Payment processing is the sequence of steps that moves money from a customer’s account to yours after a sale. For WooCommerce merchants, it runs invisibly in the background, until something breaks, a fee appears you didn’t expect, or a chargeback lands on a transaction you thought was settled.
This guide covers how payment processing actually works: who the players are, what each step does, how fees are structured, and what to look for when choosing a processor for your WooCommerce store.
Running a WooCommerce store? ConvesioPay is a certified Adyen partner that combines gateway, processor, and merchant account into a single WooCommerce-native integration, no minimum volume, no selective onboarding. Get started →
1. The Key Players in Payment Processing
Every card transaction involves at least four parties, each with a distinct role:
| Party | Role | Example |
|---|---|---|
| Cardholder | The customer making the purchase | Your customer |
| Merchant | The business selling goods or services | Your WooCommerce store |
| Issuing bank (issuer) | The bank that issued the customer’s card | Chase, Bank of America, Capital One |
| Acquiring bank (acquirer) | The bank or institution that holds the merchant’s funds | Adyen, Stripe, Wells Fargo |
Two additional layers sit between the merchant and the issuer:
- Payment gateway — encrypts and transmits transaction data from your store to the processor. In modern setups this is typically a hosted checkout widget or embedded form, not a separate vendor.
- Payment processor — routes the transaction between the acquirer and the card networks (Visa, Mastercard). In many cases, the processor and acquirer are the same entity or are bundled together.
Understanding these roles matters because each party takes a cut of every transaction — and how they’re bundled (or not) directly affects your effective processing rate.
2. How a Payment Transaction Works
A standard card transaction follows two distinct stages: authorization and settlement. These are often conflated, but they serve different functions and happen at different times.
Authorization (seconds)
- The customer enters card details at your WooCommerce checkout
- Your payment gateway encrypts the data and passes it to the processor
- The processor routes the request through the card network (Visa or Mastercard) to the issuing bank
- The issuing bank runs its checks: available balance, fraud signals, card status, velocity rules
- The bank returns an approval or decline code via the same chain
- Your store receives the result — funds are held on the customer’s card but have not moved
Settlement (1–2 business days)
- At end of day (or at a configured batch time), your processor sends authorized transactions to the acquirer
- The acquirer sends the batch through the card network to each relevant issuing bank
- Each issuer transfers the transaction amount minus interchange fees
- The acquirer deposits the net amount to your business bank account, minus their markup
Authorization confirms the money is there. Settlement is when it actually moves. The gap between the two is why you’ll see “pending” charges on your customers’ bank statements before the transaction fully clears.
3. Authorization, Capture, and Settlement: What’s the Difference
These three terms describe different stages of the same transaction and are frequently confused:
| Term | What it means | When it happens |
|---|---|---|
| Authorization | The issuer confirms funds are available and places a hold | At checkout |
| Capture | The merchant requests the held funds be collected | At fulfillment, or immediately |
| Settlement | Funds physically move from issuer to acquirer to merchant | 1–2 business days after capture |
Most WooCommerce stores authorize and capture simultaneously, the customer is charged at the moment of purchase. Merchants selling physical goods sometimes authorize at checkout and capture at shipment, only charging the customer when the order leaves the warehouse. This requires a processor that supports separate auth and capture flows.
Authorization holds typically expire after 7 days if not captured. If you’re seeing uncaptured authorizations aging out, it’s usually a webhook or fulfillment configuration issue, not a processor problem.
4. The Role of Card Networks
Visa, Mastercard, American Express, and Discover are card networks, not banks. They don’t issue cards or hold merchant funds. Their role is to:
- Set interchange rates — the baseline fee that goes to the issuing bank on every transaction
- Define the operating rules that processors, merchants, and issuers must follow
- Route authorization and settlement messages between acquirers and issuers
- Manage the dispute and chargeback process, including reason codes and response timeframes
American Express is the exception: it operates as both a card network and issuing bank for its branded cards, which is why Amex transactions have a different fee structure and dispute process.
Card network rules also define your chargeback liability. For card-not-present (online) transactions without 3D Secure authentication, dispute liability typically sits with the merchant. With 3DS active, that liability shifts to the card issuer on fraud-coded disputes — a meaningful protection for ecommerce stores. According to ConvesioPay Q1 2026 data, 3DS reduces chargeback rates by 81% across merchant accounts where it’s enabled.
5. What Merchants Actually Pay: The Fee Stack
Processing fees are not a single number — they’re a stack of charges from different parties, which is why your effective rate rarely matches the headline rate you were quoted.
| Fee type | Who receives it | Typical range |
|---|---|---|
| Interchange fee | Issuing bank | 1.5%–2.5% depending on card type and MCC |
| Assessment fee | Card network (Visa/Mastercard) | 0.13%–0.15% |
| Processor markup | Payment processor / acquirer | Varies significantly by pricing model |
The processor markup is where pricing models diverge significantly:
- Flat rate — a fixed percentage per transaction regardless of card type (e.g., 2.9% + $0.30). Predictable, but you pay the same rate on a low-cost debit card as on a high-interchange rewards card. Usually the most expensive model at volume.
