Hosted payment pages for secure, fast-launch checkout
A hosted payment page is a secure, gateway-hosted checkout where customers enter their card details on the gateway instead of your website — so cardholder data never touches your servers. It is the shortest path to PCI SAQ A compliance, a launch measured in days, and built-in tokenization, recurring billing, and 3DS2 fraud protection. Supported on NMI, Authorize.net, and FluidPay for low-risk and high-risk merchants alike. 99% of qualified applications approved, $0 setup, decision in 24–48 hours.
What is a hosted payment page?
A hosted payment page is a checkout page served by your payment gateway rather than by your own website. When a customer is ready to pay, they are handed off to a secure page on the gateway’s environment, enter their card details there, and return to your site once payment completes. The key consequence: card data is captured on the gateway, never on your servers.
That single design choice is why hosted pages are the fastest, lowest-risk way to accept cards online. There is no card form for you to build, harden, or certify, and no cardholder data flowing through your infrastructure to protect. It is the default checkout for most ecommerce payment processing setups precisely because it removes the hardest parts of taking payments securely.
Gray Merchants provisions hosted checkout on the gateway that fits your business and connects it to a dedicated MID placed through our 70+ acquirer relationships — with a 99% approval rate for qualified files, a $0 setup fee, 24–48 hour decisions, and interchange-plus pricing disclosed in writing.
Card data never touches your servers
The biggest advantage of a hosted payment page is a smaller PCI footprint. Because cardholder data is entered directly into the gateway’s PCI-validated environment and never passes through or is stored on your systems, you typically qualify for SAQ A — the shortest PCI self-assessment questionnaire — instead of the far more demanding SAQ D that applies when card data flows through your servers.
Less scope means less audit burden, lower breach exposure, and a faster path to going live. For high-risk merchants especially, keeping card data off your infrastructure removes a whole category of liability while you focus on growing the business.
Everything a hosted checkout includes
A gateway-hosted page is more than a form — it is the security, storage, and billing engine your checkout runs on.
SAQ A PCI scope
Card data is captured on the gateway’s PCI-validated environment and never touches your servers, so you qualify for the shortest self-assessment questionnaire instead of the demanding SAQ D.
Fast launch
No card form to build, harden, or certify. Point your checkout button at the hosted page and you can start accepting payments in days, not the weeks a full API build takes.
Tokenization & vaults
The gateway stores a secure token in place of the real card number. Charge the token for repeat purchases and renewals without ever holding or storing card data yourself.
Recurring billing
Run subscriptions, installments, and autoship charges against stored tokens through the gateway’s recurring engine — card data stays out of your systems on every rebill.
Mobile-ready checkout
Hosted pages are responsive and optimized for phones and tablets out of the box, with support for digital wallets, so mobile shoppers convert without a clunky keyed form.
3DS2, AVS & CVV
The full card-not-present control stack: 3-D Secure 2 for issuer authentication and liability shift, AVS for billing-address matching, and CVV to confirm the card is in hand.
Running subscriptions? Tokenized hosted pages are the backbone of recurring billing, and pair with our chargeback defense to keep dispute ratios low.
Hosted page vs. direct API integration
A direct API integration gives you full control of the checkout form but pulls your servers into the widest PCI scope. A hosted page trades some styling control for a much smaller compliance footprint and a faster launch.
| Consideration | Direct API integration | Hosted payment page |
|---|---|---|
| Card data location | Passes through your servers | Captured on the gateway, never on yours |
| PCI scope | SAQ D (widest, most audit) | SAQ A (shortest questionnaire) |
| Time to launch | Weeks of build and certification | Days — point-and-go |
| Checkout styling | Full control on your own form | Gateway-styled, brandable |
| Recurring & tokens | You manage the vault | Gateway vault handles it |
Prefer a fully embedded checkout? See our integrations for API and gateway-hosted-field options that keep more of the flow on your own site.
Hosted pages on the gateways we place
NMI
A gateway-agnostic platform with a hosted checkout, Customer Vault tokenization, recurring billing, and 3DS2/AVS/CVV controls that connect to your dedicated MID.
Authorize.net
A widely supported gateway offering a hosted payment page (Accept Hosted), Customer Information Manager token vault, and full recurring and fraud-control tooling.
FluidPay
A modern gateway with hosted payment pages, tokenized vaulting, recurring billing, and 3DS2 support, built to route across dedicated and multi-MID structures.
From application to a live hosted checkout
Four steps from applying to taking your first card on a gateway-hosted page, in SAQ A scope from day one.
Place your MID
We underwrite and place a dedicated merchant account through our 70+ acquirer relationships, matched to your industry and volume — most qualified files decide in 24–48 hours.
Connect the gateway
We provision your hosted checkout on NMI, Authorize.net, or FluidPay and link it to your MID, so every payment routes through your own account.
Configure security
We enable 3DS2, AVS, and CVV, set up the tokenization vault, and turn on recurring billing if you need it — all on the gateway side, off your servers.
Go live
Point your checkout button or cart at the hosted page. Cards are captured in SAQ A scope from day one, and you can begin processing the same day the account is live.
High-risk online sellers can pair a hosted page with a high-risk merchant account and, at scale, a multi-MID structure for redundancy across acquirers.
Hosted payment pages FAQ
What is a hosted payment page?
A hosted payment page is a checkout page hosted by your payment gateway rather than on your own website. When a customer is ready to pay, they are directed to a secure page served by the gateway, enter their card details there, and are returned to your site once payment completes. Because the card data is captured on the gateway’s environment, it never touches your servers — which dramatically simplifies your PCI compliance and speeds up launch.
How does a hosted payment page reduce PCI scope?
With a hosted page, cardholder data is entered directly into the gateway’s PCI-validated environment and never passes through, or is stored on, your own systems. That typically qualifies you for the shortest PCI self-assessment questionnaire, SAQ A, instead of the far more demanding SAQ D that applies when card data flows through your servers. Less scope means less audit burden, lower breach exposure, and a faster path to processing.
Can a hosted payment page handle recurring billing and subscriptions?
Yes. Hosted pages support tokenization, so the gateway stores a secure token (a vault reference) in place of the real card number. You charge that token for renewals, subscriptions, and one-click repeat purchases without ever holding the card yourself. Combined with the gateway’s recurring-billing engine, a hosted page runs subscription and installment charges while keeping card data entirely out of your environment.
How is a hosted page different from a direct API integration?
A direct (API) integration captures card details in your own checkout form and posts them through your servers to the gateway — giving you full design control but pulling you into the widest PCI scope (SAQ D). A hosted page trades some styling control for a much smaller compliance footprint (SAQ A), a faster launch, and no card data on your infrastructure. Many merchants blend the two, using a hosted page or gateway-hosted fields for card entry while keeping the rest of checkout on their own site.
What security and verification does a hosted page support?
Hosted pages support the full card-not-present control stack: 3-D Secure 2 (3DS2) for issuer-side cardholder authentication and liability shift, AVS to match the billing address, and CVV to confirm the card is in hand. Enabling all three filters fraudulent orders before they settle and, with 3DS2, can shift fraud-chargeback liability to the issuer on qualifying transactions.
Which gateways support hosted payment pages here?
We support hosted payment pages through the major gateways we place accounts on — NMI, Authorize.net, and FluidPay. Each offers a gateway-hosted checkout, tokenization vault, recurring billing, and 3DS2/AVS/CVV controls, and each connects to your dedicated MID. Most qualified accounts are approved in 24–48 hours with a $0 setup fee and interchange-plus pricing disclosed in writing.