Build vs buy · 18 months faster

Building a payment gateway is 18–36 months of engineering. Or one integration.

A serious in-house payment gateway needs PCI DSS Level 1, per-acquirer integrations, scheme rule tracking, a routing engine, reconciliation across settlement files, and a dispute queue. topropay ships all of that as a platform — one API in front of the connected provider panel. Build the buyer flow, not the plumbing.

Merchant checkout MERCHANT SCOPE API + vault TOPROPAY Routing engine TOPROPAY Acquirer connectors TOPROPAY Reconciliation TOPROPAY DIY: 12+ months of engineering to replicate Scope avoided by using topropay is highlighted.
Highlighted scope shifts to the platform. Merchant keeps the top-left box.
18–36 mo
typical in-house gateway build timeline
PCI L1
certification effort avoided when using topropay
20+
acquirer / scheme integrations needed on the DIY path
1
unified API when using topropay instead

What a real build actually contains

The scope of building payment gateway infrastructure from scratch

Six major work streams that every serious in-house payment gateway build has to deliver. Each one is a multi-quarter engineering effort in its own right.

01 PCI DSS Level 1 posture
Card vault, tokenisation, HSM key management, network segmentation, quarterly ASV scans and an annual on-site QSA assessment. Multi-quarter engineering effort plus ongoing operational cost.
02 Acquirer integrations
Per-acquirer schemas, ISO 8583 / 20022 message formats, EMV auth flows, capture, refund, dispute file ingestion. Every additional acquirer is a fresh integration.
03 Scheme rules
Visa VDMP / VAMP / VFMP, Mastercard ECP / EFMP, scheme-programme registrations, network token orchestration (VTS, MDES), EMV 3DS2 / SCA integration.
04 Routing engine
Per-BIN routing, cascade on soft decline, per-currency and per-country policy editor, live scoring on device / geo / velocity signals — plus a way to change routing without deploying code.
05 Reconciliation feed
Normalising settlement files from every connected provider, matching captures to settlements, fee decomposition per scheme and currency, chargeback lifecycle across provider portals.
06 Operator surface
Merchant dashboard, refund controls, dispute queue, audit log, role-based access, KYB / KYC pipelines, per-merchant routing policy editor, reporting exports.

Build vs buy

Building a payment system in-house vs orchestration on topropay

Six axes that tend to flip between an in-house build and topropay as the orchestration layer.

Axis DIY build topropay platform
Time to first payment 9–18 months of engineering before first live authorisation Sandbox live in hours; production in weeks pending KYB
Team size 5–15 engineers plus compliance and finance operations One integration engineer plus finance for reconciliation
PCI DSS posture Merchant carries full PCI DSS Level 1 scope internally Sub-merchants inherit topropay's PCI L1 posture; SAQ A scope
Adding acquirers Per-acquirer integration project (weeks to months each) Routing-policy change; no re-integration
Scheme rule updates Ongoing engineering to track Visa / Mastercard scheme releases Platform-side; merchants inherit updates
Ongoing compliance cost Annual QSA, ASV scans, HSM lifecycle, key rotation, audits Included in the platform contract

Key benefits

Why building your own payment gateway loses to orchestration for most merchants

Four properties that show up the moment a merchant compares the DIY build effort to the reality of running on an existing orchestration layer.

Ship in weeks, not years

The engineering effort to build a payment gateway from scratch is real — 12+ months of dedicated work before the first live authorisation. Using topropay collapses the time-to-first-payment to weeks pending KYB.

Own the differentiation, not the plumbing

The parts that actually differentiate the merchant's product — checkout UX, buyer flow, invoicing, receipts — stay in the merchant's codebase. The rails, routing, vault and reconciliation live on the platform.

Inherit the compliance posture

Instead of the merchant's own engineering team carrying PCI DSS Level 1 scope, sub-merchants inherit topropay's posture. The SAQ scope drops to SAQ A for hosted-checkout, SAQ A-EP for embedded hosted-fields.

Grow the panel without new integrations

Adding a new connected acquirer or PSP on the DIY path is a fresh integration project. On topropay it's a routing-policy change — the merchant's checkout code doesn't move.

How building a payment platform on topropay works

From scoping the build to first live authorisation in five steps

What actually happens between the decision to skip (or partly skip) the DIY build and the first authorisation clearing on topropay.

  1. 01

    Scope the current stack

    Whether the merchant has an in-progress build or hasn't started yet, the first step is scoping what parts of a payment gateway they'd actually need — for their vertical, geography and buyer mix.

  2. 02

    Onboard and KYB

    KYB and underwriting through the topropay dashboard. Most merchants are approved in a few business days; longer for high-risk verticals or complex ownership structures.

  3. 03

    Integrate the unified API

    One integration against topropay's REST API replaces per-acquirer integrations. Hosted checkout, embedded hosted-fields or low-level SDK — pick the shape that fits the merchant's UX and PCI scope preference.

  4. 04

    Configure the routing policy

    Per-BIN, per-currency and per-country routing rules rank the connected providers for each authorisation; weights are dashboard-editable and the merchant can override any lane.

