Ship in weeks, not years
The engineering effort to build a payment gateway from scratch is real — 12+ months of dedicated work before the first live authorisation. Using topropay collapses the time-to-first-payment to weeks pending KYB.
Build vs buy · 18 months faster
A serious in-house payment gateway needs PCI DSS Level 1, per-acquirer integrations, scheme rule tracking, a routing engine, reconciliation across settlement files, and a dispute queue. topropay ships all of that as a platform — one API in front of the connected provider panel. Build the buyer flow, not the plumbing.
What a real build actually contains
Six major work streams that every serious in-house payment gateway build has to deliver. Each one is a multi-quarter engineering effort in its own right.
Build vs buy
Six axes that tend to flip between an in-house build and topropay as the orchestration layer.
Key benefits
Four properties that show up the moment a merchant compares the DIY build effort to the reality of running on an existing orchestration layer.
The engineering effort to build a payment gateway from scratch is real — 12+ months of dedicated work before the first live authorisation. Using topropay collapses the time-to-first-payment to weeks pending KYB.
The parts that actually differentiate the merchant's product — checkout UX, buyer flow, invoicing, receipts — stay in the merchant's codebase. The rails, routing, vault and reconciliation live on the platform.
Instead of the merchant's own engineering team carrying PCI DSS Level 1 scope, sub-merchants inherit topropay's posture. The SAQ scope drops to SAQ A for hosted-checkout, SAQ A-EP for embedded hosted-fields.
Adding a new connected acquirer or PSP on the DIY path is a fresh integration project. On topropay it's a routing-policy change — the merchant's checkout code doesn't move.
How building a payment platform on topropay works
What actually happens between the decision to skip (or partly skip) the DIY build and the first authorisation clearing on topropay.
Whether the merchant has an in-progress build or hasn't started yet, the first step is scoping what parts of a payment gateway they'd actually need — for their vertical, geography and buyer mix.
KYB and underwriting through the topropay dashboard. Most merchants are approved in a few business days; longer for high-risk verticals or complex ownership structures.
One integration against topropay's REST API replaces per-acquirer integrations. Hosted checkout, embedded hosted-fields or low-level SDK — pick the shape that fits the merchant's UX and PCI scope preference.
Per-BIN, per-currency and per-country routing rules rank the connected providers for each authorisation; weights are dashboard-editable and the merchant can override any lane.
Sandbox testing, phased traffic cutover, and per-lane telemetry once live. Routing weights, method mix and integration shape all iterate without re-deploying the merchant's checkout.
Main use cases
Six merchant / PSP shapes where the analysis of building a payment gateway versus using topropay tends to flip decisively toward the platform.
A PSP considering building their own payment gateway can white-label topropay's platform and expose it to downstream merchants — the same unified API, per-merchant routing policies and reseller-branded dashboard.
Instead of building a gateway to power seller payouts and buyer collections, the platform integrates topropay's orchestration layer with per-seller routing policies.
SaaS companies building embedded-payments features skip the PCI L1 and per-acquirer integration effort by riding topropay's platform; monetisation on top of authorisation is fully in the SaaS's hands.
B2B software with invoicing, payouts and multi-currency needs uses topropay's rails so its own engineering focuses on domain logic, not payment scheme rule updates.
DTC brands whose original single-gateway integration is starting to constrain them use topropay to add lanes without re-integrating from scratch.
Merchants in licensed regulated verticals (subscription, ticketing, travel, licensed gaming) get vertical-tuned routing and chargeback tooling without building it themselves.
Platform features
Twelve platform capabilities the merchant would otherwise need to build from scratch. Each is production-grade on day one.
One authorisation endpoint replaces per-acquirer integrations; SDKs for web, mobile and server.
Three integration shapes on the same back-end — picked per merchant's PCI and UI constraints.
Card data captures into the platform vault; PAN never lands on the merchant origin.
Per-BIN, per-currency and per-country scoring across the connected panel; dashboard-editable weights.
Soft declines cascade to the next ranked provider inside the same authorisation — the buyer sees one decision.
VTS and MDES tokens by default; scheme updaters keep saved credentials alive across re-issuance.
Selective challenges per PSD2 exemption logic; frictionless flows pass through.
One queue across providers; evidence-pack templates per vertical; automated representment for select scheme types.
Settlements, fees, refunds and chargebacks normalised into one ledger tagged by provider, scheme and currency.
Refunds require justification; every refund logged with actor identity, reason and timestamp.
PSPs can configure independent routing weights per downstream merchant — reseller-native.
Signed lifecycle events; replay-safe IDs; per-acquirer settlement notifications normalise into one event stream.
Trust & compliance
One audited environment underpins every merchant on the platform. What a DIY build would need to certify and maintain independently, sub-merchants inherit here.
