"Just add bKash to the website" sounds like a one-line request, but it is one of the most consequential technical decisions an e-commerce project makes. Get it right and checkout feels instant and trustworthy. Get it wrong and you end up with silent failed transactions, angry customers who paid but never got an order confirmation, and reconciliation headaches every single day.
This guide walks through the real options for payment gateway integration in Bangladesh — direct mobile financial services APIs, aggregator gateways, and cash on delivery — with honest trade-offs for each, plus the security and reconciliation basics that separate a reliable checkout from a fragile one.
The core decision: integrate directly with bKash and Nagad for lower fees and full control, or go through an aggregator like SSLCommerz for a single integration that covers multiple payment methods at once.
The Three Ways to Accept Online Payments in Bangladesh
Direct MFS Merchant API
Integrating directly with bKash or Nagad's merchant API gives full control over the checkout experience and typically the most favorable transaction fees, in exchange for a separate application, approval, and integration process per provider.
Aggregator Gateways
Services like SSLCommerz, ShurjoPay, and AamarPay integrate once and expose multiple mobile financial services and card payment options behind a single API, trading a slightly higher per-transaction fee for significantly faster setup.
Cash on Delivery as a Fallback
Even stores with a fully working online payment option should keep COD available for most product categories — as covered in our e-commerce startup guide, removing it entirely tends to cost more in lost conversions than it saves in delivery-refusal risk.
Comparing the Three Approaches
| Method | Setup | Fees | Control | Best For |
|---|---|---|---|---|
| Direct MFS API (bKash/Nagad) | Moderate — separate merchant approval + API integration per provider | Lowest, but varies by negotiated merchant agreement | Full control over checkout flow and branding | Higher-volume stores that can justify separate integrations |
| Aggregator gateway (SSLCommerz, etc.) | Fast — one integration covers multiple payment methods | Slightly higher per-transaction fee for the convenience | Checkout page often hosted by the aggregator | New or smaller stores that want speed to launch |
| Cash on Delivery only | Instant — no integration required | No gateway fee, but higher return/refusal risk | Full control, zero technical dependency | Early-stage stores validating demand before adding online payment |
What Approval Actually Involves
bKash Merchant Account
Applying requires business registration documents and a bank account in the business's name. Depending on the integration type — a hosted checkout page versus a fully tokenized, embedded flow — the technical approval process and testing period varies, so confirming which integration type a developer is quoting for matters before committing to a timeline.
Nagad Merchant Account
Nagad's process follows a broadly similar shape to bKash's — documentation, approval, sandbox testing, then production access — with its own separate developer portal and fee schedule that should be confirmed directly with Nagad rather than assumed to match bKash's.
Security & Compliance Basics
Never Store Card Data Yourself
Card numbers should only ever pass through a PCI-DSS compliant gateway's own hosted page or tokenization flow — never touch or log them on your own servers.
Verify Webhooks, Don't Trust the Redirect Alone
A successful redirect back to your site is not proof of payment. Every transaction should be confirmed server-side via the gateway's verification API or a signed webhook before marking an order as paid.
Always Test in Sandbox First
Every gateway provides a sandbox environment specifically so failure states — declined payments, timeouts, partial refunds — can be tested before real money and real customers are involved.
Force HTTPS Everywhere
Payment pages, callback URLs, and any page handling transaction data must run over HTTPS without exception — most gateways will refuse to connect to a non-HTTPS callback URL anyway.
Common Integration Mistakes
- Only testing the "happy path" where payment always succeeds, and never simulating declines, timeouts, or a customer closing the app mid-payment.
- Relying solely on a browser redirect to confirm payment instead of verifying server-side, which breaks the moment a customer closes their browser before the redirect completes.
- No retry or alerting logic when a webhook fails to arrive, leaving a paid order stuck in "pending" indefinitely with nobody notified.
- Skipping daily reconciliation between gateway settlement reports and internal order records, so mismatches accumulate silently for weeks.
Frequently Asked Questions
Should a new e-commerce business start with a direct bKash integration or an aggregator like SSLCommerz?
Most new stores start with an aggregator because it bundles several payment methods behind one integration and gets a store accepting payments faster. Direct API integration usually makes sense once volume is high enough that the slightly lower aggregator fees add up to a meaningful difference.
Is cash on delivery still necessary if I accept online payments?
For most product categories in Bangladesh, yes. A large share of customers still prefer to pay on delivery, and removing COD entirely tends to reduce conversion rate more than it saves in payment failure or fraud handling.
What happens if a customer's payment succeeds on bKash but the order fails to save on my site?
This is exactly why webhook verification and a reconciliation process matter — a transaction ID from the gateway needs to be checked against your own order records regularly, so a payment that succeeded but did not create an order gets caught and resolved instead of silently lost.
Do I need a merchant account before I can integrate bKash or Nagad?
Yes. Both require a registered merchant account with the respective provider before any API access is granted, and approval can take from a few days to a few weeks depending on documentation completeness.
Is it safe to store customer card numbers on my own server?
No — this should never be done. Card details should only ever pass through a PCI-DSS compliant gateway's hosted checkout page or tokenization system, never touch or get stored on your own servers.
A Reliable Checkout Is Worth the Extra Care
The technical difference between a payment integration that quietly loses orders and one that doesn't usually comes down to a handful of decisions made in the first week: proper webhook verification, sandbox testing of failure states, and a reconciliation habit from day one. None of it is exotic — it just has to actually be done.
Building or fixing a checkout flow? BengalTech Solutions builds e-commerce websites with proper bKash, Nagad, and gateway integration from day one. Tell us about your store.