ArchitectureDiagram.ai logoArchitectureDiagram.ai
Back to blog

Payment Systems Architecture: PCI-DSS Compliance, Gateway Flows & Fraud Prevention (2026)

A complete guide to payment systems architecture diagrams — covering payment gateway flows, PCI-DSS scope boundaries, 3D Secure, tokenization, fraud detection, and chargeback handling. With AI prompt templates.

R
Ryan·Senior AI Engineer
·

Payment systems are among the most architecturally complex components in any product — they touch compliance, fraud, external APIs, async reconciliation, and real-money error handling all at once. A single missed architectural decision can result in PCI-DSS scope creep, failed chargebacks, or silent double-charges that destroy customer trust overnight.

This guide breaks down payment systems architecture into its five essential layers, explains the PCI-DSS scope boundaries you must enforce at the architecture level, and provides ready-to-use AI prompt templates so you can generate accurate payment architecture diagrams in seconds.

The five layers of a payment systems architecture

1. Payment entry (the cardholder data environment boundary)

The most important architectural decision you will make is where card data enters your system. Under PCI-DSS v4.0, any component that stores, processes, or transmits cardholder data (PAN, CVV, expiry) falls inside the Cardholder Data Environment (CDE) and is subject to the full control set of roughly 300 requirements.

The dominant pattern in 2026 is client-side tokenization: a JavaScript SDK from your payment provider (Stripe Elements, Braintree Drop-in UI, Adyen Web Components) renders an iframe that is served from the provider's domain. The customer enters card details directly into the iframe — your servers never see raw PAN data, and your CDE scope shrinks dramatically. In your architecture diagram, draw a hard boundary around everything that receives a token rather than raw card data and label it Out of PCI scope. The iframe itself is In scope (PSP-managed CDE).

2. Payment gateway and processor layer

After tokenization, your backend sends the token (not the card number) to your payment gateway — the API that translates payment intents into instructions for the card networks. The gateway layer has several subcomponents worth showing in your diagram:

  • Payment Intent / Order: Your backend creates a payment intent with amount, currency, customer ID, and metadata before any card entry occurs. This object is the source of truth for the transaction.
  • 3D Secure (3DS2) flow: For SCA-regulated markets (EU PSD2, UK FCA), the gateway triggers a 3DS2 challenge: the card issuer authenticates the customer via their banking app or a one-time code. Show this as a conditional branch in your diagram — high-risk transactions route through the issuer authentication step before the charge is attempted.
  • Authorization vs. capture: Most e-commerce flows separate authorization (reserving funds) from capture (settling them). For shipped goods, capture typically fires at fulfillment. Show this as two distinct async events in your diagram.
  • Retry and fallback routing: Enterprise payment stacks route declined transactions to a secondary processor before returning a failure to the customer. Show the routing logic with labeled branches: primary processor, secondary processor, and decline path.

3. Fraud detection layer

Fraud detection runs synchronously in the authorization path — typically as a pre-authorization gate that scores the transaction before submitting it to the network. The two main approaches are:

  • PSP-native fraud tools: Stripe Radar, Adyen RevenueProtect, and Braintree Kount are ML-based fraud engines built into the payment gateway. They apply device fingerprinting, velocity rules, and network intelligence without requiring additional infrastructure. In your diagram, show the fraud score as an output of the gateway before the authorization attempt.
  • Custom fraud pipeline: Larger merchants add a standalone fraud layer (Sift, Signifyd, Forter, or custom ML) that receives the pre-payment event, applies rules (device fingerprint match, shipping-to-billing mismatch, velocity limits, IP geolocation), and returns an ALLOW / REVIEW / BLOCK decision. Show this as a separate service with input from your session data store and output flowing to the payment gateway.

In your diagram, annotate the fraud layer with its decision outputs and the latency budget (pre-auth fraud checks must complete in under 200 ms to avoid increasing checkout latency).

