Hosted payment pages

Hosted payment pages for secure, fast-launch checkout

A hosted payment page is a secure, gateway-hosted checkout where customers enter their card details on the gateway instead of your website — so cardholder data never touches your servers. It is the shortest path to PCI SAQ A compliance, a launch measured in days, and built-in tokenization, recurring billing, and 3DS2 fraud protection. Supported on NMI, Authorize.net, and FluidPay for low-risk and high-risk merchants alike. 99% of qualified applications approved, $0 setup, decision in 24–48 hours.

The basics

What is a hosted payment page?

A hosted payment page is a checkout page served by your payment gateway rather than by your own website. When a customer is ready to pay, they are handed off to a secure page on the gateway’s environment, enter their card details there, and return to your site once payment completes. The key consequence: card data is captured on the gateway, never on your servers.

That single design choice is why hosted pages are the fastest, lowest-risk way to accept cards online. There is no card form for you to build, harden, or certify, and no cardholder data flowing through your infrastructure to protect. It is the default checkout for most ecommerce payment processing setups precisely because it removes the hardest parts of taking payments securely.

Gray Merchants provisions hosted checkout on the gateway that fits your business and connects it to a dedicated MID placed through our 70+ acquirer relationships — with a 99% approval rate for qualified files, a $0 setup fee, 24–48 hour decisions, and interchange-plus pricing disclosed in writing.

Compliance

Card data never touches your servers

The biggest advantage of a hosted payment page is a smaller PCI footprint. Because cardholder data is entered directly into the gateway’s PCI-validated environment and never passes through or is stored on your systems, you typically qualify for SAQ A — the shortest PCI self-assessment questionnaire — instead of the far more demanding SAQ D that applies when card data flows through your servers.

Less scope means less audit burden, lower breach exposure, and a faster path to going live. For high-risk merchants especially, keeping card data off your infrastructure removes a whole category of liability while you focus on growing the business.

What you get

Everything a hosted checkout includes

A gateway-hosted page is more than a form — it is the security, storage, and billing engine your checkout runs on.

SAQ A PCI scope

Card data is captured on the gateway’s PCI-validated environment and never touches your servers, so you qualify for the shortest self-assessment questionnaire instead of the demanding SAQ D.

Fast launch

No card form to build, harden, or certify. Point your checkout button at the hosted page and you can start accepting payments in days, not the weeks a full API build takes.

Tokenization & vaults

The gateway stores a secure token in place of the real card number. Charge the token for repeat purchases and renewals without ever holding or storing card data yourself.

Recurring billing

Run subscriptions, installments, and autoship charges against stored tokens through the gateway’s recurring engine — card data stays out of your systems on every rebill.

Mobile-ready checkout

Hosted pages are responsive and optimized for phones and tablets out of the box, with support for digital wallets, so mobile shoppers convert without a clunky keyed form.

3DS2, AVS & CVV

The full card-not-present control stack: 3-D Secure 2 for issuer authentication and liability shift, AVS for billing-address matching, and CVV to confirm the card is in hand.

Running subscriptions? Tokenized hosted pages are the backbone of recurring billing, and pair with our chargeback defense to keep dispute ratios low.

Hosted vs direct API

Hosted page vs. direct API integration

A direct API integration gives you full control of the checkout form but pulls your servers into the widest PCI scope. A hosted page trades some styling control for a much smaller compliance footprint and a faster launch.

ConsiderationDirect API integrationHosted payment page
Card data locationPasses through your serversCaptured on the gateway, never on yours
PCI scopeSAQ D (widest, most audit)SAQ A (shortest questionnaire)
Time to launchWeeks of build and certificationDays — point-and-go
Checkout stylingFull control on your own formGateway-styled, brandable
Recurring & tokensYou manage the vaultGateway vault handles it

Prefer a fully embedded checkout? See our integrations for API and gateway-hosted-field options that keep more of the flow on your own site.

Supported gateways

Hosted pages on the gateways we place

NMI

A gateway-agnostic platform with a hosted checkout, Customer Vault tokenization, recurring billing, and 3DS2/AVS/CVV controls that connect to your dedicated MID.