- Interchange++ — actual interchange cost plus a fixed processor margin, stated separately. The most transparent model — you see exactly what the bank takes and what the processor takes. Typically lower overall cost for merchants processing above $50K/month.
- Tiered pricing — transactions bucketed into qualified, mid-qualified, and non-qualified tiers. The processor controls which tier each transaction falls into. The least transparent model; most merchants overpay without realizing it.
Card type matters enormously under interchange++ pricing. A standard Visa debit card carries a much lower interchange rate than a Visa Signature rewards card. Knowing your card mix — credit vs. debit vs. prepaid — helps you understand your true effective rate. According to ConvesioPay Q1 2026 data, the funding source mix across WooCommerce merchants is approximately 41% credit, 36% debit, and 22% prepaid.
6. Payment Gateway vs. Payment Processor vs. Merchant Account
These three components are often sold separately, sometimes bundled, and frequently confused with each other:
| Component | Function | Still needed separately? |
|---|---|---|
| Payment gateway | Encrypts and transmits transaction data to the processor | Rarely — usually bundled in modern setups |
| Payment processor | Routes transactions between the acquirer and card networks | Yes |
| Merchant account | A dedicated account that holds settled funds before transfer to your business bank | Not always — PayFac model aggregates this |
Traditional setups required three separate vendor relationships: a merchant account from a bank, a gateway contract, and a processor agreement. Modern payment facilitators (PayFacs) bundle all three — you get a single integration that handles gateway, processing, and the underlying merchant account infrastructure.
ConvesioPay operates as a certified Adyen partner using this model: one integration handles everything from the WooCommerce checkout widget through to payout. Merchants access Adyen’s fraud infrastructure, 3DS routing, and payment network — the same infrastructure used by Uber, eBay, and Airbnb — without needing to qualify for a direct Adyen account.
7. Online vs. In-Person Payment Processing
The same authorization and settlement flow applies whether a customer taps a card in person or enters details online. But the fraud risk profile — and by extension the fees and liability — differs significantly:
| Factor | Card-Present (in-person) | Card-Not-Present (online) |
|---|---|---|
| Fraud risk | Lower — chip and PIN or contactless verification | Higher — no physical card present |
| Interchange rates | Lower | Higher |
| Chargeback liability | Typically the issuer | Typically the merchant (without 3DS) |
| Authentication tools | EMV chip, contactless NFC | CVV, AVS, 3D Secure 2.0 |
For WooCommerce merchants operating entirely online, card-not-present (CNP) fraud prevention becomes one of the most important factors in processor selection. Fraudulent transactions that complete authorization successfully still result in chargebacks — and without the right tooling, merchants pay both the lost revenue and the dispute fees. See ConvesioPay’s advanced fraud rules for how rule-based fraud controls work in practice.
8. Fraud Patterns and When They Happen
Fraud doesn’t distribute evenly across the day. ConvesioPay Q1 2026 data from approximately one million analyzed transactions identifies 2 AM – 4 AM EST as the primary window for credential-testing activity — automated scripts running stolen card numbers against low-friction checkouts to identify valid cards before using them for larger purchases.
Velocity controls and rate limiting during this window are a baseline protection. More sophisticated processors apply machine learning models that flag behavioral anomalies regardless of time of day, unusual device fingerprints, mismatched billing and shipping geographies, and card details appearing across multiple accounts.
Understanding that fraud is a pattern problem, not just a transaction problem, changes how you evaluate processors. A processor that surfaces fraud data and lets you build rules around it is categorically different from one that just declines transactions reactively.
9. What WooCommerce Merchants Should Look for in a Processor
Beyond basic card acceptance, a payment processor for a WooCommerce store needs to support the operational realities of running an online store:
- Hosted or embedded checkout — reduces your PCI DSS scope by keeping card data off your server. A hosted checkout widget (like ConvesioPay’s) means you’re likely in SAQ A territory, the lowest compliance burden for ecommerce merchants.
- Subscription and recurring billing — native support for WooCommerce Subscriptions, including dunning management for failed payments and automatic card updating.
- Multiple payment methods — cards, Apple Pay, Google Pay, and buy-now-pay-later options. Apple Pay represented 13.7% of all settled transactions on the ConvesioPay network in Q1 2026, merchants not offering it are leaving a meaningful share of mobile conversions on the table.
- Built-in fraud tooling — not a third-party add-on, but native rules you can configure around your specific order patterns.
- Transparent pricing — ideally interchange++ so you can see exactly what you’re paying and to whom.
- Human support — when a payment integration breaks at 11 PM on a Friday before a sale, automated email queues are not adequate.
ConvesioPay is built specifically for this use case, a WooCommerce-native integration running on Adyen’s payment infrastructure, with interchange++ pricing, built-in 3DS, Apple Pay optimization at product page, cart, and checkout, and direct support from Convesio’s team from integration through to payout.
For merchants currently on Stripe or PayPal who are scaling past the point where flat-rate pricing and automated support are adequate, see how chargeback dispute responses work and what fraud rule configuration looks like in practice before evaluating a switch.
Based on anonymized, aggregated transaction data from ConvesioPay merchants processed in Q1 2026 (January 1 – March 31, 2026). No individual customer, card, store, or order data is included or identifiable.