Payment Integrations Intro
Payment methods have very different requirements.
For example, some payment methods - like the built-in Check / Money Order - can work completely within Magento. They do not require contacting an external Payment Service Provider (PSP) because no credit card data is collected.
In Magento, such payment methods are sometimes referred to as "offline payment methods".
Nowadays offline payment methods are an exception - most eCommerce transactions use a credit card.
Collecting credit card data requires compliance with strict security standards. Keeping cardholder data safe is the purpose of PCI DSS (Payment Card Industry Data Security Standard), and any system that stores, processes or transmits card numbers is in scope for it.
This is why payment methods collecting credit card information are built by integrating external Payment Service Providers.
In Magento, such payment methods are sometimes called "gateway" payment methods.
They delegate the actual collection of card data to the PSP and only operate with result information provided by the Payment Service Provider API.
How a Magento payment method hands the customer over to the PSP so that the required data can be collected varies.
Some PSPs may require the customer to leave the Magento website and complete steps on their website, after which the customer is redirected back to the Magento checkout.
If the payment succeeded, an authorization token is passed to Magento, either as a parameter of the redirect back or through a side channel such as a webhook or API request from the PSP. In both cases the token arrives as untrusted input: a redirect parameter can be edited by the customer, and a webhook endpoint has to authenticate that the call really came from the PSP (for example by checking the signature the PSP attaches) before acting on it.
Other PSPs display an iframe with a form that collects the credit card data inside the checkout and pass the authorization token to the Magento page via JavaScript after the payment succeeds, using window.postMessage(). The listener on the Magento page must compare event.origin with the PSP's origin before accepting such a message, because any window can post messages to it.
The validity of a payment token always has to be confirmed server-side, in PHP, at the time the order is placed, by asking the PSP what the token actually authorizes (status, amount and currency). Anyone who controls the browser can bypass every frontend validation, so nothing the checkout JavaScript reports about the payment can be trusted.
Such a payment token means the credit card data was valid, and it authorizes the token holder (that is, Magento) to capture the given amount.
These payment tokens are usually valid for a single capture only and for a limited time.
Capturing the payment with the token may happen when the order is placed, or it may happen later, for example when the order is shipped.
This depends on the business process of the merchant.
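The server-side check described above, as an added example that is not Magento core code or any PSP's SDK: the PspClient interface, the token names, the field names in the PSP's answer and the FakePspClient stand-in are all assumptions made for illustration. A real integration maps them onto the PSP's actual API and runs the validator from the payment method's authorize or capture gateway command; the sample tokens are constructed so the script runs offline.

```php
<?php
// Added example, not code from Magento or from any PSP: server-side verification
// of a PSP payment token at order placement. The PspClient interface, the token
// names and the field names in the PSP answer are assumptions for illustration.
declare(strict_types=1);

interface PspClient
{
    /** Asks the PSP what a token authorizes; returns the PSP's answer as an array. */
    public function inspectToken(string $token): array;
}

// Constructed stand-in for the PSP API so the example runs offline.
// A real client performs an authenticated HTTPS request to the PSP.
final class FakePspClient implements PspClient
{
    public function __construct(private array $tokens) {}

    public function inspectToken(string $token): array
    {
        return $this->tokens[$token] ?? ['status' => 'unknown'];
    }
}

final class PaymentTokenValidator
{
    public function __construct(private PspClient $psp, private int $now) {}

    /**
     * Throws unless the token authorizes exactly this order. Status, amount,
     * currency and expiry all come from the PSP's answer, never from the
     * request the browser sent, because that request is attacker-controlled.
     */
    public function assertValidFor(string $token, int $orderAmountMinor, string $orderCurrency): array
    {
        $info = $this->psp->inspectToken($token);

        if (($info['status'] ?? '') !== 'authorized') {
            throw new RuntimeException('Token is not authorized by the PSP');
        }
        if (!empty($info['captured'])) {
            throw new RuntimeException('Token has already been captured (single use)');
        }
        if ($this->now > (int) ($info['expires_at'] ?? 0)) {
            throw new RuntimeException('Token has expired');
        }
        if (($info['currency'] ?? '') !== $orderCurrency) {
            throw new RuntimeException('Currency mismatch');
        }
        // Money is compared in minor units (cents) to avoid float rounding issues.
        if ((int) ($info['amount_minor'] ?? -1) !== $orderAmountMinor) {
            throw new RuntimeException('Authorized amount differs from the order total');
        }
        return $info;
    }
}

// Constructed sample data: what the PSP would report for three known tokens.
$psp = new FakePspClient([
    'tok_ok'   => ['status' => 'authorized', 'captured' => false, 'expires_at' => 1700000900, 'currency' => 'EUR', 'amount_minor' => 4999],
    'tok_used' => ['status' => 'authorized', 'captured' => true,  'expires_at' => 1700000900, 'currency' => 'EUR', 'amount_minor' => 4999],
    'tok_old'  => ['status' => 'authorized', 'captured' => false, 'expires_at' => 1699999000, 'currency' => 'EUR', 'amount_minor' => 4999],
]);
$validator = new PaymentTokenValidator($psp, now: 1700000000);

// Order total is 49.99 EUR; the token is whatever the checkout posted back.
foreach (['tok_ok', 'tok_used', 'tok_old', 'tok_forged'] as $token) {
    try {
        $validator->assertValidFor($token, 4999, 'EUR');
        echo "$token: accepted, capture may proceed\n";
    } catch (RuntimeException $e) {
        echo "$token: rejected, {$e->getMessage()}\n";
    }
}

// A genuine token bound to a different total is rejected as well.
try {
    $validator->assertValidFor('tok_ok', 100, 'EUR');
} catch (RuntimeException $e) {
    echo "tok_ok with tampered amount: rejected, {$e->getMessage()}\n";
}
```

Only tok_ok with the matching amount passes; the captured, expired, unknown and amount-mismatched cases are all rejected before any capture is attempted. Whether the capture then happens immediately or later is, in Magento, the method's payment_action setting: authorize_capture captures when the order is placed, while authorize only authorizes and the capture is triggered when an invoice is created later, for example at shipment.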
There are many other ways a PSP integration can be implemented besides the ones described above.