Authorize.net

A widely supported gateway offering a hosted payment page (Accept Hosted), Customer Information Manager token vault, and full recurring and fraud-control tooling.

FluidPay

A modern gateway with hosted payment pages, tokenized vaulting, recurring billing, and 3DS2 support, built to route across dedicated and multi-MID structures.

How it works here

From application to a live hosted checkout

Four steps from applying to taking your first card on a gateway-hosted page, in SAQ A scope from day one.

01

Place your MID

We underwrite and place a dedicated merchant account through our 70+ acquirer relationships, matched to your industry and volume — most qualified files decide in 24–48 hours.

02

Connect the gateway

We provision your hosted checkout on NMI, Authorize.net, or FluidPay and link it to your MID, so every payment routes through your own account.

03

Configure security

We enable 3DS2, AVS, and CVV, set up the tokenization vault, and turn on recurring billing if you need it — all on the gateway side, off your servers.

04

Go live

Point your checkout button or cart at the hosted page. Cards are captured in SAQ A scope from day one, and you can begin processing the same day the account is live.

High-risk online sellers can pair a hosted page with a high-risk merchant account and, at scale, a multi-MID structure for redundancy across acquirers.

FAQ

Hosted payment pages FAQ

What is a hosted payment page?

A hosted payment page is a checkout page hosted by your payment gateway rather than on your own website. When a customer is ready to pay, they are directed to a secure page served by the gateway, enter their card details there, and are returned to your site once payment completes. Because the card data is captured on the gateway’s environment, it never touches your servers — which dramatically simplifies your PCI compliance and speeds up launch.

How does a hosted payment page reduce PCI scope?

With a hosted page, cardholder data is entered directly into the gateway’s PCI-validated environment and never passes through, or is stored on, your own systems. That typically qualifies you for the shortest PCI self-assessment questionnaire, SAQ A, instead of the far more demanding SAQ D that applies when card data flows through your servers. Less scope means less audit burden, lower breach exposure, and a faster path to processing.

Can a hosted payment page handle recurring billing and subscriptions?

Yes. Hosted pages support tokenization, so the gateway stores a secure token (a vault reference) in place of the real card number. You charge that token for renewals, subscriptions, and one-click repeat purchases without ever holding the card yourself. Combined with the gateway’s recurring-billing engine, a hosted page runs subscription and installment charges while keeping card data entirely out of your environment.

How is a hosted page different from a direct API integration?

A direct (API) integration captures card details in your own checkout form and posts them through your servers to the gateway — giving you full design control but pulling you into the widest PCI scope (SAQ D). A hosted page trades some styling control for a much smaller compliance footprint (SAQ A), a faster launch, and no card data on your infrastructure. Many merchants blend the two, using a hosted page or gateway-hosted fields for card entry while keeping the rest of checkout on their own site.

What security and verification does a hosted page support?

Hosted pages support the full card-not-present control stack: 3-D Secure 2 (3DS2) for issuer-side cardholder authentication and liability shift, AVS to match the billing address, and CVV to confirm the card is in hand. Enabling all three filters fraudulent orders before they settle and, with 3DS2, can shift fraud-chargeback liability to the issuer on qualifying transactions.

Which gateways support hosted payment pages here?

We support hosted payment pages through the major gateways we place accounts on — NMI, Authorize.net, and FluidPay. Each offers a gateway-hosted checkout, tokenization vault, recurring billing, and 3DS2/AVS/CVV controls, and each connects to your dedicated MID. Most qualified accounts are approved in 24–48 hours with a $0 setup fee and interchange-plus pricing disclosed in writing.

Talk to a specialist

Tell us about your business

Share a few details and a specialist reviews your industry, volume, and processing history, then comes back with the right path — no obligation.

  • Underwriting decision in 24–48 hours
  • $0 setup fee, dedicated MID
  • Specialist replies within 4 business hours
  • Every term disclosed in writing before you sign

Request a call from a specialist

Are you currently processing?

No obligation. A specialist replies within 4 business hours, Mon–Fri 9:00–18:00 EST.