Payment Gateway with MPGS for WooCommerce

Payment Gateway with MPGS for WooCommerce provides a secure, PCI-compliant payment solution for your WooCommerce store through MasterCard Payment Gateway Services (MPGS) Hosted Checkout integration.

Key Features

• 🔒 Enhanced Security – Nonce verification, input sanitization, output escaping
• 🧪 Test Mode – Toggle between test and live credentials for safe testing
• 📝 Debug Logging – Comprehensive WooCommerce logger integration for troubleshooting
• 📊 Transaction Metadata – Store detailed transaction information with every order
• 💳 Card Details – Automatically save card type, brand, and last 4 digits
• ⚡ HPOS Compatible – Full support for WooCommerce High-Performance Order Storage
• 🌐 Multiple API Versions – Supports MPGS API versions 49, 52, 55, 62, 63, and 66
• 🔐 3DS Authentication – Built-in support for 3-D Secure (both 3DS1 and 3DS2)
• 🌍 Translation Ready – Complete internationalization support with French translation included

Two Checkout Modes

1. Payment Page (Redirect) – Customers are securely redirected to MPGS payment gateway page
2. Lightbox (Popup) – Payment form appears in a modal on your website (API v49-62 only)

PCI Compliance

All card data is handled directly by MPGS servers using Hosted Checkout. No sensitive payment information ever touches your server, ensuring PCI DSS compliance without complex certification requirements.

Perfect For

• Online stores requiring MPGS integration
• Merchants with acquiring banks using MPGS
• Businesses needing secure, reliable credit card processing
• Stores requiring 3-D Secure authentication
• International e-commerce sites

Version 2.0.0 Highlights

This major release includes complete security improvements, modern WooCommerce compatibility, and enhanced merchant features:

• Complete security audit and fixes
• HPOS (Custom Order Tables) compatibility
• PHP 8.2+ compatibility
• Test mode for safe development
• Comprehensive debug logging
• Enhanced transaction tracking
• Improved error messages
• Refund documentation for future implementation

Requirements

• WordPress 5.0 or higher
• WooCommerce 4.0 or higher
• PHP 7.2 or higher
• SSL certificate (HTTPS) for production
• MPGS merchant account with API credentials

Support

• Documentation
• Support Forum
• GitHub Repository

Credits

Current Maintainer: Salman Patnee
Original Author: Ali Basheer (v1.0.0 – v1.5.1)

External Services

This plugin connects to MasterCard Payment Gateway Services (MPGS) to process credit and debit card payments securely.

Service Provider

MasterCard Payment Gateway Services (MPGS)
MPGS is MasterCard’s official payment gateway platform that enables merchants to accept credit and debit card payments. This plugin uses the MPGS Hosted Checkout integration method.

• Service Provider: MasterCard International Incorporated
• Service Website: https://www.mastercard.com/
• Terms of Use: https://www.mastercard.com/global/en/vision/terms-of-use.html
• Privacy Policy: https://www.mastercard.com/global/en/vision/corp-responsibility/commitment-to-privacy.html

External Domains Used

This plugin connects to the following MPGS gateway domains (depending on your region):

• https://ap-gateway.mastercard.com/ – Asia Pacific
• https://eu-gateway.mastercard.com/ – Europe
• https://na-gateway.mastercard.com/ – North America
• https://mtf.gateway.mastercard.com/ – Test/Sandbox environment

The specific domain is configured by the merchant in plugin settings based on their acquiring bank’s instructions.

