WebHosting4U Secure Card Gateway for ePay Paycenter (Piraeus Bank)

by webhosting4ugr

Description

What sets this plugin apart

HPOS-native from day one. Built against WooCommerce’s High-Performance Order Storage from the very first release. All order metadata uses the HPOS-aware $order->update_meta_data() / get_meta() API — never the legacy update_post_meta() / get_post_meta() calls that silently fail on HPOS-enabled stores (the WooCommerce default for new installs since 8.x). Your transaction IDs, support reference IDs, and approval codes are preserved whichever storage mode you run.
Cloudflare-aware. Automatically detects when your store is served through Cloudflare (via the CF-Ray / CF-Connecting-IP request headers) and surfaces the current Cloudflare IPv4 CIDR ranges right in the gateway settings page, ready to copy. You hand them to Euronet Merchant Services so the bank’s callbacks are not blocked at their firewall when they arrive via Cloudflare edge IPs. Live list fetched from cloudflare.com/ips-v4 and cached for 12 hours.
Built-in WAF / callback self-test. A diagnostic button in the gateway settings sends a realistic, declined-transaction-shaped POST to your own callback URL via loopback and reports whether your host’s web-application firewall (cPFence, ModSecurity / OWASP CRS, Imunify360, BitNinja, LiteSpeed WAF) silently blocks it before PHP runs. No real order is created or modified — the synthetic payload carries a WAFTEST- merchant reference that cannot match any order in the database. Catches the class of “callbacks never arrive” problems before they cost you a sale.
Modern admin UI. Card-based layout, dashicons throughout, one-click Copy-to-clipboard for all callback URLs grouped in a single block, environment badge (Test / Live / Production) on the credentials section, collapsible Cloudflare details. Audited against WordPress 7.0’s “Modern” admin theme.
Audited for WordPress 7.0 on release day. Reviewed against the full WordPress 7.0 Field Guide breaking-changes list on 2026-05-20. “Tested up to: 7.0” from the very first stable release. The plugin requires PHP 7.4 (the new WordPress 7.0 minimum) and uses no APIs deprecated in 7.0.
Fully bilingual (EN + EL). All 179 admin and customer-facing strings translated to Greek and shipped as both classic .mo and WordPress 6.5+ performant .l10n.php payloads. The wp.org page itself ships with an English readme.txt that opens with a Greek summary, plus a parallel full Greek readme-el.txt companion file inside the plugin folder for Greek-speaking merchants.

Ελληνικά:

Ανεξάρτητο πρόσθετο πύλης πληρωμής WooCommerce από τη WebHosting4U για
την υπηρεσία ePay Paycenter Redirection της Τράπεζας Πειραιώς /
Euronet Merchant Services. Υλοποιεί πλήρως την επίσημη προδιαγραφή
Redirection v2.9:

Έκδοση μοναδικού εισιτηρίου (TranTicket) μέσω SOAP Ticketing Web
Service με κωδικοποίηση UTF-8.
Αυτόματη ανακατεύθυνση POST στην ασφαλή σελίδα πληρωμής της τράπεζας
(pay.aspx) — τα δεδομένα κάρτας δεν περνούν ποτέ από τον διακομιστή
του καταστήματος.
Πλήρης επαλήθευση HashKey HMAC-SHA256 σε κάθε επιτυχημένη απάντηση
πριν χαρακτηριστεί η παραγγελία ως εξοφλημένη.
Υποστήριξη συναλλαγών Sale και Προέγκρισης (Preauthorization).
Υποστήριξη IRIS Payments (άμεσες πληρωμές μέσω ΔΙΑΣ). Όταν η
Euronet Merchant Services ενεργοποιήσει το IRIS στη σύμβασή σας, η
σελίδα πληρωμής της τράπεζας εμφανίζει στον πελάτη και τις δύο
επιλογές (κάρτα ή IRIS). Το πρόσθετο αναγνωρίζει τις απαντήσεις IRIS,
αποθηκεύει το κανάλι πληρωμής στην παραγγελία, και εμφανίζει
μηνύματα προσαρμοσμένα στα IRIS σενάρια (ακύρωση από την εφαρμογή
τράπεζας, λήξη QR 5 λεπτών, σφάλμα υπηρεσίας IRIS κ.λπ.).
Συμπλήρωση πεδίων 3-D Secure από τη διεύθυνση χρέωσης / αποστολής
του WooCommerce.
Συμβατότητα με HPOS (Custom Order Tables) και WooCommerce Blocks
checkout.

