Payment providers for your online shop — secure, fair, and lock-in free
How secure paying on a website really works
Paying on the internet feels self-evident today — and technically is not. Behind every click on a payment button stands a chain of interfaces, banks, and security standards that has been refined for over twenty years. Anyone integrating an online shop or a booking system with a payment function takes on part of this responsibility — and chooses which part to delegate to an external provider.
The most important principle first: card data has no business being on your own server. Anyone processing or even storing credit card numbers, expiry dates, or security codes on their own website enters a compliance area that is neither professionally nor commercially sensible for SMEs. The entire modern payment industry has organised itself around this separation: your shop forwards amounts, the payment provider does the rest.
Andrea, owner of a 38-room hotel in the Carinthian mountains, went through this last year. Her direct-booking process ran via the in-house payment function of the booking system — convenient, but expensive and with limited payment methods. With the switch to an external provider she saved 1.2 percent in fees per booking, gained Apple Pay, EPS, and Klarna as additional methods, and no longer needed to see or manage any card information herself. The switch cost two half-days and has been paying off since the first month.
PCI-DSS and the card-data question
PCI-DSS sounds like bureaucracy and is the central rule for paying by card. The standard — Payment Card Industry Data Security Standard — defines which technical and organisational measures everyone who comes into contact with card data must meet.
For SMEs in practice that means: anyone who does not see card data themselves and does not process it themselves falls into a low PCI tier that is handled with a simple self-assessment. Anyone who loads card data even briefly onto their own server — for instance via a self-built form — falls into a considerably higher tier with annual audits, technical minimum requirements, and liability risks in the event of data incidents.
The consequence: every reputable payment provider works with "hosted payment pages" or iframe-based input fields. You either redirect the customer to the provider for card entry (you never see the data), or you embed a provider-hosted form whose fields stand on your page but technically send directly to the provider. In both cases you remain PCI-compliant with minimal effort.
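To make the distinction above checkable, the following Python check is an added example (not code from this article or from any payment provider). It scans a checkout page's HTML and reports whether card fields are rendered in the shop's own markup or only inside a frame served from another host. The host names `shop.example` and `pay.provider.example`, the name hints, and both sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Standard HTML autocomplete tokens for payment-card fields.
CARD_TOKENS = {"cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"}
# Assumption: common name/id fragments, a heuristic and not exhaustive.
CARD_HINTS = ("cardnumber", "card_number", "card-number", "ccnum", "cvv", "cvc")

class CheckoutScan(HTMLParser):
    """Records card inputs in the shop's own markup and iframes from other hosts."""
    def __init__(self, shop_host):
        super().__init__()
        self.shop_host = shop_host
        self.card_inputs = []
        self.provider_frames = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            tokens = set(a.get("autocomplete", "").lower().split())
            ident = f'{a.get("name", "")} {a.get("id", "")}'.lower()
            if tokens & CARD_TOKENS or any(h in ident for h in CARD_HINTS):
                self.card_inputs.append(a.get("name") or a.get("id") or "<unnamed>")
        elif tag == "iframe":
            host = urlparse(a.get("src", "")).hostname
            if host and host != self.shop_host:
                self.provider_frames.append(host)

def scan_checkout(html, shop_host):
    """Return which card fields sit in the shop's own page and which hosts are framed."""
    scan = CheckoutScan(shop_host)
    scan.feed(html)
    scan.close()
    return {"card_inputs_in_own_page": scan.card_inputs,
            "provider_frames": scan.provider_frames,
            "card_data_in_shop_page": bool(scan.card_inputs)}

# Constructed sample pages (hypothetical hosts shop.example / pay.provider.example).
SELF_BUILT = """<form action="/checkout/pay" method="post">
  <input name="cardnumber" autocomplete="cc-number">
  <input name="exp" autocomplete="cc-exp">
  <input name="cvc" autocomplete="cc-csc">
</form>"""
HOSTED = """<form action="/checkout/confirm" method="post">
  <input name="email" autocomplete="email">
  <iframe src="https://pay.provider.example/fields"></iframe>
</form>"""

if __name__ == "__main__":
    for label, page in (("self-built", SELF_BUILT), ("hosted fields", HOSTED)):
        print(label, scan_checkout(page, "shop.example"))
```

A field found in the shop's own page counts even when its form posts elsewhere, because scripts running on that page can read what the customer types.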
Platform payment versus external provider — the two routes
When you set up an online shop or booking system, you have essentially two routes to connect the payment.
The first route is the platform-owned payment function. Many website-builder providers and shop systems bring their own payment module that is activated with a click. Advantage: minimal setup, everything from one source, one invoice. Disadvantage: the platform provider sits between you and your money, with its own margin on fees, its own payout terms, and usually a limited choice of payment methods.
The second route is an external payment service. Stripe, Mollie, Adyen, PayPal, Klarna — every one of these providers specialises in the payment interface and integrates via prefabricated plugins into practically every shop and booking system. Advantage: often lower fees, more payment methods, separate terms, direct payout to your account. Disadvantage: two contracts instead of one, somewhat more setup effort, somewhat more bookkeeping.
For most SMEs with serious sales intentions, the external provider pays off from the second or third month. The platform-owned payment function is the right choice when the shop is a side project and annual turnover stays below five figures.
Fee models honestly compared
Most comparison tables on the net compare apples to oranges. An honest overview separates four items, each of which enters the total price separately.
First, the transaction fee. Common ranges for European providers in 2026: 1.5 to 2.9 percent of turnover plus 0.25 to 0.35 euros fixed fee per transaction. Cards from outside the EEA usually cost considerably more (3.5 to 4.5 percent); Apple Pay and Google Pay sit in the range of the card fees of the underlying method[1].
Second, method-specific surcharges. Klarna instalments cost differently from Klarna instant payment. PayPal has a different table than Stripe. EPS, instant transfer, and SEPA direct debit are often cheaper than cards because they technically take different routes.
Third, monthly or annual fixed costs. Some providers charge a minimum monthly fee (Adyen from a certain contract tier), others work purely transaction-based (Stripe, Mollie, PayPal). At small volumes transaction-based is cheaper; from five-figure monthly volumes, volume tariffs are often worthwhile.
Fourth, payout modalities. Stripe pays out daily by default, PayPal funds are immediately available in the PayPal account, and Klarna pays out with longer hold cycles. If you need liquidity, look here at least as carefully as at the percentage.
For a realistic total calculation, add the transaction fee plus fixed fee for your typical basket and multiply by the expected number of transactions. Anyone not running these numbers is comparing marketing promises.
Which payment methods Austrian customers actually expect
A pure credit-card route deters some buyers in Austria. National expectations differ from those in the major markets.
Three methods are practically mandatory in Austria if an online shop is to convert well.
EPS transfer — the online banking instant transfer of Austrian banks. Low fee for the merchant (typically a fixed 0.90 to 1.90 euros), high trust effect with the customer. If you have a relevant share of domestic buyers, you do not leave EPS out.
PayPal — even though the fees are not the lowest, PayPal is the most common fallback in Austria: "if I do not have anything else, then this". Studies have for years shown significantly higher abandonment rates in shops that do not offer PayPal as an option.
Klarna or similar buy-now-pay-later methods. On baskets above 80 euros the option of paying in instalments or only after receipt noticeably reduces the purchase abandonment rate. Klarna carries the risk assessment itself; you receive your money independently of whether the customer later pays.
Cards (Visa, Mastercard, Amex) are obvious. Apple Pay and Google Pay as convenience methods boost mobile conversion and take little additional technical effort. Both run via the stored card or bank account.
For an average Austrian SME shop strategy, a combination of cards, PayPal, EPS, and Klarna is enough in most cases. If you deliver across the DACH region, you add Sofortüberweisung (for Germany) and possibly Twint (for Switzerland).
Contract, payout, chargebacks — the items next to the fee
These items do not appear in the advertising flyer, but they are in the contract.
Payout hold times. Stripe often holds back the first payouts for new accounts for seven to thirty days, until a risk profile has settled in. With some methods, Klarna pays out with delays of two to three weeks. If you start with thin liquidity, plan for that.
Reserve balances. Some providers retain a percentage share of payouts as a security against possible chargebacks — typically 10 percent, released after 90 days. At high turnover these reserves tie up not inconsiderable funds.
Chargeback fees. If a customer successfully disputes a card payment, that costs you not only the original amount but also a processing fee of typically 15 to 25 euros — even if the chargeback was unjustified. If you work in an industry with a high chargeback rate (travel, high-priced consumer goods), you quickly get higher total fees.
Contract duration and termination. Pure online providers (Stripe, Mollie, PayPal) work without fixed terms, terminable monthly. Older acquirer models often have contract terms of 12 or 24 months, with penalties for early termination. Read before you sign — not only when you want to switch.
GDPR with payment service providers — what you need to know
Every payment provider is a processor under the GDPR. You need a data processing agreement (DPA) with each, which the payment provider must provide to you. With the major international providers (Stripe, PayPal), that is a standardised online agreement you accept during onboarding.
Where it gets specific: some large US providers transfer data to the US. Since the EU–US Data Privacy Framework, there is a legally tenable basis for this again, but the configuration must be documented on your side appropriately. In the data-protection declaration of your site, every payment provider belongs in its own section with processing purpose and recipient country.
European providers (Mollie from the Netherlands, Klarna from Sweden, some smaller DACH providers) solve the third-country discussion more easily. For sites with high GDPR sensitivity — sites in industries such as law, consultancy, therapy — that can be a selection criterion in itself.
What applies regardless of provider: payment security is part of your overall website security, and the two topics are more closely connected than they seem in everyday life. If the fundamentals of website security are not in place, even the most secure payment provider helps little.
When platform payment is enough and when an external provider is better
Three setups in which platform payment is the calmer choice.
First, when you have very low turnover (under 5,000 euros per year in the shop) and the administrative overhead of an external contract is not proportional. Here you pay somewhat higher fees for considerably lower setup effort.
Second, when your booking or shop system has a very tight integration with a particular payment provider, and breaking that integration would be expensive. With some industry-specific systems (for example for hospitality or event organisers) the platform-owned payment is deeply intertwined and a switch needs external knowledge.
Third, when you need absolute simplicity in bookkeeping and tax reporting and actively want to avoid an additional data source.
In all other cases, the external provider pays off. Lower fees, more payment methods, direct payout, no platform-provider margin on your money. With hotels at five-figure monthly direct bookings, with shops from 10,000 euros annual turnover, with consultancy or course providers with single tickets over 50 euros — everywhere here the external provider is measurably cheaper and more flexible.
How to avoid being locked into an expensive option
Lock-in rarely arises from bad intent and usually from missing caution. Three points to check before choosing a provider.
First, data portability. In an emergency, will you get an export file with all customer data, transaction histories, and payout histories? With the major providers (Stripe, Mollie) that is standard; with smaller platforms it is not a given.
Second, recurring logic. If you use subscriptions or recurring payments, the card tokens are held by the provider. When switching to another provider, you would in many cases have to ask customers for their card data again, with measurable abandonment rates. Stripe and Mollie offer data portability for tokens, other providers do not.
Third, the integration depth in your shop system. Plugins that only support a single provider create lock-in. Anyone betting on plugin ecosystems that allow several providers in parallel keeps the choice open. WooCommerce, Shopify, and similar usually support the major four to six providers without additional development.
What really matters in provider selection
An honest priorities list for most SME setups.
Security is the foundation but no longer a differentiator. All reputable providers are PCI-compliant, all work with modern encryption standards. Anyone who does not keep up here would long since be off the market.
The actual selection criterion is the combination of payment methods, total fees over your typical basket, and payout speed. These three together determine whether your online sales at the end of the month earn what you expected — or a noticeably smaller slice that seeps away between provider margin and hidden items.
Andrea made her decision after three comparison calculations: typical basket per booking, monthly mix of 60 percent card and 40 percent other methods, average payout frequency. She chose Stripe — not because it was the cheapest, but because it was the most transparent. Every fee was shown in advance in the dashboard, every payout came on the promised date, every support question was answered cleanly within days. This transparency is the underestimated value of a payment provider.
Frequently Asked Questions
Which payment provider is most secure for my online shop?
All PCI-DSS-compliant providers (Stripe, Mollie, PayPal, Klarna, Adyen, major platform payments) meet comparably high security standards. Security depends less on the provider than on whether you process card data correctly only through provider-hosted forms or redirects. Anyone seeing or storing card data themselves has a problem regardless of provider.
What does a typical payment process cost in Austria in 2026?
Realistic ranges: 1.5 to 2.9 percent of turnover plus 0.25 to 0.35 euros fixed fee per transaction. Cards from outside the EU cost 3.5 to 4.5 percent. EPS, SEPA, and Sofortüberweisung are often cheaper (0.90 to 1.90 euros fixed, depending on provider). Klarna and similar "pay later" methods sit at the upper end of the scale (2.99 to 3.5 percent).
Which payment methods does an online shop in Austria need at minimum?
Cards (Visa, Mastercard), PayPal, and EPS online transfer cover the most common expectations. Klarna or a similar "pay later" method noticeably boosts conversion at higher baskets. Apple Pay and Google Pay are technically easy to add and improve the mobile payment rate.
Is my shop's platform-owned payment function enough?
At very low turnover (under 5,000 euros annual shop turnover) the platform-owned function is often the simpler variant. From five-figure annual turnover or with regular bookings, an external provider pays off measurably — through lower fees, more payment methods, and direct payout without platform-provider margin.
Do I have to mention card data in the GDPR data-protection declaration?
Yes, every payment provider is a processor and belongs in your data-protection declaration with processing purpose, recipient country, and legal basis. With US providers, add the note on the EU–US Data Privacy Framework. Most providers supply standard texts you can adopt or adapt.
How quickly do I get my money paid out by the payment provider?
With Stripe and Mollie, payouts are daily by default, though new accounts have an initial hold period of 7 to 30 days. PayPal holds the money in the PayPal account; from there you transfer it to your bank account (1 to 3 business days). Depending on the method, Klarna pays out with delays of two to three weeks. If you need liquidity, choose a provider with daily payout.
What to check today
Calculate the total price of your current payment setup once: take the typical basket, apply the percentage fee, add the fixed fee, and compare with the same calculation for an external provider. If the difference is greater than two half-days of setup effort, you have the answer. For the wider picture, the overview of what a website costs in Austria ties payment fees together with maintenance, hosting, and follow-up items.