We regret to inform you that our development partner has ended support for the WooCommerce CardPointe Gateway Payments plugin. Effective February 23rd, 2022, the plugin is no longer available for new integrations.
Current users can continue to use the plugin as-is; however, there will be no new development or fixes to the plugin. CardPointe Support continues to provide support for transaction issues on the CardPointe Gateway; however, we are unable to provide technical support of the WooCommerce plugin and integration with your website.
The WooCommerce CardPointe Gateway Payments plugin allows you to accept Visa, MasterCard, American Express and Discover payments from your WordPress WooCommerce store. The CardPointe Gateway tokenizes sensitive payment data, safeguarding your customers from a data breach, while simultaneously removing the burden of PCI compliance.
Additionally, the plugin allows customers to securely save payment information to checkout with a saved card for future payments. Customer data is securely saved on CardPointe servers and not on your site.
The following topics provide information on recent updates to the plugin.
Version 3.4.9 (and higher) includes important backend security enhancements and fixes.
Additionally, we strongly recommend using the iFrame tokenization method for capturing customer payment card numbers. Select Enable IFRAME API on the WooCommerce> Settings >Payments tab to enable the Hosted iFrame Tokenizer on your checkout form for an additional layer of security.
Version 3.3.4 (and higher) includes the following new settings to help prevent fraud and carding events carried out by malicious scripts and bots:
The following settings are not configurable.
Maximum Credit Card Attempts
This setting limits the number of authorization attempts for a given payment card. Once the limit is exceeded, the card will be banned from use on the plugin. Must be a value from 3 (default) to 5 attempts.
Banned cards are displayed in the Currently Banned Card Tokens list. To re-enable a banned card token, you can select it and click Delete Selected Tokenized Card(s) to remove it from the list. The default setting is 3 attempts.
This setting limits the number of payments a cardholder can attempt to make in a given amount of time. The default setting requires a minimum of 3 seconds between payments.
Maximum order attempts
This setting limits the number of attempts to submit a payment for a given order. Must be a value from 3 (default) to 10 attempts.
Version 3.3.2 of the plugin includes a mandatory upgrade to Google ReCaptcha v2, which is now required to process transactions using the plug-in. See Configuring The WooCommerce Plugin for more information on setting up ReCaptcha.
If you allow your customers to save their payment information, or if use recurring payments for subscription plans, you should update to version 3.2.13 (or later) at your earliest convenience. With this update, applicable transactions using stored profiles will include the necessary data for compliance with this mandate.
Version 3.2.12 of the plugin adds a built-in Google ReCaptcha option, allowing you to add ReCaptcha fraud prevention to your payment form without integrating a standalone plugin.
The plugin now limits the total number of payment attempts (including failed and successful attempts) within a 30 minute period to 10 attempts. If the user exceeds this limit on your page, additional attempts are denied with the message "Too many orders attempted in a 30-minute period."
Maximum Declined Payments
The plugin now limits the number of failed payment attempts for a given user to 3 per 48-hour period. If the user exceeds this limit on your page, additional attempts are denied with the message "Too many attempts for this session."
Minimum Payment Amount
The plugin now limits the minimum payment amount for a given transaction to $5.00. If the user attempts to make a payment for less than $5.00 (for example, if a coupon code reduces the total to an amount less than $5.00) the attempt is denied with the message "Minimum checkout total is $5.00."
If you currently use a standalone reCaptcha plugin, you must disable that plugin before enabling the reCaptcha feature on the CardPointe plugin settings page.
Requirements and Best Practices
To use this plugin, you must have the following software and accounts:
WordPress 5.1 or greater
WooCommerce 3.2 or greater
PHP 7.2 or greater
CardPointe merchant account
Google ReCaptcha v2
While not required, the following best practices are strongly recommended to ensure the security of your customers' data and to prevent fraud.
Secure your checkout page with an SSL (secure socket layer) certificate.
Select the Enable IFRAME API option to use the Hosted iFrame Tokenizer to securely capture and tokenize customer card numbers. Using the iFrame ensures that payment card numbers are never exposed to the plugin; instead the card number is immediately tokenized and securely transmitted to the CardPointe Gateway for authorization.
If the security of your webpage becomes compromised, we reserve the right to disable your CardPointe merchant account.
Configuring the WooCommerce Plugin
To configure the plugin settings, log on to your WordPress dashboard and navigate to WooCommerce > Settings > Payments, then click Manage to the right of the CardPointe method.
Configure the following settings to enable payments and configure the plugin:
Enable/Disable CardPointe Payments
When checked, this enables payments via the CardPointe Gateway on the WooCommerce checkout page.
This controls the title header that the user sees on the credit card input form.
Controls the an optional description that the user sees on the credit card input form.
Select one of the following:
Capture Payment - Authorizes and captures the payment.