  5. 05

    Go live and iterate

    Sandbox testing, phased traffic cutover, and per-lane telemetry once live. Routing weights, method mix and integration shape all iterate without re-deploying the merchant's checkout.

Main use cases

Where the build-vs-buy question earns a decisive answer

Six merchant / PSP shapes where the analysis of building a payment gateway versus using topropay tends to flip decisively toward the platform.

  • PSP

    PSPs contemplating a gateway build

    A PSP considering building their own payment gateway can white-label topropay's platform and expose it to downstream merchants — the same unified API, per-merchant routing policies and reseller-branded dashboard.

  • Plat

    Marketplaces and platform companies

    Instead of building a gateway to power seller payouts and buyer collections, the platform integrates topropay's orchestration layer with per-seller routing policies.

  • SaaS

    SaaS with embedded payments ambitions

    SaaS companies building embedded-payments features skip the PCI L1 and per-acquirer integration effort by riding topropay's platform; monetisation on top of authorisation is fully in the SaaS's hands.

  • B2B

    B2B software with pay-in / pay-out needs

    B2B software with invoicing, payouts and multi-currency needs uses topropay's rails so its own engineering focuses on domain logic, not payment scheme rule updates.

  • DTC

    Growth-stage DTC skipping a gateway rewrite

    DTC brands whose original single-gateway integration is starting to constrain them use topropay to add lanes without re-integrating from scratch.

  • Risk

    Merchants with vertical-specific risk

    Merchants in licensed regulated verticals (subscription, ticketing, travel, licensed gaming) get vertical-tuned routing and chargeback tooling without building it themselves.

Platform features

Capabilities merchants inherit instead of building

Twelve platform capabilities the merchant would otherwise need to build from scratch. Each is production-grade on day one.

  • Unified REST API

    One authorisation endpoint replaces per-acquirer integrations; SDKs for web, mobile and server.

  • Hosted, embedded & SDK surfaces

    Three integration shapes on the same back-end — picked per merchant's PCI and UI constraints.

  • PCI DSS Level 1 vault

    Card data captures into the platform vault; PAN never lands on the merchant origin.

  • Smart routing engine

    Per-BIN, per-currency and per-country scoring across the connected panel; dashboard-editable weights.

  • Cascade & retry

    Soft declines cascade to the next ranked provider inside the same authorisation — the buyer sees one decision.

  • Network tokens & updaters

    VTS and MDES tokens by default; scheme updaters keep saved credentials alive across re-issuance.

  • EMV 3DS2 / SCA orchestration

    Selective challenges per PSD2 exemption logic; frictionless flows pass through.

  • Unified dispute queue

    One queue across providers; evidence-pack templates per vertical; automated representment for select scheme types.

  • One reconciliation feed

    Settlements, fees, refunds and chargebacks normalised into one ledger tagged by provider, scheme and currency.

  • Operator-side refund controls

    Refunds require justification; every refund logged with actor identity, reason and timestamp.

  • Per-merchant routing policies

    PSPs can configure independent routing weights per downstream merchant — reseller-native.

  • Signed webhooks

    Signed lifecycle events; replay-safe IDs; per-acquirer settlement notifications normalise into one event stream.

Trust & compliance

Compliance posture inherited on topropay

One audited environment underpins every merchant on the platform. What a DIY build would need to certify and maintain independently, sub-merchants inherit here.

PCI DSS Level 1
Annual on-site assessment plus quarterly ASV scans; sub-merchants inherit the posture without carrying their own PCI L1 environment.
Scheme programmes
Visa VDMP / VAMP / VFMP and Mastercard ECP / EFMP positions surfaced per connected acquirer; routing weights can rotate around at-risk lanes.
SCA & PSD2
Selective EMV 3DS2 on the authorisation path keeps approval high in Europe without skipping the SCA bar.
Bank-rail mandate posture
NACHA authorisations for ACH, SEPA mandate IDs for SEPA Direct Debit; captured and retained per scheme rules.
Sanctions & AML alignment
Sanctions screening on onboarding; AML monitoring tuned per merchant vertical, volume and country mix.
Licensed verticals only
Licensed gaming, regulated financial services and other compliance-bound verticals supported only where current operating licences exist. Grey and black-market verticals are out of scope regardless of build shape.

Ready to skip the 18-month build

Skip the build. Ship the payments feature.

A 30-minute build-vs-buy review scopes what a serious in-house gateway would need for your merchant / PSP shape, and what shifts to topropay. Sandbox access follows before any commercial commitment.

Frequently asked

Buyer questions about building a payment gateway

Scope, hybrid setups, migration options, TCO comparison and the practicalities of build-vs-buy for merchants and PSPs.

  1. 01

    Should our team actually be building a payment gateway from scratch?

    Building a payment gateway from scratch is a valid path for very-large-scale merchants and financial institutions that need bespoke behaviour the market doesn't offer. For most merchants and PSPs the effort — PCI DSS Level 1, per-acquirer integrations, scheme rule tracking, routing engine, reconciliation, dispute queue — is 12–36 months of engineering work before the first live authorisation. topropay collapses that into an integration against one API.

  2. 02

    What does building payment gateway effort break down into on the DIY path?

