PAY-GWPayments

Third-Party Payment Gateway Outage

External payment processor (e.g. Stripe, Adyen, Worldline) returns 5xx or is completely unreachable, blocking all card-present and card-not-present transactions for the financial entity's customers.

Root Cause & Remediation

Third-party provider incident (infrastructure failure, DDoS, or bad deployment on the PSP side). The financial entity has no direct control. Incidents may compound with the entity's own retry storms causing secondary rate-limiting.

Remediation steps

1Immediately switch to the failover PSP if one is configured in the payment orchestration layer.
2Display a user-facing maintenance notice to reduce support volume.
3Monitor the PSP's public status page and establish a direct bridge call with their enterprise support line.
4Document the detection timestamp and PSP incident reference — this is your DORA reporting clock start.
5Once resolved, run reconciliation jobs to identify any transactions in an ambiguous or pending state.

DORA Risk Matrix

Typical classification

MAJOR INCIDENT

Likelihood: Medium
Blast radius: 100% of payment-dependent user journeys are blocked. May affect multiple EU member states simultaneously if the PSP operates cross-border.
CIF impact: Payment initiation and card processing — almost always a Critical or Important Function (CIF). Triggers economic loss threshold rapidly.
Analyst notes: Under DORA Art. 18, third-party ICT incidents are reportable when they cause a major incident for the financial entity itself. Over 30% of major ICT incidents reported to ESAs in 2025 involved third-party providers. The 4-hour clock starts when *your* team classifies the impact — not when the PSP acknowledges it.

Ready to classify this incident?

Use the DoraPulse Triage Calculator to instantly determine if this event breaches DORA materiality thresholds and generate a ready-to-file regulatory draft for your internal compliance team.

Open Triage Calculator — Pre-filled for Third-Party Payment Gateway Outage