Προϋπόθεση: πρέπει να έχετε υπογεγραμμένο συμβόλαιο αποδοχής με την
Euronet Merchant Services / Τράπεζα Πειραιώς και να διαθέτετε τα
διαπιστευτήρια AcquirerId, MerchantId, PosId, Username,
Password. Το πρόσθετο δεν παρέχει δικούς του δοκιμαστικούς
λογαριασμούς.

Η πλήρης ελληνική μετάφραση της σελίδας του προσθέτου στο WordPress.org
θα είναι διαθέσιμη μέσω του translate.wordpress.org
μόλις εγκριθεί από την κοινότητα. Δείτε επίσης το συνοδευτικό
readme-el.txt για την ολοκληρωμένη ελληνική τεκμηρίωση.

English:

This plugin integrates WooCommerce with the ePay Paycenter Redirection
service operated by Piraeus Bank / Euronet Merchant Services. It implements
the official Redirection v2.9 specification end to end:

SOAP Ticketing Web Service (IssueNewTicket) with UTF-8 payload.
Auto-submitted HTML form POST redirection to the Paycenter secure
payment page (pay.aspx) so card data never touches your server.
Full HMAC-SHA256 HashKey verification for every successful callback
before marking an order as paid.
Support for Sale and Preauthorization transactions.
IRIS payments (Greek instant payment / DIAS) accepted transparently
when enabled by Euronet Merchant Services on the merchant agreement.
The bank’s hosted page presents card and IRIS as the two payment
options; the plugin recognises the IRIS-specific response payload
(CardType=15, PaymentMethod=IRIS), surfaces IRIS-tailored decline
messages for the IRIS-only ResponseCodes (05 user-cancelled-in-bank-app,
06 service error, 09 pending, 68 5-minute QR timeout, 70 IRIS service
error) and records the channel on the order so card vs IRIS settlements
are distinguishable in your reports.
3-D Secure auxiliary fields populated from the WooCommerce billing /
shipping address.
HPOS (Custom Order Tables) and WooCommerce Blocks checkout support.

You must have signed an acquiring contract with Euronet Merchant
Services / Piraeus Bank and obtained AcquirerId, MerchantId, PosId,
Username and Password credentials before using this plugin. The
plugin does not provide test or sandbox accounts on its own; please
contact Euronet Merchant Services to request one.

Affiliation and trademark notice

This plugin is independent software published by WebHosting4U and is
not affiliated with, endorsed by, sponsored by, or otherwise officially
connected to Piraeus Bank S.A., Euronet Merchant Services, or
Automattic Inc. The third-party names “ePay”, “Paycenter”, “Piraeus Bank”
and “WooCommerce” are trademarks of their respective owners and are
used here in good faith, after the unaffiliation marker “for”, solely
to describe the third-party service this plugin integrates with, in
line with the WordPress.org Detailed Plugin Guidelines on third-party
trademarks. The bundled accepted card brands image
(assets/img/wp-cards.png) is included with the rights-holder’s
authorization for the merchant distribution scope of this plugin.

User tracking and consent

This plugin does not load any analytics, telemetry, advertising,
fingerprinting, profiling or behavioural tracking code, neither on the
storefront nor in the WordPress admin. It does not set cookies on
visitor browsers, does not contact any first-party or third-party
analytics endpoint, and does not collect aggregated or individual
usage statistics from the merchant’s installation. The only outbound
network traffic the plugin generates is the strictly transactional
traffic documented in the External services section below, which
is required to complete a payment the merchant has explicitly
configured the plugin to perform. No user-tracking consent prompt is
therefore required by this plugin (Plugin Review Team Guidelines 7
and 9).

External services

This plugin reaches out to three external services. Two are operated
by Euronet Merchant Services on behalf of Piraeus Bank S.A. for the
“ePay Paycenter” payment redirection product (mandatory for the
plugin’s core function). The third is a publicly available Cloudflare
endpoint used only in the admin panel to help store owners configure
firewall rules for payment callbacks.

1. ePay Paycenter Ticketing Web Service

What it is: a SOAP / ASMX endpoint published by Euronet Merchant
Services that issues a single-use TranTicket for each card
payment attempt. The ticket is then handed to the customer’s
browser as a hidden form field that POSTs to the secure payment
page, so cardholder data never touches the merchant server.
Endpoint: https://paycenter.piraeusbank.gr/services/tickets/issuer.asmx
What is sent: the merchant credentials provided by Euronet Merchant
Services (AcquirerId, MerchantId, PosId, Username and an MD5 hash
of the Password), the order’s MerchantReference (numeric WooCommerce
order id with a short random suffix), the transaction amount and
ISO 4217 numeric currency code, the request type (Sale or
Preauthorization), and the 3-D Secure auxiliary fields populated
from the WooCommerce order: billing email, cardholder name,
billing address (city / lines / post code / state / ISO 3166
numeric country code), shipping address when present, and the
customer’s mobile phone number formatted as CC-Number. No
cardholder data, no PAN, no CVV, no expiry, and no analytics
identifier is ever transmitted; cardholder data is collected
exclusively on the bank’s secure payment page.
When it is sent: once per successful checkout submission, at the
moment WooCommerce hands control to the gateway’s
Pay for order page, immediately before the customer is
auto-redirected to the bank.

