Professional Payment Gateway Development - PCI DSS 4.0 Services

PCI DSS (Payment Card Industry Data Security Standard) 4.0 became mandatory in March 2025, replacing version 3.2.1. Key changes affecting web payment integration: new requirement to verify that all scripts loaded in the payment page are authorized and their integrity maintained (relevant to Magecart/JS skimming attacks); new requirement to manage all payment page scripts via an inventory; and updated requirements for secure coding and vulnerability management. The most important architecture decision for compliance scope: using hosted payment fields (Stripe Elements, Razorpay Standard) keeps your application in PCI SAQ A scope — the lightest compliance tier. Custom card form implementations require SAQ A-EP or full SAQ D, which involves 200+ controls vs. SAQ A's 22.

For India-primary businesses: Razorpay or PayU. They provide UPI (non-negotiable for Indian checkout), UPI AutoPay for subscriptions, netbanking, EMI, Indian wallets, and domestic settlement in INR. Stripe does support UPI and Indian payment methods but with less coverage and higher fees than domestic processors. For India + international businesses: Stripe for international traffic (card, Apple Pay, Google Pay, SEPA, etc.) alongside Razorpay for Indian traffic via routing logic based on customer geography. Most serious Indian businesses use both. For pure international (US/EU) applications with no India traffic: Stripe or Adyen.

UPI AutoPay (also called e-NACH via UPI) allows merchants to collect recurring payments from customer UPI IDs on a scheduled basis without requiring customer action each time — similar to SEPA Direct Debit or ACH recurring. Setup flow: customer registers a mandate (one-time approval via UPI PIN), specifying the merchant, maximum amount, and frequency. Subsequent debits up to the mandated amount execute automatically on the specified schedule without customer interaction. RBI mandates: transactions above ₹15,000 require additional authentication for each debit; below ₹15,000 can be auto-debited. For SaaS subscriptions, UPI AutoPay mandates significantly reduce churn from customers who would otherwise miss manual renewal payments.

SCA is a European PSD2 requirement mandating two-factor authentication for card transactions above €30 initiated online. In practice, SCA triggers a 3DS2 authentication challenge — the card issuer presents an in-app push notification or OTP to the cardholder. Without proper SCA implementation, card issuers decline soft-declined transactions, creating payment failures. Stripe's Payment Intents API handles SCA automatically: it requests authentication when required, applies regulatory exemptions (low-value transactions under €30, low-risk transactions the issuer approves) to avoid unnecessary challenges, and surfaces the authentication UI when it cannot be avoided. Correctly implemented, SCA adds minimal friction; poorly implemented (not using Payment Intents, or handling the authentication_required error incorrectly), it creates 10–25% conversion loss on European transactions.

Buy Now Pay Later allows customers to pay in installments (typically 3–4 payments over 6 weeks) with no interest on the consumer side — the merchant pays a higher processing fee (typically 2–8%) vs card (1.5–3%). BNPL significantly increases conversion for mid-to-high value purchases (typically orders over $50/₹2,500). Provider selection by market: US — Affirm (large purchases, BNPL up to $17,500), Klarna (widespread consumer recognition), Afterpay/Clearpay (fashion focus). India — Simpl (widest merchant acceptance, no-cost EMI focus), LazyPay (Paytm-affiliated, strong mobile penetration), ZestMoney (credit-first for users without credit cards), Bajaj EMI (hardware/electronics). Integration via Stripe Financial Connections for US/Europe; Razorpay for Indian BNPL providers. Display BNPL at cart and checkout, not just checkout — showing installment options early reduces abandonment before checkout is even reached.

Stripe Connect enables payment platforms where funds flow between customers and third-party sellers through your platform. Three account types: Standard (sellers manage their own Stripe accounts, limited platform customization), Express (Stripe-managed dashboard for sellers, platform controls payout schedule), and Custom (fully white-labeled, platform manages entire seller experience, maximum complexity). For most marketplaces, Express balances control and complexity. Key flows: platform charges buyer → holds funds → releases to seller minus platform fee on delivery confirmation; escrow periods; dispute mediation. Sellers must complete Stripe KYC (identity, bank account). US sellers automatically receive 1099-K for earnings over IRS threshold. International payouts require currency handling per seller location.

Three implementation approaches: (1) Coinbase Commerce — merchants accept Bitcoin, Ethereum, USDC, and other cryptos; Coinbase handles custody and conversion; funds settle to your bank account in fiat or remain as crypto; easiest integration. (2) Stripe's crypto on-ramp — lets users buy crypto with a card within your app to then use for payments; useful when users want to transact on-chain but hold fiat. (3) Direct on-chain payment detection — your backend monitors specific wallet addresses for incoming transactions; works without third-party custody but requires managing confirmation thresholds, volatility risk, and blockchain monitoring infrastructure. For most businesses, Coinbase Commerce provides sufficient crypto acceptance functionality without operational complexity. USDC stablecoin acceptance is often preferred over volatile crypto to eliminate exchange rate risk on the merchant side.

Dunning is the process of recovering failed subscription renewals — retrying declined payments on a schedule, notifying customers about payment failures, and managing access restriction during the grace period. Payment failures are not always permanent — 'insufficient funds' may succeed 3 days later when the customer gets paid; 'do not honor' may succeed with a different retry time. Smart dunning (scheduling retries based on failure reason code rather than fixed intervals) recovers 30–50% more failed payments than naive 24-hour retry. Email notification sequences alerting customers to update their payment method recover another significant fraction. Stripe Billing's smart retries use ML to determine optimal retry timing. Combined, smart dunning and proactive card expiry management are the highest-ROI actions a SaaS business can take on payment infrastructure after basic integration.

A single payment provider (Stripe or Razorpay) for one-time payments with basic compliance takes 2–3 weeks. Full checkout with multiple methods (card + UPI + BNPL + wallets + Apple/Google Pay) takes 4–6 weeks. Subscription billing with dunning management and webhook lifecycle handling adds 3–4 weeks. Marketplace payments with Stripe Connect adds 4–6 weeks for seller onboarding and split payout flows. International multi-provider routing (Stripe for international + Razorpay for India) takes 5–7 weeks total. Payment testing is disproportionately time-consuming — every failure mode and edge case needs explicit test coverage before real transactions go through.

A complete Code24x7 payment engagement includes: payment architecture design (provider selection, compliance scope, payment method matrix), checkout UI implementation (hosted fields for PCI compliance, payment method coverage, mobile UX), Payment Intents API integration with SCA handling, webhook infrastructure with idempotency and signature verification, subscription billing and dunning if required, marketplace split payments if applicable, automated reconciliation pipeline, PCI DSS compliance documentation (SAQ A completion, CSP configuration), payment analytics dashboard, and 30-day post-launch support. All code delivered as part of your application codebase — payment logic is your code, not a black box. Security review of payment flows included.