We regret to inform you that our development partner has ended support for the WooCommerce CardPointe Gateway Payments plugin. Effective February 23rd, 2022, the plugin is no longer available for new integrations.

Current users can continue to use the plugin as-is; however, there will be no new development or fixes to the plugin. CardPointe Support continues to provide support for transaction issues on the CardPointe Gateway; however, we are unable to provide technical support of the WooCommerce plugin and integration with your website.

The WooCommerce CardPointe Gateway Payments plugin allows you to accept Visa, MasterCard, American Express and Discover payments from your WordPress WooCommerce store. The CardPointe Gateway tokenizes sensitive payment data, safeguarding your customers from a data breach, while simultaneously removing the burden of PCI compliance.  

Additionally, the plugin allows customers to securely save payment information to checkout with a saved card for future payments. Customer data is securely saved on CardPointe servers and not on your site.

What's New?

The following topics provide information on recent updates to the plugin.

Version 3.4.9

Version 3.4.9 (and higher) includes important backend security enhancements and fixes.

Additionally, we strongly recommend using the iFrame tokenization method for capturing customer payment card numbers. Select Enable IFRAME API on the WooCommerce> Settings >Payments tab to enable the Hosted iFrame Tokenizer on your checkout form for an additional layer of security.  

See Advanced Tokenization Settings for more information.

Version 3.3.4

Version 3.3.4 (and higher) includes the following new settings to help prevent fraud and carding events carried out by malicious scripts and bots:

The following settings are not configurable.

  • Maximum Credit Card Attempts

    This setting limits the number of authorization attempts for a given payment card. Once the limit is exceeded, the card will be banned from use on the plugin. Must be a value from 3 (default) to 5 attempts.

    Banned cards are displayed in the Currently Banned Card Tokens list. To re-enable a banned card token, you can select it and click Delete Selected Tokenized Card(s) to remove it from the list. The default setting is 3 attempts.

  • Rate limiting 

    This setting limits the number of payments a cardholder can attempt to make in a given amount of time. The default setting requires a minimum of 3 seconds between payments.

  • Maximum order attempts

    This setting limits the number of attempts to submit a payment for a given order. Must be a value from 3 (default) to 10 attempts.

See Configuring the WooCommerce Plugin for more information.

Version 3.3.2

Version 3.3.2 of the plugin includes a mandatory upgrade to Google ReCaptcha v2, which is now required to process transactions using the plug-in. See Configuring The WooCommerce Plugin for more information on setting up ReCaptcha.

Version 3.2.13

Version 3.2.13 of the plugin includes back-end authorization request changes for compliance with the Visa and Mastercard Stored Credential Transaction Framework Mandate.

If you allow your customers to save their payment information, or if use recurring payments for subscription plans, you should update to version 3.2.13 (or later) at your earliest convenience. With this update, applicable transactions using stored profiles will include the necessary data for compliance with this mandate.

Version 3.2.12

Version 3.2.12 of the plugin adds a built-in Google ReCaptcha option, allowing you to add ReCaptcha fraud prevention to your payment form without integrating a standalone plugin.

See Configuring the WooCommerce Plugin for more information.

  • Maximum Total Payments

    The plugin now limits the total number of payment attempts (including failed and successful attempts) within a 30 minute period to 10 attempts. If the user exceeds this limit on your page,  additional attempts are denied with the message "Too many orders attempted in a 30-minute period."

  • Maximum Declined Payments

    The plugin now limits the number of failed payment attempts for a given user to 3 per 48-hour period. If the user exceeds this limit on your page,  additional attempts are denied with the message "Too many attempts for this session."

  • Minimum Payment Amount

    The plugin now limits the minimum payment amount for a given transaction to $5.00. If the user attempts to make a payment for less than $5.00 (for example, if a coupon code reduces the total to an amount less than $5.00) the attempt is denied with the message "Minimum checkout total is $5.00."

If you currently use a standalone reCaptcha plugin, you must disable that plugin before enabling the reCaptcha feature on the CardPointe plugin settings page.

Requirements and Best Practices

To use this plugin, you must have the following software and accounts:

  • WordPress 5.1 or greater
  • WooCommerce 3.2 or greater
  • PHP 7.2 or greater
  • CardPointe merchant account
  • Google ReCaptcha v2

While not required, the following best practices are strongly recommended to ensure the security of your customers' data and to prevent fraud.

  • Secure your checkout page with an SSL (secure socket layer) certificate.
  • Select the Enable IFRAME API option to use the Hosted iFrame Tokenizer to securely capture and tokenize customer card numbers. Using the iFrame ensures that payment card numbers are never exposed to the plugin; instead the card number is immediately tokenized and securely transmitted to the CardPointe Gateway for authorization.

If the security of your webpage becomes compromised, we reserve the right to disable your CardPointe merchant account.

Configuring the WooCommerce Plugin

To configure the plugin settings, log on to your WordPress dashboard and navigate to WooCommerce > Settings > Payments, then click Manage to the right of the CardPointe method.

Configure the following settings to enable payments and configure the plugin:

    Enable/Disable CardPointe PaymentsWhen checked, this enables payments via the CardPointe Gateway on the WooCommerce checkout page.
    TitleThis controls the title header that the user sees on the credit card input form.
    DescriptionControls the an optional description that the user sees on the credit card input form.
    Payment ModeSelect one of the following:
    • Capture Payment - Authorizes and captures the payment.
    • Authorize Only - Authorizes the payment request, but does not capture the payment from the customer. In this mode, you must manually review and capture each transaction in the CardPointe web application.
    SandboxEnable Sandbox Mode to to test your checkout form. No real payments are accepted in Sandbox Mode, and you should not use live payment accounts for testing. When this option is not selected, the plugin is set to Live Mode to process payments.
    Merchant ID (MID), Username, Password and SiteThe Merchant ID (MID), credentials, and site used to process transactions in both Sandbox and Live Mode. 

