How Payment Processing Works

Understanding the basics of how card payments work helps you troubleshoot issues and answer customer questions with confidence. This page explains the payment flow in simple terms — it applies whether you use NMI, Authorize.net, or both.

The Payment Flow

Every time a customer ~~swipes~~pays aby ~~card,~~card ~~taps~~— ~~their~~whether in person, over the phone, or ~~types in a card number~~ on your ~~website,~~website ~~a series of steps happens behind~~— the ~~scenes~~payment togoes ~~move~~through ~~money~~three ~~from their account to yours. This page explains how that process works in plain English — no finance degree required.~~

The Payment Flow: Three Steps to Getting Paid

~~Think of every credit or debit card transaction as a three-step process:~~steps:

Authorization — ~~"Is~~The payment processor asks the ~~money~~customer's ~~there?"~~
~~When a customer hands you their card to pay for a Glock 19, your system instantly contacts their bank and asks:~~bank: "~~Does~~Is this card valid, and does the customer have ~~$549~~enough ~~available?~~money?" The bank ~~checks~~says ~~and sends back either an approval~~yes or ~~a decline.~~no. If ~~approved,~~yes, ~~that~~the ~~$549~~funds are put on hold. Think of it like opening a bar tab — the money is ~~held~~reserved ~~(reserved) on the customer's card. The money~~but hasn't actually moved ~~yet — it's just set aside so it can't be spent elsewhere.~~yet.
Capture — ~~"Go ahead and take it."~~
~~Capture~~This is ~~the step where you confirm~~when you actually ~~want to collect~~charge the ~~money.~~card. In most ~~CloudFFL~~cases, ~~setups,~~this ~~authorization~~happens ~~and~~automatically ~~capture~~right ~~happen~~after atauthorization. ~~the same time — the customer pays, and the charge is finalized in one step. However, for~~For special orders or ~~layaway situations (say a customer orders a custom Cerakote rifle),~~layaway, you might authorize ~~the card up front~~now and capture later ~~when~~once the item arrives.
Settlement — ~~"Send the money."~~
At the end of ~~each business~~the day, all ~~your~~ captured transactions are batched together and sent to the bank infor afinal ~~batch. This is called settlement.~~processing. The ~~funds~~money ~~are then transferred~~moves from ~~your~~the ~~customers'~~customer's ~~banks~~bank ~~into~~to your merchant account. ~~Settlement~~This ~~typically~~usually takes 1–2 business ~~days, which is why you don't see the money in your bank account the instant someone pays.~~days.

~~Think~~In ofplain ~~it like a bar tab.~~English: Authorization ~~opens~~= "Can they pay?" → Capture = "Charge them." → Settlement = "Move the ~~tab~~money." ~~(reserving~~For ~~the~~most ~~funds).~~counter ~~Capture~~sales, isall ~~when~~three ~~you~~happen ~~close~~within ~~out the tab (confirming the final amount). Settlement is when the bar actually gets paid by the credit card company.~~seconds.

Card-Present vs Card-Not-Present

Payment processors treat transactions differently depending on whether the physical card is in front of ~~you or not:~~you:

Card-~~Present (CP)~~present — The customer is ~~standing~~ at your counter and ~~physically~~ inserts, taps, or swipes their physical card on a terminal. Example: a customer ~~walks into your shop and buys~~buying a ~~box~~Glock ~~of 9mm ammo using the chip reader~~19 at ~~your~~the register. These transactions are more secure (the chip proves the card is real) and typically have lower processing ~~fees because the risk of fraud is much lower.~~fees.
Card-~~Not-Present (CNP)~~not-present — The card number is ~~not physically~~typed in ~~front~~manually of— ~~you.~~either ~~This includes online orders on your website, phone orders where~~by you ~~type~~(phone inorder) or by the ~~card~~customer ~~number,~~(online ~~and invoices paid remotely.~~purchase). Example: a customer calls in to pre-pay for a special-order ~~suppressor~~suppressor, ~~and~~or ~~reads~~places ~~their~~an ~~card~~order ~~number~~on ~~over~~your ~~the phone.~~website. These transactions ~~have~~carry slightly higher ~~processing~~ fees because there's ano ~~greater~~physical ~~risk~~card ofto ~~fraud.~~verify.

Always use the chip reader when the customer is in ~~the~~front ~~store.~~of you. ~~Typing~~Chip (EMV) transactions are more secure and have lower fees than manually typing in athe card ~~number manually when the customer is standing right there (called "key-in") costs you more in processing fees and increases your fraud liability.~~number. Only use key-in when you're taking a ~~card~~phone ~~when~~order ~~you~~or ~~have~~the noterminal ~~other~~isn't ~~option.~~working.