Authorize Only - Authorizes the payment request, but does not capture the payment from the customer. In this mode, you must manually review and capture each transaction in the CardPointe web application.
Enable Sandbox Mode to to test your checkout form. No real payments are accepted in Sandbox Mode, and you should not use live payment accounts for testing. When this option is not selected, the plugin is set to Live Mode to process payments.
Merchant ID (MID), Username, Password and Site
The Merchant ID (MID), credentials, and site used to process transactions in both Sandbox and Live Mode.
These values are provided by CardPointe Support during your merchant account setup.
Select the card types that you are entitled to accept as defined in your Merchant Agreement.
Enable this option to allow customers to securely store their tokenized payment information for future payments.
Include these checkout fields in CardPointe transactions
Optionally, select fields from the Billing Details section to include in your transaction details. These fields will be available in CardPointe, for transaction reporting.
Void on AVS Failure
Enable this option to verify the cardholder's billing address and zip code. If the information entered is incorrect, the order will be rejected.
Void on CVV Failure
Enable this option to verify the CVV/CVC2/CID (3 or 4 digit verification code). If the information entered is incorrect, the order will be rejected.
When checked, the payment form will include the ReCaptcha fraud prevention challenge.
To use the ReCaptcha service, you must sign up and generate the Site Key and Secret Key values, and enter those values on the plugin settings page.
This feature requires ReCaptcha v2.
If you use a standalone ReCaptcha plugin, you must disable it before enabling this feature.
ReCaptcha Enable dark Theme
Enable this option to set the ReCaptcha modal's display to dark more.
Enter the ReCaptcha v2 site key provided by Google.
Enter the ReCaptcha v2 secret key provided by Google.
Maximum Credit Card Attempts
Enter the number of authorization attempts to allow for the customer's payment card.
Once the limit is exceeded, the card will be banned from use on the plugin.
Must be a value from 3 (default) to 5 attempts.
Maximum Order Attempts
Enter the number of payment attempts to allow for a single order.
Must be a value from 3 (default) to 10 attempts.
Enter the number of seconds to require between accepting payment attempts from a customer.
The default setting requires a minimum of 3 seconds between payments.
Currently Banned Card Tokens
Displays the tokenized form of each payment card that has been banned due to suspected fraud.
To re-allow a card for use on your site, select the token from the list and click Delete Selected Tokenized Card(s).
Advanced Tokenization Settings
The following settings enable and configure the Hosted iFrame Tokenizer's card input field on the WooCommerce plugin.
Enable this option to use the CardPointe Hosted iFrame Tokenizer to securely capture and tokenize customer payment card numbers on the checkout form. When this option is enabled, the card number field is hosted by CardPointe's secure server, which instantly encrypts and tokenizes the card number.
This option is strongly recommended to ensure that card account numbers are handled in a secure and PCI-compliant manner, without being exposed to the WooCommerce plugin directly.
When this option is not enabled, the card number field is hosted on the WooCommerce form, which then transmits the card number for tokenization, via an HTTP request to CardSecure. This exposes the card number to the plugin, increasing the attack surface and probability of fraudulent activity.
Advanced IFRAME Style Settings
When you enable the Hosted iFrame Tokenizer, you can use the following settings to customize the look and feel of the field to match your checkout page.
Enable the Autostyle option to automatically style the card number input field to match your checkout page.
Enter custom CSS styling rules to manually style the card number field to match your checkout page.
Enable this setting to automatically insert spaces into the card number displayed in the input field.
Process When Inactive
Enable this setting to improve the checkout experience for users with mobile devices. This setting allows the Hosted iFrame Tokenizer to validate and tokenize the card number input after the user stops typing in or interacting with the input field.
Use the Timeout setting to configure the amount of time to wait before tokenizing the card.
Controls the delay (in milliseconds) that the Hosted iFrame Tokenizer will wait to validate and tokenize the card input once the user is no longer entering a card number or interacting with the field.
The default setting is 500 milliseconds (or 1/2 second).
Displays any available messages or warnings logged for your checkout form.
Sample Payment Form
The following example illustrates a sample payment form, and the settings used to customize the form:
From the WordPress dashboard, you can view the status of your pending and completed orders.
To view and manage your transactions, navigate to WooCommerce > Orders.
Refunds initiated in WooCommerce will result in the order total amount being credited back to the client. The ”Order Notes” will be updated accordingly with the Approval Code.
The WooCommerce Subscriptions plugin, supported by the WooCommerce CardPointe Gateway Payments plugin, provides merchants with the ability to offer products and services that require recurring payments. When a subscription product or service is purchased, the customer’s payment information is stored on CardPointe's secure server, while recurring payments are automatically charged according to the frequency set for the subscription. All recurring subscription payments are recorded in the WooCommerce Order Notes.