4. Webhook and reconciliation layer

Payment outcomes are delivered asynchronously. After a charge attempt, your gateway fires webhooks for events like payment_intent.succeeded, payment_intent.payment_failed, and charge.dispute.created. Your architecture diagram must show:

  • The webhook receiver endpoint — a dedicated API route that verifies the gateway's HMAC signature before processing.
  • A message queue (SQS, Pub/Sub) that decouples receipt from processing, ensuring webhook delivery doesn't block.
  • The idempotency layer — a database table or Redis key storing processed event IDs to prevent double-processing on retried webhooks.
  • The order fulfillment trigger — the downstream event that fires when payment is confirmed (ship order, provision license, unlock feature).
  • The reconciliation job — a scheduled process (nightly or hourly) that compares your internal payment records against the gateway's settlement report to catch discrepancies.

5. Chargeback and refund handling

Chargebacks are initiated by the cardholder's issuing bank and delivered to your merchant account via a webhook. Your diagram should show the chargeback lifecycle: dispute created → evidence collection window (7–21 days depending on card network) → evidence submission → outcome (merchant wins or loses). Show the internal workflow: who is notified (ops team alert), what data is assembled (order record, delivery confirmation, fraud score), and where the evidence response is constructed (manual via dashboard, or automated via a dispute management service like Chargebacks911 or Stripe's built-in evidence API).

PCI-DSS scope diagram: what to annotate

A PCI-DSS scope diagram is a specialized architecture diagram that identifies which systems are in-scope for PCI requirements. It must show:

ComponentPCI ScopeNotes
Payment provider iframe (Stripe Elements)PSP-managed CDEYour SAQ A applies
Frontend application serverIn-scope (connected)Must pass annual ASV scan
Backend API (handles tokens only)Reduced scopeTokens are not cardholder data
Order database (stores token + last 4)Reduced scopeLast 4 digits are allowed
Logging pipelineIn-scope if logs contain PANMask all card numbers in logs
Analytics and data warehouseOut of scopeNever route raw PAN here

Prompt templates for payment architecture diagrams

Standard SaaS checkout flow

"Payment architecture for a B2B SaaS product using Stripe. Frontend (Next.js) renders a Stripe Elements iframe — card data never touches our servers. On submit, the frontend calls our API Gateway with a Stripe PaymentMethod ID and plan selection. Our API (Node.js on AWS Lambda) creates a Stripe Subscription, attaches the customer and payment method, and returns a client secret for 3DS2 confirmation if required. On success, Stripe fires a webhook to our /api/webhooks/stripe endpoint. The webhook receiver verifies the Stripe signature, writes the event ID to a Redis deduplication store, enqueues the event to SQS, and returns 200. An SQS consumer Lambda processes the event: activates the subscription in our PostgreSQL database, fires a Resend email confirmation, and triggers a Segment track event. Show the PCI-DSS boundary: the Stripe iframe is inside Stripe's CDE; our Lambda and PostgreSQL are outside PCI scope because we only handle tokens. Draw the 3DS2 conditional path as a dashed branch. Show the idempotency check against Redis."

Marketplace split-payment architecture

"Marketplace payment architecture with Stripe Connect. A buyer pays on our platform (Stripe Payment Intent with application_fee_amount). Stripe routes the payment to the seller's connected Stripe account and deducts our platform fee automatically. Our backend (Python/FastAPI on ECS) receives the charge.succeeded webhook, records the split (buyer amount, seller amount, platform fee) in our PostgreSQL ledger table with idempotency on the Stripe event ID. For refunds: our refund API calls Stripe to reverse the charge — the platform fee is refunded first, then the seller payout is reversed. Show all Stripe account types: our platform account, seller connected accounts (Express model). Annotate the fee split percentages on the payment flow arrows. Show the nightly reconciliation job that compares our ledger against Stripe's Transfer report via the Stripe API."

