So your client has added products or services to their cart, entered their shipping details and selected to pay by credit card. We know that, at the very least, we are going to have to send an order number and an amount. Most interfaces require much more than that. In fact, the more information you can send, the better the processing gateway can determine mismatches and detect fraud.
How is the data sent? Usually with a simple POST to an HTTPS page on the payment gateway’s server. Without any authentication, this is open to abuse. A cunning person could easily alter the amount POSTed, which might result in underpayment. To avoid this abuse, the data is usually encoded (note, not encrypted) with something specific to the payment gateway interface. Some payment gateway interfaces require a separate call (think of a cURL invocation from your server) to return an order-specific page (i.e. one with GET variables specific to the order) that the customer is then redirected to. This isn’t really any different, but it does give the processor a bit more information about absent payments.
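One common way to make the POSTed order tamper-evident, shown here as an added example that is not from the original post or from any particular gateway: the merchant server signs the order fields with a shared secret (HMAC-SHA256) and the gateway recomputes the signature over what it receives. The field names, the secret and the canonical string layout are assumptions; each gateway specifies its own scheme.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample secret; a real one is issued by the gateway and never
# leaves the merchant's server (it must not appear in the HTML form).
MERCHANT_SECRET = b"example-shared-secret"

# Hypothetical field names; every gateway defines its own set and order.
SIGNED_FIELDS = ("merchant_id", "order_id", "amount", "currency")


def canonical_string(fields: dict) -> bytes:
    """Join the signed fields in a fixed order so both sides hash identical bytes."""
    return urlencode([(name, fields[name]) for name in SIGNED_FIELDS]).encode("utf-8")


def sign_order(fields: dict, secret: bytes = MERCHANT_SECRET) -> dict:
    """Merchant side: return the POST fields plus a hex HMAC-SHA256 signature."""
    signature = hmac.new(secret, canonical_string(fields), hashlib.sha256).hexdigest()
    return {**fields, "signature": signature}


def verify_order(posted: dict, secret: bytes = MERCHANT_SECRET) -> bool:
    """Gateway side: recompute the signature over the values that actually arrived."""
    if "signature" not in posted or any(name not in posted for name in SIGNED_FIELDS):
        return False
    expected = hmac.new(secret, canonical_string(posted), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), str(posted["signature"]).encode())


if __name__ == "__main__":
    # Constructed sample order.
    order = {"merchant_id": "M-1001", "order_id": "ORD-42",
             "amount": "149.99", "currency": "USD"}
    form = sign_order(order)
    print("untouched form accepted:", verify_order(form))
    edited = {**form, "amount": "1.49"}  # amount changed after signing
    print("edited amount accepted: ", verify_order(edited))
```

The signature only proves the fields were not changed after the merchant server produced them; the values are still readable by the customer, which matches the "encoded, not encrypted" distinction above.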
Once the customer has landed on the credit card payment page, the system needs to wait for a result. This can come in one of two ways, which is the subject for tomorrow.