    Building payment gateway effort typically breaks into: (1) PCI DSS Level 1 posture (vault, HSM, ASV scans, QSA), (2) per-acquirer integrations (ISO 8583 / 20022, capture, refund, dispute), (3) scheme rule tracking (Visa / Mastercard programme releases, EMV 3DS2, network tokens), (4) routing / cascade engine, (5) reconciliation across settlement files, (6) operator surface (dashboard, refund controls, dispute queue, audit log).

  3. 03

    Is building a payment system the same as building a payment gateway?

    Building a payment system is broader — it includes the gateway plus the wider fabric around it: KYB / KYC, merchant onboarding, sub-merchant model, ledger / accounting integration, payouts and, for some merchants, in-person acceptance. topropay covers the gateway layer plus most of the surrounding system; the merchant's own product covers the buyer-facing surface.

  4. 04

    How does building a payment platform differ from a single gateway?

    Building a payment platform is aggregator-scale work: sub-merchant onboarding, KYB pipelines, per-merchant routing policies, reseller / PSP hierarchy, per-merchant reconciliation and dispute queues, and reseller-branded dashboards. topropay's PSP-facing configuration provides most of this out of the box, letting a reseller focus on their merchant relationship rather than the platform plumbing.

  5. 05

    What if we're set on building your own payment gateway anyway?

    Merchants set on building your own payment gateway sometimes end up using topropay for the parts they don't want to build (the vault, cross-acquirer routing, reconciliation feed) while keeping their own bespoke checkout and buyer flow. The unified API is designed to be composable, not all-or-nothing.

  6. 06

    Does topropay support hybrid setups where a merchant runs some rails in-house and some through the platform?

    Yes. Hybrid setups are common: a merchant might run their own direct-MID card acquiring through their in-house gateway and use topropay for the alternative-payment-methods, ACH / SEPA rails, or the crypto side. The reconciliation feed can be configured to normalise topropay-side receipts into the merchant's own ledger.

  7. 07

    How does the routing engine compare with what a DIY build produces?

    A DIY routing engine typically starts as static BIN-to-acquirer rules and grows into a scoring engine over years as the merchant discovers edge cases. topropay's engine ships with per-BIN, per-currency, per-country, risk-signal and dispute-programme scoring on day one, plus dashboard-editable weights and per-merchant overrides — the state of the art rather than a v1 implementation.

  8. 08

    What about network tokens and account updaters — do we still need to build those?

    No. Network tokens via Visa Token Service (VTS) and Mastercard Digital Enablement Service (MDES) are provisioned by topropay at first authorisation; scheme updaters keep the tokens alive across card re-issuance. The merchant's code doesn't need to know how the tokens are managed — the vault handles it.

  9. 09

    Some queries mention 'portable building payment gateway' — does that apply here?

    That phrasing is unrelated to payments-industry gateways — it refers to portable-buildings (modular structures / sheds / cabins) manufacturers taking online payments for their products. If a portable-buildings merchant wants to accept payments on their website, topropay's standard online acceptance flow works exactly the same as for any DTC merchant; the 'gateway' in that context is the payments gateway on the storefront, not a bespoke build.

  10. 10

    How is the merchant's data protected on the platform vs a DIY build?

    Merchant data on topropay is isolated per merchant record; the platform vault holds card tokens rather than PAN; every dashboard action is logged with actor identity and timestamp. Cross-merchant data isolation is enforced at the API and database layer. A DIY build has to design and implement all of this from scratch.

  11. 11

    Can we start with topropay and switch to a DIY build later if scale justifies it?

    Yes. topropay's unified API and vault token format are designed to be portable. If a merchant reaches a scale where a bespoke build is justified, vault tokens can be migrated to a merchant-owned vault, and per-provider settlement files can be delivered directly. The platform doesn't lock in the merchant to a proprietary format.

  12. 12

    What about high-risk verticals — do we need to build our own routing for them?

    No. topropay's connected panel includes acquirers that serve licensed high-risk verticals (subscription, ticketing, travel, licensed gaming); vertical-tuned routing weights and dispute programme monitoring come with the platform. The merchant doesn't need to build a separate high-risk gateway.

  13. 13

    How does the platform handle scheme rule updates?

    Visa and Mastercard release scheme rule updates on a regular cadence (typically twice yearly). topropay tracks and implements these platform-side; merchants inherit the updates without engineering effort. A DIY build has to allocate engineering time to every scheme release.

  14. 14

    What's the total cost of ownership difference?

    TCO for a DIY build typically breaks down into: dedicated engineering team (5–15 headcount ongoing), compliance operations (2–4 headcount plus annual QSA and ASV costs), HSM and key management infrastructure, ongoing scheme rule work, plus the multi-year opportunity cost of not building product features. topropay replaces most of this with a per-transaction platform contract.

  15. 15

    Where does topropay stop and the merchant's own build begin?

    topropay handles the vault, tokenisation, routing, cascade, reconciliation, dispute queue, PCI L1 posture and connected provider panel. The merchant handles their own checkout UX, buyer identity, product catalogue, order management and any bespoke commercial logic. The API surface is designed so the merchant never has to touch scheme-level details.