Tokenization:Tokenization — Why Card Numbers Aren'tAre Never Stored

~~You might wonder — when~~When a customer ~~pays,~~pays ~~does~~by ~~CloudFFL~~card ~~save~~in CloudFFL, their ~~credit~~actual card ~~number?~~number is ~~No,~~never ~~and~~stored ~~that's~~in byyour ~~design.~~

system.

~~Here's what actually happens: when a customer enters their card details (either by swiping at a terminal or typing their number online),~~Instead, the payment ~~system immediately~~processor replaces the ~~real~~ card number with a random code called a token. ~~That~~This token ~~looks~~can ~~something~~be ~~like~~used tk_8f3a9b2c1dto —charge ~~meaningless~~the same card again (for future orders or refunds) but is worthless to anyone who ~~sees~~might steal it.

This is why you'll sometimes see a returning customer's card listed as something like "Visa ending in 4242" — CloudFFL ~~stores~~only knows the last four digits and the token, not the ~~card~~full number. ~~If you need to charge that customer again (for a backorder, a recurring payment, or a refund), the system uses the token to reference the original card without ever exposing the actual number.~~

~~If someone broke into your database, they'd find useless tokens — not real card numbers~~ ~~You don't have to worry about storing sensitive card data on your own systems~~ This keeps you inPCI-compliant ~~compliance~~and ~~with~~protects ~~PCI-DSS~~your ~~(the security rules that all businesses accepting cards must follow)~~ customers.

Payment Gateway vs Payment Processor

You'll sometimes hear these two terms aused ~~lot,~~interchangeably, ~~and~~but ~~they're~~they ~~easy~~mean toslightly ~~mix~~different ~~up. Here's the simple version:~~things:

Payment ~~Gateway~~gateway — The ~~software~~technology that securely ~~collects the~~sends card details ~~and~~from ~~sends~~your ~~them~~system to the ~~right place.~~processor. Think of it as the ~~"front~~secure ~~door"~~tunnel —between ~~it's~~CloudFFL ~~what~~and ~~your~~the ~~website~~bank. orNMI ~~terminal talks to. Examples: NMI,~~and Authorize.~~net.~~net are both payment gateways.
Payment ~~Processor~~processor — The company that actually moves the money between banks. ~~Think~~Your ofgateway ittalks asto the ~~"highway"~~processor behind the ~~money travels on. Examples: First Data, TSYS, Worldpay. Your processor is usually set up by your merchant services provider.~~scenes.

InAs ~~everyday~~a ~~terms:~~dealer, ~~the~~ ~~gateway~~ ~~takes the order, and the~~ ~~processor~~ ~~delivers the package. You interact with the gateway (through CloudFFL); the processor works in the background.~~

~~You~~you don't need to ~~pick~~worry amuch ~~processor~~about ~~separately.~~this ~~When~~distinction. ~~you~~Just ~~sign~~know ~~up with a gateway like NMI or Authorize.net through your merchant services provider, the processor is included.~~that CloudFFL connects to ~~the~~your ~~gateway,~~gateway (NMI or Authorize.net), and the gateway handles ~~the~~everything ~~rest.~~else.

CloudFFL's

WhatSupported CloudFFLPayment SupportsGateways

CloudFFL ~~integrates with~~supports two payment ~~gateways:~~

gateways.

~~NMI (Network Merchants Inc.)~~ ~~— A full-featured gateway with support for physical card terminals at your counter, manual card entry, and online payments. This is the most popular choice for FFL dealers with a retail storefront.~~ ~~Authorize.net~~ ~~— A widely-used gateway that handles online card payments and ACH/eCheck transactions. This is a good option for dealers who sell primarily online or want to accept bank transfers.~~

You can use one or both, depending on your ~~business.~~needs:

~~The~~

NMI — Supports physical card terminals at the POS, manual card entry (key-in), and website payments. Best for dealers with a retail counter. Authorize.net — Supports online card payments and ACH/eCheck (bank transfers). Best for online-only dealers or as a secondary gateway. No physical terminal support.

See the next ~~page~~page, inNMI ~~this~~vs ~~chapter~~Authorize.net ~~covers~~— ~~the~~Choosing ~~differences~~Your inProvider, ~~detail~~for a detailed comparison to help you ~~decide.~~decide which one (or both) to set up.