Reviewed by the SEOPointz team · Last reviewed June 2026. Gateway fees and PCI rules change often, so we re-checked the current published rates and compliance tiers before publishing. SEOPointz may earn a commission from some links; it never changes what we recommend.
Building the site is the easy part. The moment you want to actually take money, a second set of questions appears: which payment gateway, how the fees stack up, and — the one most guides skip — what your hosting has to do to keep card data safe. The gateway and the host are two different jobs that have to work together, and getting that handoff right is the difference between a checkout that converts and one that quietly leaks sales (or worse, leaks data). Here’s how the pieces fit.
Where your host ends and the gateway begins
Your web host stores your site, serves your pages, and keeps the connection encrypted. It does not move money. That job belongs to a payment gateway — Stripe, PayPal, Square and the like — which securely passes card details to the card networks and your bank. The cleanest setups keep card data off your own server entirely: the shopper either lands on a hosted payment page, or the card fields are loaded inside an iframe served by the gateway. Your hosting’s job is to deliver that checkout fast, over HTTPS, without dropping under load. The gateway’s job is to handle the sensitive part. Confusing the two is how merchants end up storing card numbers they were never supposed to touch.
PCI compliance is the part nobody warns you about
Any business handling card payments falls under the PCI DSS (Payment Card Industry Data Security Standard). The good news: how much of it lands on you depends entirely on your integration. If you use a hosted payment page or a gateway-served iframe, card data never reaches your systems, which puts most small merchants in the lightest tier — SAQ A, a self-assessment of roughly 22 requirements focused on keeping your site connection secure. Build a custom checkout that captures card fields on your own pages and your scope balloons. The practical takeaway: unless you have a compliance budget, let the gateway host the sensitive step and keep yourself in SAQ A territory.
Comparing the main gateways
For most websites the choice comes down to three names. Pricing below reflects standard published US online rates; international and specialty products differ, so confirm your exact plan before committing.
| Gateway | Typical online rate | Monthly fee | Best for |
|---|---|---|---|
| Stripe | 2.9% + $0.30 per transaction | $0 | Developers, SaaS, subscriptions, custom checkouts |
| PayPal | Roughly 2.9%–3.5% + a fixed fee, depending on product (higher cross-border) | $0 | Buyer trust and one-click familiarity at checkout |
| Square | 2.9% + $0.30 per online transaction | $0 | Businesses that also sell in person and want one system |
None of these charge a monthly fee on their entry tiers, so the real cost is the per-transaction percentage. Stripe wins on flexibility and clean APIs; PayPal earns its place because offering it as an option alongside cards measurably lifts checkout completion for shoppers who already trust it; Square is the pick if your storefront and your website need to share one ledger.
What your hosting actually needs to provide
You don’t need exotic hosting to take payments, but a few things are non-negotiable. A valid SSL/TLS certificate is mandatory — the checkout must run over HTTPS, and most decent hosts now bundle a free certificate. You want reliable uptime, because every minute the checkout is down is a sale lost. And if you run WooCommerce or a similar platform, confirm your host supports the gateway plugins you plan to use and can handle the database load of a busy cart. A cheap, oversold shared plan that crawls under traffic will cost you far more in abandoned checkouts than you save on hosting.
Avoiding the fees that quietly add up
The headline rate is rarely the whole bill. Cross-border and currency-conversion surcharges can add a percent or more on international sales. Chargebacks usually carry a flat fee per dispute on top of the lost revenue, so clear product descriptions and recognizable billing names matter. And watch for “instant payout” charges if you cash out daily instead of on the standard schedule. Read the fee schedule for the specific product you’re enabling — gateways often have several, and the friendly 2.9% number isn’t always the one you end up on.
Frequently asked questions
Do I need a separate merchant account?
Usually not. Stripe, PayPal and Square are aggregators that bundle the merchant account into their service, so you can start taking payments without applying for one separately. High-volume sellers sometimes graduate to a dedicated merchant account for better rates.
Will using a hosted checkout hurt my brand or conversions?
Modern hosted pages and embedded iframes can be styled to match your site, so most shoppers never notice the handoff — and the lighter PCI scope is well worth it for small teams.
Is an SSL certificate enough to be “secure”?
It’s required but not sufficient. SSL encrypts the connection; PCI compliance, tokenisation and keeping card data off your server are what actually protect the payment.
If you’re still choosing the foundation underneath your store, our guide to the best web hosting for WordPress websites covers the platforms that pair best with WooCommerce, and our web hosting price comparison helps you weigh what you’re actually paying for.