2. ePay Paycenter Redirection page

What it is: the bank-hosted secure payment page where the customer
enters card details and completes the 3-D Secure challenge. The
plugin renders an auto-submitted HTML form whose action attribute
is the URL below.
Endpoint: https://paycenter.piraeusbank.gr/redirection/pay.aspx
What is sent: the merchant identifiers (AcquirerId, MerchantId,
PosId, User), the language code, the MerchantReference issued
during ticketing, and a per-order ParamBackLink so the bank’s
Cancel button returns the customer to the correct WordPress
endpoint. The TranTicket itself is read by the customer’s
browser from the hidden form field; the merchant server is not
the originator of the redirect POST.
When it is sent: once per checkout, immediately after the
Ticketing call above succeeds.
Inbound counterpart: Paycenter posts a signed transaction
response (HMAC-SHA256 HashKey) back to the plugin’s WC-API
callback URL on the merchant site
(https://<merchant-site>/?wc-api=epay_paycenter). This is the
same service – the merchant site is the Notification / Success /
Failure / Backlink target the merchant configures in the
Euronet portal. No data leaves the merchant server on this
inbound leg; the plugin only reads, verifies, and acts on the
response.

Service operator and legal links

Both endpoints above are operated by Euronet Merchant Services
(epay) for Piraeus Bank S.A.. Before activating the gateway,
merchants must review and agree to the operator’s terms and
privacy policy:

Service homepage: https://epayworldwide.com/ (Euronet Merchant
Services / epay corporate site)
Greek market homepage: https://www.epaygreece.gr/
Terms of Service: https://www.epaygreece.gr/oroi-xrisis/
Privacy Policy: https://www.epaygreece.gr/politiki-aporritou/
Piraeus Bank corporate site: https://www.piraeusbank.gr/
Piraeus Bank Privacy Policy: https://www.piraeusbank.gr/en/idiwtes/protection-of-personal-data

If any of the above URLs change after publication, please consult
the live operator websites for the current version of the relevant
document. The plugin’s behaviour is not affected by such updates
because the operator’s terms apply to the merchant’s relationship
with Euronet Merchant Services / Piraeus Bank, not to the plugin
itself. Merchants remain responsible for keeping their own
privacy policy and terms aligned with the data flows documented
above (notably the transmission of billing / shipping address
fields and customer email / phone to the bank for 3-D Secure
authentication).

3. Cloudflare IPv4 list

What it is: a publicly available plain-text file published by
Cloudflare, Inc. that lists the current IPv4 CIDR ranges used by
Cloudflare’s edge network. The plugin fetches this file once every
12 hours (or 15 minutes on failure) via wp_safe_remote_get() and
caches the result in a WordPress transient.
Endpoint: https://www.cloudflare.com/ips-v4/
What is sent: a standard HTTP GET request with no personal data,
no order information, no credentials, and no cookies. The only
identifying information in the request is the plugin’s User-Agent
string (secure-card-gateway-for-epay-paycenter-piraeus-bank/VERSION).
Why: when the plugin’s admin settings page detects that the
WordPress site is served through Cloudflare (via the CF-Ray /
CF-Connecting-IP / CDN-Loop request headers), it displays the
current Cloudflare IPv4 ranges so the store owner can copy them
into an email to Euronet Merchant Services to whitelist them for
payment callbacks. Without this list, callbacks routed through
Cloudflare edge IPs may be rejected by the bank’s firewall.
When: only when an administrator views the gateway’s WooCommerce
settings page and Cloudflare is detected on the incoming request.
It is never triggered on the storefront or by guest/customer visits.
Cloudflare service homepage: https://www.cloudflare.com/
Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
Cloudflare Terms of Service: https://www.cloudflare.com/terms/

No data is sent to any third party other than the three endpoints
listed above.

