Referrals from banks and payment intermediaries in Google Analytics - solution

Payment gateway referrals breaking attribution in Google Analytics is one of the oldest e-commerce tracking bugs — and one that never went away through the UA → GA4 migration. When a customer is redirected through a bank's 3D Secure page or a payment intermediary (Przelewy24, PayU, Stripe Checkout, BLIK), GA4 starts a new session on return, attributing the transaction to the gateway instead of your real traffic source. This guide explains the 2026 GA4 fix.

Why the problem happens

Each external redirect breaks the session in GA4 because:

  • Cross-domain navigation triggers a new GA4 session by default
  • No referrer tag means the source becomes (direct) / (none) — or worse, the bank's domain
  • 3DS + BLIK + redirect-based wallets all introduce the same pattern
  • Result: revenue gets attributed to "online.mbank.pl" instead of Google Ads, organic, or Meta

GA4 solution: Unwanted Referrals

GA4 replaced Universal Analytics' "Referral Exclusions List" with "List unwanted referrals" — same concept, different UI. Configuration steps:

  1. Admin → Data Streams → click your web stream
  2. Configure tag settings → Show all → List unwanted referrals
  3. Add condition → Referral domain contains or Referral domain matches regex
  4. Enter each gateway domain (one per row or use regex)
  5. Save — GA4 applies the rule to future traffic only (no historical recompute)

This list is curated from Polish + international payment infrastructure. Adapt to your stack — a domain you don't actually use should not be on your list (false positives can mask real referral problems).

Polish payment intermediaries

  • secure.przelewy24.pl
  • go.przelewy24.pl
  • secure.payu.com
  • paypo.pl
  • tpay.com
  • secure.tpay.com
  • paynow.pl
  • imoje.pl
  • blue-media.pl
  • pay.autopay.com

Polish banks (BLIK + 3DS flow)

  • online.mbank.pl
  • m.mbank.pl
  • 3dsecure.mbank.pl
  • login.ingbank.pl
  • online.santander.pl
  • ipko.pl
  • pekao24.pl
  • system.aliorbank.pl
  • bankmillennium.pl
  • ca24.credit-agricole.pl
  • login.nestbank.pl
  • e-bank.credit-agricole.pl
  • cloud.ideabank.pl
  • bosbank24.pl

Global payment processors

  • checkout.stripe.com
  • www.paypal.com
  • connect.klarna.com
  • pay.amazon.com
  • checkout.shopify.com
  • pay.google.com
  • applepay.apple.com

One catch-all regex example

If you prefer regex over an explicit list:

^(.*\.)?(przelewy24|payu|tpay|paynow|imoje|stripe|paypal|klarna)\.(com|pl)$
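Before saving a regex rule, it helps to see exactly which of the listed gateway domains it covers and whether it matches anything it should not. The JavaScript check below is an added example, not part of the original article; the hosts in MUST_NOT_MATCH are constructed for illustration, and the LISTED array is a subset of the domain lists above.

```javascript
// Added example: audit the catch-all regex against this page's own domain lists.
const CATCH_ALL =
  /^(.*\.)?(przelewy24|payu|tpay|paynow|imoje|stripe|paypal|klarna)\.(com|pl)$/;

// Gateway domains copied from the lists on this page (subset).
const LISTED = [
  "secure.przelewy24.pl", "go.przelewy24.pl", "secure.payu.com", "paypo.pl",
  "tpay.com", "secure.tpay.com", "paynow.pl", "imoje.pl", "blue-media.pl",
  "pay.autopay.com", "online.mbank.pl", "3dsecure.mbank.pl",
  "checkout.stripe.com", "www.paypal.com", "connect.klarna.com",
  "pay.amazon.com", "checkout.shopify.com",
];

// Constructed hosts (not from the page) that the rule should leave alone.
const MUST_NOT_MATCH = [
  "payu.com.example.net", // gateway name used as a label under another domain
  "notpayu.com",          // gateway name embedded in a longer label
  "partner-blog.example", // unrelated referrer
  "stripe.pl",            // name x TLD combination absent from the page's lists
];

// Normalise case and a trailing dot so the audit compares like with like.
function normalize(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// Sort listed domains into covered/missed and flag unexpected matches.
function auditRegex(regex, listed, mustNotMatch) {
  const covered = [], missed = [], overMatched = [];
  for (const h of listed) {
    (regex.test(normalize(h)) ? covered : missed).push(h);
  }
  for (const h of mustNotMatch) {
    if (regex.test(normalize(h))) overMatched.push(h);
  }
  return { covered, missed, overMatched };
}

const report = auditRegex(CATCH_ALL, LISTED, MUST_NOT_MATCH);
console.log("covered:", report.covered);
console.log("missed (need their own rows):", report.missed);
console.log("over-matched:", report.overMatched);
```

Domains reported as missed need their own rows or an extended pattern, and an over-matched host shows that the pattern accepts every name and TLD combination, not only the domains you actually use.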

What happens when you exclude a gateway

After the rule applies:

  • Original session source is preserved through the payment redirect
  • Conversions attribute correctly to Google Ads / Meta Ads / organic / direct
  • The gateway domain never appears in your Acquisition → Traffic acquisition report
  • Important side-effect: if a customer legitimately arrives via a real link from that domain (e.g. a partner referral from paypal.com), it now shows as (direct)

UTM tagging as a safety net

For paid + email + influencer traffic, never rely on referrer detection alone. Tag every campaign URL with UTM parameters:

?utm_source=google&utm_medium=cpc&utm_campaign=pmax-shopping&utm_content=catalog_ads

This guarantees the attribution survives any referral break, including:

  • Payment gateway redirects
  • Email client redirects (l.instagram.com, outlook.office.com)
  • Mobile app browsers (Facebook, Instagram in-app)
  • iOS Mail Privacy Protection

Use Google's Campaign URL Builder or your own template.

Server-side tracking + Conversion APIs

In 2026, the best fix for attribution decay is not just referral exclusions — it's server-side conversion APIs:

  • Meta Conversions API (CAPI) — server-to-server event tracking, immune to ad blockers + iOS 14.5 ATT
  • Google Ads Enhanced Conversions — hashed first-party data sent server-side
  • GA4 Measurement Protocol — fire events directly from your backend

This combination + Unwanted Referrals = end-to-end attribution accuracy.

Common mistakes

  1. Excluding domains you don't use — pollutes the rule + adds maintenance debt
  2. Forgetting BLIK domains — Polish e-commerce specifically affected
  3. No UTM tagging for paid traffic — referral exclusions can't save you if there's no upstream signal
  4. Excluding payment domains but not the bank 3DS pages — 3dsecure.mbank.pl is a separate domain from online.mbank.pl
  5. Expecting historical recompute — GA4 applies new exclusions forward only

FAQ

Does GA4 have referral exclusions like Universal Analytics did?

Yes — the feature was renamed to "List unwanted referrals" and lives under Admin → Data Streams → Configure tag settings → Show all. The mechanism is identical: matching referrer domains are stripped from the session source, preserving the original acquisition source.

What about cross-domain tracking for my own subdomains?

Use Configure your domains (in the same tag settings panel) for first-party subdomains (shop.example.com, checkout.example.com). This is separate from unwanted referrals — cross-domain handles your own properties; unwanted referrals handles third-party redirect breakages.

Will excluding PayPal break legitimate referrals from PayPal?

Yes — that's the trade-off. If you genuinely get traffic from a PayPal link (e.g. an affiliate post mentioning you), it will appear as (direct) after exclusion. Always tag affiliate links with UTM parameters so they're never reliant on referrer detection.

Does this apply to Server-Side GTM?

Server-Side GTM doesn't fix the session-source issue by itself — that's a client-side GA4 concept. You still need the referral exclusion rule. What SSGTM does fix is ad-blocker bypass + iOS 14.5 attribution gaps through CAPI + Enhanced Conversions.

Can I use regex in the GA4 unwanted referrals list?

Yes — choose Referral domain matches regex from the dropdown. Useful when you have dozens of bank domains. Test the regex with the GA4 DebugView before saving.
