Choose the gateway around the business model
Compare supported payment methods, settlement timing, refund tools, international support, subscription requirements, documentation and support quality. The most popular provider is not automatically the best fit for every business.
Check whether the business needs cards, UPI, net banking, wallets, COD, subscriptions or marketplace-style split settlements.
Complete KYC and account preparation early
Gateway approval can take time and may require business documents, bank details, website policies, product information and contact details. Start KYC before the final launch window.
Use accounts owned by the business rather than a developer so access and settlements remain under client control.
Create orders securely on the server
Sensitive keys should never be exposed in browser JavaScript. The server should create the payment order using the verified cart total, currency and internal order reference.
The customer-facing amount must match the amount stored by the business system. Do not trust totals sent directly from the browser.
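The server-side order creation described above, as an added example (not code from the original page or from any particular gateway): the total is recomputed from a server-held catalogue, the browser-submitted total is used only as a consistency check, and the gateway call is a hypothetical stand-in for the provider SDK. The catalogue, prices, secret value and `gateway_create_order` function are constructed for this illustration.

```python
import secrets
import uuid
from dataclasses import dataclass
from typing import Dict

# Constructed catalogue: unit prices in minor units (paise). In a real system this
# is the business database, which the browser never gets to set.
CATALOGUE: Dict[str, int] = {
    "sku-tea-250g": 24900,   # 249.00 INR
    "sku-mug": 39900,        # 399.00 INR
}

# Assumption: the gateway secret is loaded from the environment or a secret store on
# the server; this placeholder never reaches the browser.
GATEWAY_KEY_SECRET = "placeholder-server-only-secret"


class AmountMismatch(Exception):
    """The total the customer was shown disagrees with the server's own calculation."""


@dataclass(frozen=True)
class PaymentOrder:
    internal_ref: str        # the business system's own order reference
    amount_minor: int        # amount actually sent to the gateway
    currency: str
    gateway_order_id: str    # identifier returned by the gateway, kept for reconciliation


def compute_cart_total(cart: Dict[str, int]) -> int:
    """Total the cart from the server catalogue. Unknown SKUs or bad quantities are rejected."""
    total = 0
    for sku, qty in cart.items():
        if sku not in CATALOGUE:
            raise ValueError(f"unknown sku {sku!r}")
        if type(qty) is not int or qty <= 0:
            raise ValueError(f"invalid quantity for {sku!r}")
        total += CATALOGUE[sku] * qty
    return total


def gateway_create_order(amount_minor: int, currency: str, receipt: str) -> str:
    """Hypothetical stand-in for the provider SDK's create-order call.

    A real implementation would authenticate with GATEWAY_KEY_SECRET over HTTPS and
    return the provider's order id; here an id is fabricated so the flow runs offline.
    """
    assert GATEWAY_KEY_SECRET  # the credential is available server-side only
    return "order_" + secrets.token_hex(8)


def create_payment_order(cart: Dict[str, int], displayed_total_minor: int,
                         currency: str = "INR") -> PaymentOrder:
    """Create the gateway order from server-verified data.

    The browser may send the total it displayed, but it is used only as a consistency
    check: if it differs from the server total, the request is refused, not honoured.
    """
    server_total = compute_cart_total(cart)
    if displayed_total_minor != server_total:
        raise AmountMismatch(f"browser sent {displayed_total_minor}, server computed {server_total}")
    internal_ref = "ord-" + uuid.uuid4().hex[:12]
    gateway_order_id = gateway_create_order(server_total, currency, internal_ref)
    # Persist internal_ref, server_total, currency and gateway_order_id before returning,
    # so the later signature and webhook checks compare against stored values.
    return PaymentOrder(internal_ref, server_total, currency, gateway_order_id)
```

The browser-supplied total is deliberately kept as an input: a mismatch is worth logging, because it usually means a stale page, a pricing change mid-checkout, or tampering, and each of those deserves a refusal rather than a silent correction.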
Verify signatures and webhooks
A successful screen in the browser is not enough. Verify payment signatures and process authenticated webhooks so the order status remains accurate even if the customer closes the tab.
Webhook processing should be idempotent so duplicate events do not create duplicate updates.
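Signature verification and idempotent webhook handling, as an added example that is not part of the original page: the signing scheme assumed here (HMAC-SHA256 over `gateway_order_id|payment_id` for the checkout result, and over the raw webhook body for webhooks, both hex-encoded) is a common pattern but varies by provider, so check the gateway's documentation. Secrets, event shapes and the `sign_checkout` / `make_signed_webhook` helpers are constructed for the illustration; in production the gateway produces those signatures.

```python
import hashlib
import hmac
import json
from typing import Dict, Set, Tuple

# Assumed signing scheme (providers differ; check your gateway's documentation):
#   checkout result: HMAC-SHA256(key_secret, "<gateway_order_id>|<payment_id>") as hex
#   webhook:         HMAC-SHA256(webhook_secret, <raw request body>) as hex, sent in a header
# Both secrets are placeholders and live only on the server.


def verify_checkout_signature(key_secret: str, gateway_order_id: str,
                              payment_id: str, signature: str) -> bool:
    """Recompute the expected signature and compare in constant time."""
    msg = f"{gateway_order_id}|{payment_id}".encode()
    expected = hmac.new(key_secret.encode(), msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def verify_webhook_signature(webhook_secret: str, raw_body: bytes, signature: str) -> bool:
    """Verify over the raw bytes, not a re-serialised JSON object, or the digest will not match."""
    expected = hmac.new(webhook_secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


class WebhookProcessor:
    """Applies authenticated webhook events exactly once per event id."""

    def __init__(self, webhook_secret: str) -> None:
        self.webhook_secret = webhook_secret
        self.seen_event_ids: Set[str] = set()      # production: a table with a unique constraint
        self.payment_status: Dict[str, str] = {}   # internal order ref -> payment status

    def handle(self, raw_body: bytes, signature: str) -> str:
        if not verify_webhook_signature(self.webhook_secret, raw_body, signature):
            return "rejected"            # unauthenticated: do not even parse the body
        event = json.loads(raw_body)
        event_id = event["event_id"]
        if event_id in self.seen_event_ids:
            return "duplicate"           # redelivery: acknowledge, change nothing
        self.seen_event_ids.add(event_id)
        ref = event["order_ref"]
        if event["type"] == "payment.captured":
            self.payment_status[ref] = "paid"
        elif event["type"] == "payment.failed":
            # a failure that arrives after a capture (out-of-order delivery) must not undo it
            if self.payment_status.get(ref) != "paid":
                self.payment_status[ref] = "failed"
        return "processed"


# --- helpers that play the gateway's role, used only to construct sample data ---

def sign_checkout(key_secret: str, gateway_order_id: str, payment_id: str) -> str:
    msg = f"{gateway_order_id}|{payment_id}".encode()
    return hmac.new(key_secret.encode(), msg, hashlib.sha256).hexdigest()


def make_signed_webhook(webhook_secret: str, event: dict) -> Tuple[bytes, str]:
    body = json.dumps(event, separators=(",", ":")).encode()
    return body, hmac.new(webhook_secret.encode(), body, hashlib.sha256).hexdigest()
```

Two details matter in practice: the webhook body must be verified as the exact bytes received (web frameworks that parse JSON before the handler runs can make this awkward), and the event-id dedupe must be durable and atomic, otherwise two workers receiving the same redelivery can both pass the `in seen_event_ids` check.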
Design clear order and payment statuses
Separate order status from payment status. Pending, authorised, paid, failed, refunded and partially refunded are different conditions that may require different staff actions.
Customers should receive a clear message when payment fails or remains pending, without accidentally creating multiple paid orders.
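The separated order and payment statuses described above, as an added example rather than code from the original page: a small transition table decides which payment-status changes the server accepts, a second mapping derives the order status and flags cases that need staff attention, and repeating a status (a duplicate click or a redelivered event) is a no-op, so one order can never be marked paid twice. The status names follow the page; the order statuses, the staff-review flags and the customer messages are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Payment statuses the page lists, with the transitions the server will accept.
# "partially_refunded" may repeat (several partial refunds against one payment).
PAYMENT_TRANSITIONS: Dict[str, Set[str]] = {
    "pending": {"authorised", "paid", "failed"},
    "authorised": {"paid", "failed"},
    "paid": {"refunded", "partially_refunded"},
    "partially_refunded": {"refunded", "partially_refunded"},
    "failed": set(),
    "refunded": set(),
}

# What each payment status means for the separate order status, and whether a
# staff member should look at the order. (Constructed mapping for this example.)
ORDER_EFFECT: Dict[str, Tuple[str, bool]] = {
    "paid": ("confirmed", False),
    "failed": ("awaiting_payment", False),     # customer may retry; no new order is created
    "partially_refunded": ("confirmed", True),
    "refunded": ("cancelled", True),
}

CUSTOMER_MESSAGES: Dict[str, str] = {
    "pending": "Your payment is being confirmed. Please do not pay again; we will email you shortly.",
    "authorised": "Your payment is authorised and will be confirmed shortly.",
    "paid": "Payment received. Your order is confirmed.",
    "failed": "Your payment did not go through. No money was taken; you can try again.",
    "partially_refunded": "A partial refund has been issued to your original payment method.",
    "refunded": "Your payment has been refunded in full.",
}


class InvalidTransition(Exception):
    pass


@dataclass
class Order:
    ref: str
    order_status: str = "awaiting_payment"
    payment_status: str = "pending"
    needs_staff_review: bool = False
    history: List[Tuple[str, str]] = field(default_factory=list)  # (payment_status, gateway id)


def apply_payment_status(order: Order, new_status: str, gateway_id: str) -> bool:
    """Move the order's payment status; returns False when the update was a no-op.

    Repeating a status (for example a second "paid" from a duplicate click or a
    redelivered webhook) changes nothing, so one order cannot become "paid" twice.
    """
    if new_status == order.payment_status and new_status != "partially_refunded":
        return False
    if new_status not in PAYMENT_TRANSITIONS[order.payment_status]:
        raise InvalidTransition(f"{order.ref}: {order.payment_status} -> {new_status}")
    order.payment_status = new_status
    order.history.append((new_status, gateway_id))   # gateway id kept for reconciliation
    if new_status in ORDER_EFFECT:
        order.order_status, review = ORDER_EFFECT[new_status]
        order.needs_staff_review = order.needs_staff_review or review
    return True


def customer_message(order: Order) -> str:
    """The message shown to the customer is derived from payment status, not guessed in the browser."""
    return CUSTOMER_MESSAGES[order.payment_status]
```

Rejecting an invalid transition (for instance "paid" back to "pending") rather than silently applying it is the point: an unexpected sequence of events is exactly the kind of thing reconciliation later needs to find, and an exception with the order reference in it is what makes that possible.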
Test refunds, failures and edge cases
Test successful payments, failed payments, cancelled payments, timeouts, duplicate clicks, delayed webhooks and refunds. Use the provider test environment before live credentials.
Record gateway IDs and timestamps needed for support and reconciliation.
Prepare production security and monitoring
Restrict secrets, use HTTPS, validate requests, log important events without storing sensitive payment data and review dependency updates.
After launch, monitor payment failures, webhook errors and reconciliation differences.
Practical checklist
- Gateway account and KYC belong to the business
- Server-side order creation is implemented
- Secrets are stored outside public code
- Signature and webhook verification are enabled
- Order and payment statuses are separated
- Failure, timeout and refund flows are tested
- Production logs and reconciliation references are available
Common questions
Secret keys should not be exposed in public browser code. Sensitive gateway operations must be handled securely on the server.
The customer may close the page or lose connectivity. Authenticated webhooks let the server receive the final payment event independently.
Many Indian gateways support multiple methods, but the exact availability depends on the provider account, approval and product configuration.
The business receiving settlements should normally own and control the gateway account, bank details and administrative access.