ArchGen

Secure Payment Gateway Architecture

Focus: Tokenization -> Fraud/Risk -> Core Processing -> Card Networks/Acquirers -> Settlement & GL. Key areas: Web/Mobile SDK, PCI SAQ A/A-EP pattern, 3DS 2....

Use this as a block diagram of the system when explaining architecture.

Preview
Edit this example
Diagram caption: Secure Payment Gateway Architecture (Tokenization -> Fraud/Risk -> Core Processing -> Card Networks/Acquirers -> Settlem has 5 layers: Client & Merchant Integration Layer, Edge & Security Gateway Layer, Risk & Decisioning Layer, Core Payment Processing Layer, External Payment Rails (Networks & Banks).

Prompt

Secure Payment Gateway architecture showing the end-to-end transaction flow. The diagram should start with the Client Checkout UI using a Tokenization SDK to encrypt card data. Follow the request to the API Gateway, passing through a Fraud Detection Engine and Risk Service. The Core Payment Processor then routes the transaction to external Card Networks (Visa/Mastercard) and Acquiring Banks. Include a side-car process for the Settlement and Reconciliation System interacting with the General Ledger.
Highlights
  • Layer details · Edge & Security Gateway Layer: Modules include API Gateway, Secrets & Key Management, Compliance & Audit Controls.
  • Layer details · Client & Merchant Integration Layer: Modules include Client Checkout UI, Tokenization SDK (Client-Side Encryption), Merchant Backend (Optional).
  • Module responsibilities · Client & Merchant Integration Layer / Client Checkout UI: Collect payment intent and checkout context; Invoke tokenization to avoid raw PAN handling; Handle step-up authentication flows when required

Overview

Secure Payment Gateway Architecture (Tokenization -> Fraud/Risk -> Core Processing -> Card Networks/Acquirers -> Settlem has 5 layers: Client & Merchant Integration Layer, Edge & Security Gateway Layer, Risk & Decisioning Layer, Core Payment Processing Layer, External Payment Rails (Networks & Banks).

Layer details

Show all (5)
  • Client & Merchant Integration Layer: Modules include Client Checkout UI, Tokenization SDK (Client-Side Encryption), Merchant Backend (Optional).
  • Edge & Security Gateway Layer: Modules include API Gateway, Secrets & Key Management, Compliance & Audit Controls.
  • Risk & Decisioning Layer: Modules include Fraud Detection Engine, Risk Service (Policy & Controls), Token Vault / Card Alias Store.
  • Core Payment Processing Layer: Modules include Core Payment Processor, Routing & Network Adapter Service, Transaction Event Store.
  • External Payment Rails (Networks & Banks): Modules include Card Networks, Acquiring Banks / PSP Acquirers.

Module responsibilities

Show all (14)
  • Client & Merchant Integration Layer / Client Checkout UI: Collect payment intent and checkout context; Invoke tokenization to avoid raw PAN handling; Handle step-up authentication flows when required
  • Client & Merchant Integration Layer / Tokenization SDK (Client-Side Encryption): Encrypt cardholder data before transmission; Produce a single-use payment token (nonce); Minimize PCI scope for merchant systems
  • Client & Merchant Integration Layer / Merchant Backend (Optional): Create and manage orders and payment intents; Forward tokenized payment requests to gateway APIs; Handle async payment status webhooks
  • Edge & Security Gateway Layer / API Gateway: Provide a single secured entry point for payment APIs; Protect backend services and enforce policies; Route requests to fraud/risk and core processing
  • Edge & Security Gateway Layer / Secrets & Key Management: Secure cryptographic keys for tokenization and vaulting; Support rotation and access controls; Provide auditable cryptographic operations
  • Edge & Security Gateway Layer / Compliance & Audit Controls: Ensure compliance posture for payments; Maintain traceable auditability of transaction actions; Prevent sensitive data leakage
  • Risk & Decisioning Layer / Fraud Detection Engine: Score transactions for fraud likelihood; Block/flag suspicious payment attempts; Return risk signals to core processor
  • Risk & Decisioning Layer / Risk Service (Policy & Controls): Apply merchant and regulatory policies; Determine whether to require step-up auth (3DS); Provide allow/deny/verify decisions
  • Risk & Decisioning Layer / Token Vault / Card Alias Store: Securely store token mappings and card aliases; Support recurring/merchant-initiated payments (optional); Provide de-tokenization only within PCI boundary
  • Core Payment Processing Layer / Core Payment Processor: Orchestrate the end-to-end payment transaction; Invoke risk decisions and enforce outcomes; Route transactions to the correct network/acquirer
  • Core Payment Processing Layer / Routing & Network Adapter Service: Translate internal requests to network-specific protocols; Select optimal route to acquirers/networks; Provide resiliency and fallback routing
  • Core Payment Processing Layer / Transaction Event Store: Persist authoritative events for every payment action; Enable replayable processing for settlement systems; Support traceability and dispute investigation
  • External Payment Rails (Networks & Banks) / Card Networks: Route authorization messages to issuers; Enforce network-level rules; Provide settlement files and dispute mechanisms
  • External Payment Rails (Networks & Banks) / Acquiring Banks / PSP Acquirers: Acquire transactions on behalf of merchants; Connect to networks and handle clearing/settlement; Provide funding and reporting to gateway

Key flows

Show all (3)
  • Tokenization and secure intake: the Client Checkout UI uses a Tokenization SDK to encrypt card data and obtain a single-use payment token; only token + non-sensitive metadata is sent to the API Gateway over TLS, reducing merchant PCI scope and preventing raw PAN exposure.
  • Risk decisioning and authorization: the API Gateway routes the tokenized request through the Fraud Detection Engine and Risk Service to produce allow/deny/step-up signals; the Core Payment Processor de-tokenizes within the PCI boundary (via Token Vault) and routes authorization to external Card Networks (Visa/Mastercar
  • Settlement and accounting sidecar: transaction events are emitted to an event stream and consumed by the Settlement & Reconciliation Sidecar, which matches gateway events with acquirer/network settlement reports, computes fees/net amounts, and posts journal entries to the General Ledger for audit-ready financial record