    These values are provided by CardPointe Support during your merchant account setup.

    Card TypesSelect the card types that you are entitled to accept as defined in your Merchant Agreement.
    Saved CardsEnable this option to allow customers to securely store their tokenized payment information for future payments.
    Include these checkout fields in CardPointe transactionsOptionally, select fields from the Billing Details section to include in your transaction details. These fields will be available in CardPointe, for transaction reporting.
    Void on AVS FailureEnable this option to verify the cardholder's billing address and zip code. If the information entered is incorrect, the order will be rejected.
    Void on CVV FailureEnable this option to verify the CVV/CVC2/CID (3 or 4 digit verification code). If the information entered is incorrect, the order will be rejected.
    Google ReCaptcha

    When checked, the payment form will include the ReCaptcha fraud prevention challenge.

    To use the ReCaptcha service, you must sign up and generate the Site Key and Secret Key values, and enter those values on the plugin settings page.


    • This feature requires ReCaptcha v2.
    • If you use a standalone ReCaptcha plugin, you must disable it before enabling this feature.
    ReCaptcha Enable dark ThemeEnable this option to set the ReCaptcha modal's display to dark more.
    Site KeyEnter the ReCaptcha v2 site key provided by Google.
    Secret KeyEnter the ReCaptcha v2 secret key provided by Google.

    Maximum Credit Card Attempts

    Enter the number of authorization attempts to allow for the customer's payment card.

    Once the limit is exceeded, the card will be banned from use on the plugin.

    Must be a value from 3 (default) to 5 attempts.

    Maximum Order Attempts

    Enter the number of payment attempts to allow for a single order.

    Must be a value from 3 (default) to 10 attempts.

    Rate Limiting

    Enter the number of seconds to require between accepting payment attempts from a customer.

    The default setting requires a minimum of 3 seconds between payments.

    Currently Banned Card Tokens

    Displays the tokenized form of each payment card that has been banned due to suspected fraud.

    To re-allow a card for use on your site, select the token from the list and click Delete Selected Tokenized Card(s).

    Advanced Tokenization Settings

    The following settings enable and configure the Hosted iFrame Tokenizer's card input field on the WooCommerce plugin.

    See the Hosted iFrame Tokenizer Developer Guide for detailed information on how the Hosted iFrame Tokenizer secures cardholder data.

    Enable IFRAME API

    Enable this option to use the CardPointe Hosted iFrame Tokenizer to securely capture and tokenize customer payment card numbers on the checkout form. When this option is enabled, the card number field is hosted by CardPointe's secure server, which instantly encrypts and tokenizes the card number.

    This option is strongly recommended to ensure that card account numbers are handled in a secure and PCI-compliant manner, without being exposed to the WooCommerce plugin directly.

    When this option is not enabled, the card number field is hosted on the WooCommerce form, which then transmits the card number for tokenization, via an HTTP request to CardSecure. This exposes the card number to the plugin, increasing the attack surface and probability of fraudulent activity.

    Advanced IFRAME Style Settings

    When you enable the Hosted iFrame Tokenizer, you can use the following settings to customize the look and feel of the field to match your checkout page.
    AutostyleEnable the Autostyle option to automatically style the card number input field to match your checkout page. 
    Custom StyleEnter custom CSS styling rules to manually style the card number field to match your checkout page.

    See iFrame Styling for detailed information.

    Format CC StringEnable this setting to automatically insert spaces into the card number displayed in the input field.
    Process When Inactive

    Enable this setting to improve the checkout experience for users with mobile devices. This setting allows the Hosted iFrame Tokenizer to validate and tokenize the card number input after the user stops typing in or interacting with the input field.

    Use the Timeout setting to configure the amount of time to wait before tokenizing the card.


    Controls the delay (in milliseconds) that the Hosted iFrame Tokenizer will wait to validate and tokenize the card input once the user is no longer entering a card number or interacting with the field.

    The default setting is 500 milliseconds (or 1/2 second).

    Warnings/MessagesDisplays any available messages or warnings logged for your checkout form.

    Sample Payment Form

    The following example illustrates a sample payment form, and the settings used to customize the form:

    Sample Woo Commerce Checkout Form

    Managing Transactions

    From the WordPress dashboard, you can view the status of your pending and completed orders. 

    To view and manage your transactions, navigate to WooCommerce > Orders.

    See the WooCommerce support documentation for detailed information on WooCommerce order statuses.

    Note that the WooCommerce order statuses are generally not linked to the transaction status on the CardPointe Gateway.

    The CardPointe web application provides a complete set of transaction management features, including the ability to void and refund payments, or generate reports to help manage your business.

    Capturing Authorizations

    If you have the plugin's Payment Mode set to Auth Only, then you must use the CardPointe web application to review each transaction and capture the payment from the customer's account.

    See the CardPointe Web App User's Guide for more information on viewing and managing transactions in CardPointe.

    Refunding Orders

    Refunds initiated in WooCommerce will result in the order total amount being credited back to the client. The ”Order Notes” will be updated accordingly with the Approval Code.


    The WooCommerce Subscriptions plugin, supported by the WooCommerce CardPointe Gateway Payments plugin, provides merchants with the ability to offer products and services that require recurring payments. When a subscription product or service is purchased, the customer’s payment information is stored on CardPointe's secure server, while recurring payments are automatically charged according to the frequency set for the subscription. All recurring subscription payments are recorded in the WooCommerce Order Notes.