High-volume fraud detection pipeline

"Payment fraud detection architecture. Pre-authorization: when a user clicks 'Pay', our frontend sends device fingerprint (Sift.js SDK) and session data to our Risk API (Go microservice on Cloud Run). The Risk API calls Sift Science with device fingerprint, user ID, email, shipping address, and cart value. Sift returns a risk score (0-100). Scores above 75 are blocked; scores 50-75 trigger a soft decline with a 3DS2 hard challenge; below 50 proceed directly. The Risk API response (decision + score) is attached to the payment intent metadata before submission to Stripe. Post-payment: Stripe fires charge.succeeded and charge.dispute.created webhooks. Disputes trigger our chargeback automation: pull order details, shipping confirmation, fraud score, and device fingerprint from our database; submit evidence to Stripe via API within 6 hours. Show the latency budget annotation: the entire pre-authorization fraud check must complete under 300 ms."

Common payment architecture mistakes

  • Logging raw card data: Application logs often capture full request bodies during debugging. Any log line that includes a PAN puts your logging pipeline in PCI scope. Implement log scrubbing at the application layer and enforce it with automated scanning in your CI pipeline.
  • No webhook idempotency: Payment gateways retry webhooks when your endpoint returns a non-200 or times out. Without idempotency keys, a retry can fulfill an order twice or charge a customer twice. Store processed event IDs in Redis or a database before processing.
  • Mixing payment and analytics data: Streaming payment events to your analytics data warehouse without redacting the card token and customer PII pulls those systems into compliance scope. Apply a transformation layer before any payment data reaches analytics.
  • Missing the authorization/capture split: For physical goods, charging at order creation and capturing at shipment requires explicit capture calls. Failing to model this in your architecture means charges are auto-captured (immediately settled) even when fulfillment fails.
  • Synchronous chargeback handling: Chargeback disputes have hard deadlines (7–21 days). Without an automated alert when charge.dispute.created fires, your team may miss the evidence submission window, resulting in an automatic loss and a fee.

Frequently asked questions

What is a payment systems architecture diagram?

A payment systems architecture diagram visualizes every component involved in accepting and processing a payment: the checkout UI, payment gateway integration, fraud detection, order fulfillment trigger, webhook processing, and reconciliation pipeline. It annotates PCI-DSS scope boundaries, data flows (what card data or tokens flow where), and the async vs. synchronous boundaries between components. These diagrams are required for PCI-DSS compliance assessments, vendor security questionnaires, and engineering design reviews.

How do I reduce PCI-DSS scope in my architecture?

The most effective PCI scope reduction technique is client-side tokenization: render a payment provider's iframe (Stripe Elements, Braintree Drop-in UI, Adyen Web Components) so that card data never reaches your servers. Your backend handles only a token — a reference ID that the provider maps to the card internally. With this architecture, most merchants qualify for SAQ A, the simplest PCI self-assessment questionnaire. Additional scope reduction: never log payment tokens in plaintext, avoid storing CVV at any point (it cannot be stored even post-authorization under PCI), and ensure your analytics pipeline receives masked data only.

What is the difference between a payment gateway and a payment processor?

A payment gateway is the API layer that accepts payment instructions from your application and routes them to the appropriate card network and issuing bank. A payment processor is the institution that handles the settlement of funds between the acquiring bank (your bank) and the issuing bank (the customer's bank). In modern SaaS stacks, tools like Stripe and Adyen bundle both functions — they act as gateway, processor, and acquiring bank under one API. In enterprise or high-volume setups, these roles are often separated: a gateway like Spreedly or Checkout.com routes to multiple processors for redundancy and cost optimization.

What tool should I use to diagram payment system architecture?

ArchitectureDiagram.ai generates payment system architecture diagrams from natural language descriptions. Describe your payment gateway integration, PCI-DSS scope boundaries, fraud detection pipeline, and webhook handling and the AI produces a professional architecture diagram exportable as Mermaid, draw.io XML, or an image. The prompt templates above are ready to paste directly into the tool.

Related guides: Fintech architecture diagrams, SOC 2 architecture diagrams, E-commerce architecture diagrams, and zero trust architecture diagrams.

Ready to try it yourself?

Start Creating - Free