When Data is Sent

The plugin communicates with MPGS servers in two scenarios:

1. Session Creation (at checkout):
   When a customer clicks “Place Order”, the plugin sends a POST request to create a payment session:
   POST https://[gateway-domain]/api/rest/version/[XX]/merchant/[merchant-id]/session

2. Transaction Verification (after payment):
   When the customer returns from payment, the plugin verifies the transaction:
   GET https://[gateway-domain]/api/rest/version/[XX]/merchant/[merchant-id]/order/[order-id]

What Data is Sent

During Session Creation:
* Order ID and reference number
* Order total amount and currency
* Order description
* Customer name, email, and phone (if provided)
* Return URL for payment completion
* Merchant credentials (server-side only, never exposed to browser)

During Transaction Verification:
* Order ID
* Merchant credentials (server-side only)

Important: Credit card numbers, CVV, and expiry dates are NEVER sent through this plugin. Customers enter card details directly on MPGS-hosted secure pages.

Data Protection

• PCI DSS Compliance: MPGS is PCI DSS Level 1 certified
• Encryption: All API communication uses HTTPS with TLS 1.2+
• No Local Storage: Card data is never stored on your server

No User Tracking

This plugin does NOT:
* Track user behavior or analytics
* Store payment card data locally
* Share data with third parties (except MPGS for payment processing)
* Use cookies for tracking

Required Setup

To use this plugin, you must obtain MPGS credentials from your acquiring bank:
1. Merchant ID
2. Authentication Password
3. Gateway URL (region-specific)

Configure these in: WooCommerce → Settings → Payments → MPGS

Automatic Installation

1. Log into your WordPress admin panel
2. Go to Plugins > Add New
3. Search for “Payment Gateway with MPGS for WooCommerce”
4. Click Install Now and then Activate
5. Navigate to WooCommerce > Settings > Payments > MPGS
6. Configure your MPGS credentials and settings

Manual Installation

1. Download the plugin ZIP file
2. Log into WordPress admin panel
3. Navigate to Plugins > Add New > Upload Plugin
4. Choose the ZIP file and click Install Now
5. Click Activate Plugin
6. Go to WooCommerce > Settings > Payments > MPGS to configure

Configuration

After activation, configure the gateway:

1. Go to WooCommerce > Settings > Payments
2. Click MPGS to open settings
3. Enter your MPGS credentials:
   • MPGS URL – Your gateway URL (e.g., https://ap-gateway.mastercard.com/)
   • API Version – Choose your API version (66 recommended)
   • Merchant ID – Provided by your bank
   • Authentication Password – Generate in MPGS admin portal
4. Configure optional settings:
   • Test Mode – Enable for testing (recommended initially)
   • Debug Log – Enable for troubleshooting
   • Title – Payment method name shown to customers
   • Checkout Interaction – Choose Lightbox or Payment Page
5. Click Save changes

Important: Ensure your MPGS URL ends with a trailing slash!

Does this plugin store credit card information?

No. All card data is processed directly by MPGS using Hosted Checkout. No card information ever touches your server, ensuring PCI compliance.

What is Test Mode and how do I use it?

Test Mode allows you to test payments using sandbox credentials without processing real transactions. Always enable Test Mode during development and testing. You’ll need separate test credentials from your acquiring bank or MPGS.

How do I get MPGS credentials?

Contact your acquiring bank or payment service provider to set up an MPGS merchant account. They will provide:
* MPGS Gateway URL
* Merchant ID
* Access to MPGS admin portal to generate API credentials

How do I generate the Authentication Password?

1. Log into your MPGS merchant admin portal (credentials from your bank)
2. Go to Admin > Integration Settings
3. Click Generate Authentication Password
4. Copy the password and paste it in the plugin settings

Note: This is NOT your MPGS login password!

What format should the MPGS URL be in?

The URL must end with a trailing slash. Correct format:
https://ap-gateway.mastercard.com/

Do NOT include /checkout/version/*/checkout.js – use only the base URL.

Why are my transactions failing with “Invalid request”?

Common causes:
1. Currency mismatch – Your MPGS merchant account currency must match your WooCommerce store currency
2. Incorrect MPGS URL – Must end with trailing slash
3. Wrong credentials – Verify Merchant ID and Authentication Password
4. API version mismatch – Ensure your MPGS account supports the selected API version

Enable Debug Logging to see detailed error messages.

