and processing, while tools like GoCardless focus on bank-to-bank flows like Direct Debit.

Is it legal to start a payment processing company in the UK?

Yes, but you need to comply with the FCA's regime under the Payment Services Regulations 2017 and Electronic Money Regulations 2011.⁴ ⁵ Depending on your model, you may need authorisation or registration as a payment institution or e-money institution, meet capital and safeguarding requirements, and follow conduct and reporting rules.⁴ ⁵

How do I choose between building and buying a payment gateway?

Ask yourself:

• Is payments infrastructure core to our product and commercial strategy?

• Do we have the budget and time for a six-figure, multi-month build plus ongoing PCI DSS and regulatory work?

• Can we realistically improve on established providers' uptime, coverage and economics?

For most UK businesses, integrating with a provider like Airwallex, Stripe, GoCardless or Adyen is more cost-effective than building from scratch, especially once you account for FX, fraud and operational overheads.

Sources and references

1. Statista, Cross-border Ecommerce 2024 – cart abandonment statistics

2. ScienceSoft, Payment Gateway Development from A to Z – development timelines and cost ranges

3. Akurateco, How to Create a Payment Gateway: A Step-by-Step Guide – cost ranges and maintenance estimates

4. FCA, Payment Services and Electronic Money – Our Approach – PSRs 2017 and EMRs 2011 overview

5. FCA, PSD2 and Strong Customer Authentication guidance – SCA requirements

6. ICO, Guide to the UK GDPR – data-protection principles