Ready to skip the 18-month build
A 30-minute build-vs-buy review scopes what a serious in-house gateway would need for your merchant / PSP shape, and what shifts to topropay. Sandbox access follows before any commercial commitment.
Frequently asked
Scope, hybrid setups, migration options, TCO comparison and the practicalities of build-vs-buy for merchants and PSPs.
Building a payment gateway from scratch is a valid path for very-large-scale merchants and financial institutions that need bespoke behaviour the market doesn't offer. For most merchants and PSPs the effort — PCI DSS Level 1, per-acquirer integrations, scheme rule tracking, routing engine, reconciliation, dispute queue — is 12–36 months of engineering work before the first live authorisation. topropay collapses that into an integration against one API.
Building payment gateway effort typically breaks into: (1) PCI DSS Level 1 posture (vault, HSM, ASV scans, QSA), (2) per-acquirer integrations (ISO 8583 / 20022, capture, refund, dispute), (3) scheme rule tracking (Visa / Mastercard programme releases, EMV 3DS2, network tokens), (4) routing / cascade engine, (5) reconciliation across settlement files, (6) operator surface (dashboard, refund controls, dispute queue, audit log).
Building a payment system is broader — it includes the gateway plus the wider fabric around it: KYB / KYC, merchant onboarding, sub-merchant model, ledger / accounting integration, payouts and, for some merchants, in-person acceptance. topropay covers the gateway layer plus most of the surrounding system; the merchant's own product covers the buyer-facing surface.
Building a payment platform is aggregator-scale work: sub-merchant onboarding, KYB pipelines, per-merchant routing policies, reseller / PSP hierarchy, per-merchant reconciliation and dispute queues, and reseller-branded dashboards. topropay's PSP-facing configuration provides most of this out of the box, letting a reseller focus on their merchant relationship rather than the platform plumbing.
Merchants set on building your own payment gateway sometimes end up using topropay for the parts they don't want to build (the vault, cross-acquirer routing, reconciliation feed) while keeping their own bespoke checkout and buyer flow. The unified API is designed to be composable, not all-or-nothing.
Yes. Hybrid setups are common: a merchant might run their own direct-MID card acquiring through their in-house gateway and use topropay for the alternative-payment-methods, ACH / SEPA rails, or the crypto side. The reconciliation feed can be configured to normalise topropay-side receipts into the merchant's own ledger.
A DIY routing engine typically starts as static BIN-to-acquirer rules and grows into a scoring engine over years as the merchant discovers edge cases. topropay's engine ships with per-BIN, per-currency, per-country, risk-signal and dispute-programme scoring on day one, plus dashboard-editable weights and per-merchant overrides — the state of the art rather than a v1 implementation.
No. Network tokens via Visa Token Service (VTS) and Mastercard Digital Enablement Service (MDES) are provisioned by topropay at first authorisation; scheme updaters keep the tokens alive across card re-issuance. The merchant's code doesn't need to know how the tokens are managed — the vault handles it.
That phrasing is unrelated to payments-industry gateways — it refers to portable-buildings (modular structures / sheds / cabins) manufacturers taking online payments for their products. If a portable-buildings merchant wants to accept payments on their website, topropay's standard online acceptance flow works exactly the same as for any DTC merchant; the 'gateway' in that context is the payments gateway on the storefront, not a bespoke build.
Merchant data on topropay is isolated per merchant record; the platform vault holds card tokens rather than PAN; every dashboard action is logged with actor identity and timestamp. Cross-merchant data isolation is enforced at the API and database layer. A DIY build has to design and implement all of this from scratch.
Yes. topropay's unified API and vault token format are designed to be portable. If a merchant reaches a scale where a bespoke build is justified, vault tokens can be migrated to a merchant-owned vault, and per-provider settlement files can be delivered directly. The platform doesn't lock in the merchant to a proprietary format.
No. topropay's connected panel includes acquirers that serve licensed high-risk verticals (subscription, ticketing, travel, licensed gaming); vertical-tuned routing weights and dispute programme monitoring come with the platform. The merchant doesn't need to build a separate high-risk gateway.
Visa and Mastercard release scheme rule updates on a regular cadence (typically twice yearly). topropay tracks and implements these platform-side; merchants inherit the updates without engineering effort. A DIY build has to allocate engineering time to every scheme release.
TCO for a DIY build typically breaks down into: dedicated engineering team (5–15 headcount ongoing), compliance operations (2–4 headcount plus annual QSA and ASV costs), HSM and key management infrastructure, ongoing scheme rule work, plus the multi-year opportunity cost of not building product features. topropay replaces most of this with a per-transaction platform contract.
topropay handles the vault, tokenisation, routing, cascade, reconciliation, dispute queue, PCI L1 posture and connected provider panel. The merchant handles their own checkout UX, buyer identity, product catalogue, order management and any bespoke commercial logic. The API surface is designed so the merchant never has to touch scheme-level details.
Related