I don't know why it would redirect to someone else's cart, but from ssgumby's list, you can perform steps 7 through 12 without the visitor leaving your site through what's called silent post (or, one of the names for it.)
To throw a buzzword into the mix, the interface set up by the gateway for you to process transactions is called an API.
On 'nix systems there is a program called curl. What it does is go out and get a page, or in this case post data to a page/location, and acquire a response.
An SSL cert is required for Authorize.net, LinkPoint, NetBilling, and other processors to use curl with their API. It will be rejected and will not respond if you don't "curl" a response over SSL.
So when the customer hits submit, your programming executes a curl command to send the submitted data to the gateway, and gets a response; although other data is returned, the main thing you listen for is the response code (approved, declined, etc.) You will also use other aspects of the response to limit fraud, etc. - billing address/zip match, etc. Based on the response, you return a success response page or return to the form with an appropriate message - never telling them EXACTLY what went wrong, as this reveals info to potential hackers.
curl is supported by most languages since it's executed via the command line; I use it in Perl and PHP.
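
The flow described in the post above, as an added example that is not part of the original post: a server-side curl POST over TLS, then a mapping from the gateway's response to what the customer is shown, with the detail kept in the server log. The gateway URL, the `code|reason|avs` response layout and the code values are hypothetical placeholders, not any real processor's API.

```shell
#!/bin/sh
# Added example. URL, response layout and codes below are assumptions.
GATEWAY_URL="https://gateway.example.invalid/transact"   # placeholder endpoint

# POST an already URL-encoded body, read from stdin, to the gateway.
# The body arrives on stdin so card data never appears in the process list.
# curl verifies the server certificate by default; never add --insecure here.
# Usage: printf '%s' "$body" | gateway_post
gateway_post() {
  curl --silent --show-error --fail --max-time 30 \
       --proto '=https' --tlsv1.2 \
       --data @- "$GATEWAY_URL"
}

# Turn a response of the assumed form code|reason|avs into a decision.
# Assumed codes: 1 = approved, anything else = not approved.
# Assumed AVS flag: Y = billing address/zip matched.
classify_response() (
  IFS='|' read -r code reason avs <<EOF
$1
EOF
  # Full detail goes to the server log (stderr here), never to the browser.
  printf 'gateway: code=%s avs=%s reason=%s\n' "$code" "$avs" "$reason" >&2
  case "$code:$avs" in
    1:Y) echo accept ;;
    1:*) echo review ;;   # approved, but address check failed: hold for staff
    *)   echo reject ;;   # declined, error, empty or malformed response
  esac
)

# The only text the customer sees. Every failure gets the same wording,
# so the page does not reveal which check failed.
customer_message() {
  case "$1" in
    accept) echo "Thank you. Your payment was accepted." ;;
    review) echo "Your order was received and is pending confirmation." ;;
    *)      echo "We could not process your payment. Please check your details or try another card." ;;
  esac
}

# Constructed sample responses (not real gateway output).
for sample in '1|Approved|Y' '1|Approved|N' '2|Insufficient funds|N' ''; do
  customer_message "$(classify_response "$sample")"
done
```
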