What API version should I use?

We recommend API version 66 as it’s the most recent and tested. However, the plugin supports versions 49, 52, 55, 62, 63, and 66. Check with your bank which versions your account supports.

Can I use the Lightbox (popup) payment mode?

Lightbox mode is only available with API versions 49-62. If you’re using API version 63 or higher, you must use Payment Page (redirect) mode.

Does this plugin support refunds?

Refunds are not yet supported through the WooCommerce admin interface. You can process refunds through your MPGS merchant portal. Refund support is planned for a future release.

Is this plugin HPOS compatible?

Yes! Version 2.0.0 fully supports WooCommerce High-Performance Order Storage (HPOS/Custom Order Tables).

How do I troubleshoot payment issues?

1. Enable Test Mode in gateway settings
2. Enable Debug Log in gateway settings
3. Attempt a test payment
4. Go to WooCommerce > Status > Logs
5. Find the log file with source salmanpatnee-mpgs-for-woocommerce
6. Review log messages for errors

Where can I find transaction details?

For each order paid via MPGS:
1. Go to WooCommerce > Orders
2. Open the order
3. Check Order Notes for transaction details including:
* Transaction Receipt
* Transaction ID
* Gateway Response Code
* Card Type and Last 4 Digits

2.0.0 – 2025-12-18

Major Release – Complete Rewrite

New Features:
* Test mode toggle for safe development and testing
* Debug logging system with WooCommerce logger integration
* Enhanced transaction metadata storage (ID, receipt, card details, gateway codes)
* Improved error messages with specific details and codes
* Test mode indicator in admin settings
* Comprehensive refund documentation for future implementation

Security Enhancements:
* Added nonce verification for all MPGS callbacks
* Input sanitization for all user inputs and request data
* Output escaping for all HTML/JavaScript output
* CSRF protection on payment processing
* Enhanced payment verification logic

Improvements:
* HPOS (High-Performance Order Storage) compatibility
* PHP 8.2+ compatibility (removed deprecated utf8_decode)
* Complete code quality improvements with PHPDoc comments
* Better error handling and user feedback
* Enhanced order notes with full transaction details
* Improved admin interface with test mode badge
* Better logging at all payment flow stages

Bug Fixes:
* Fixed sprintf() bug causing null order descriptions
* Fixed PHP 8.2 deprecated function warnings
* Fixed double semicolon syntax error
* Fixed missing translation wrappers

Changes:
* Plugin renamed to “MPGS Payment Gateway for WooCommerce” (WordPress.org compliance)
* Text domain changed to salmanpatnee-mpgs-for-woocommerce
* Function prefix changed to mpgs_
* Gateway ID changed to mpgs
* Minimum PHP version raised to 7.2
* Minimum WordPress version raised to 5.0
* Minimum WooCommerce version raised to 4.0

Documentation:
* Comprehensive README.md
* Updated installation instructions
* Enhanced FAQ section
* API version compatibility table
* Troubleshooting guide

1.5.1 – 2021-12-15

• Fix MSO error

1.5.0 – 2021-08-20

• Support latest API version 66
• Provide support for both 3DS1 and 3-D Secure authentication version 2 (3DS2)

1.4.0 – 2020-12-10

• Added filter to allow customization on the session request
• Added transaction reference to support some special MID setups

1.3.0 – 2020-06-15

• Support latest API version 55
• Allow admin orders even without customer info
• Translations support
• Access order properties through get functions instead of deprecated direct access

1.2.0 – 2019-11-20

• Fix bug with some American Express cards related to handling JSON response
• Allow admin to create orders for customers
• Remove transaction ID logging and keep only transaction receipt

1.1.0 – 2019-08-10

• Multisite support
• Fix redirection after payment
• Enhanced error handling
• Enhanced payment verification checking

1.0.1 – 2019-06-05

• Option to edit payment icon
• Add order notes on error for better debugging

1.0.0 – 2019-05-01

• Initial release