Installation

Upload the plugin ZIP through Plugins Add New Upload Plugin,
or extract it into wp-content/plugins/wh4u-secure-card-gateway-for-epay-paycenter-piraeus-bank/.
Activate the plugin.
Go to WooCommerce Settings Payments and enable
ePay Paycenter (Piraeus Bank).
Enter your AcquirerId, MerchantId, PosId, Username and Password
exactly as provided by Euronet Merchant Services.
Set the environment (Test / Live), language, and transaction type.
Provide Euronet Merchant Services with the following URLs for your
merchant record:
- Referrer URL: your shop checkout page.
- Success URL: https://your-site.tld/wc-api/epay_paycenter/
- Failure URL: https://your-site.tld/wc-api/epay_paycenter/
- Backlink URL: https://your-site.tld/wc-api/epay_paycenter/
- IP address: the outbound IP of your web server.
- Response method: POST (recommended).
Execute the mandatory test cases documented in Section 7 of the
Redirection v2.9 manual before requesting live credentials.

Screenshots

ePay Paycenter gateway entry in WooCommerce → Settings → Payments with editable title and description shown to the customer. / Καταχώρηση πύλης ePay Paycenter στο WooCommerce → Ρυθμίσεις → Πληρωμές με επεξεργάσιμο τίτλο και περιγραφή.
Gateway settings page: Merchant credentials (AcquirerId, MerchantId, PosId, Username, Password) above Bank integration data with the Success / Failure / Backlink URLs grouped into a single grey block with a one-click Copy button. / Σελίδα ρυθμίσεων πύλης: Στοιχεία πρόσβασης εμπόρου πάνω από τα Στοιχεία σύνδεσης με την τράπεζα, με τα Success / Failure / Backlink URLs σε ενιαίο γκρι πεδίο και κουμπί αντιγραφής με ένα κλικ.

Faq

Which cards are supported?

Visa, Mastercard, Maestro, and (subject to agreement with Euronet
Merchant Services) Diners / Discover and American Express.

Does the plugin support IRIS payments?

Yes. When IRIS is enabled on your merchant agreement by Euronet Merchant
Services, customers can choose between card and IRIS directly on the
bank’s hosted payment page — the plugin does not need a separate setting
to “turn IRIS on” because the choice is made server-side at the bank,
not in your checkout. The plugin recognises IRIS responses (CardType=15
or PaymentMethod=IRIS in the bank’s HMAC-verified callback), shows
IRIS-tailored messages for the IRIS-only decline scenarios (user
cancelled in their banking app, 5-minute QR timeout, IRIS service error,
etc.) and records the payment channel on the order so card and IRIS
transactions are distinguishable in your reports.

Per Piraeus Bank policy, IRIS payments do not support installments
(the full amount is charged) and refunds are not supported for IRIS
transactions (ResponseCode 9167). These restrictions are enforced by
the bank, not by the plugin.

Does the plugin store any card data?

No. Cardholder data is entered exclusively on the Paycenter secure
payment page and never transits your server. The plugin stores only
non-sensitive metadata such as approval code, response code and
SupportReferenceID for reconciliation.

What happens if the HashKey cannot be verified?

The order is set to On hold and a notice is logged. Verification is
mandatory before an order is marked paid; a mismatching HashKey is
treated as a potentially forged callback.

Is this plugin GDPR-compatible?

The plugin transmits only the minimum data required for the transaction
(order total, currency, merchant reference, and 3-D Secure auxiliary
fields such as billing email and address). No analytics or telemetry is
collected.

My host’s WAF (cPFence, ModSecurity, Imunify360, BitNinja, LiteSpeed) is blocking the bank callback. What do I do?

Shared-hosting firewalls sometimes flag Paycenter’s decline-callback
payload because it contains patterns (dash-only TransactionDateTime,
empty HashKey on declined transactions, Greek ResponseDescription
text) that overlap with default attack signatures. Symptoms: callbacks
for failed transactions never arrive and orders get stuck in pending
payment.

The plugin’s settings page includes a Test callback URL diagnostic
that POSTs a realistic declined-transaction payload to your own callback
URL via loopback and reports whether a host WAF intercepts it. Run it
once before going live. If a WAF is intercepting, ask your hosting
provider to whitelist the URL /?wc-api=epay_paycenter (callback-URL
scope only — never disable rules server-wide). CDN-level WAFs
(Cloudflare, Sucuri, Akamai) must be configured separately at the CDN —
the in-admin diagnostic only exercises the origin server’s WAF.

My customer sees only “-1” after the bank return. What happened?

The literal -1 comes from WooCommerce core’s WC_API handler. For
this plugin it usually means one of three things:

The callback URL in the Euronet portal does not match the plugin’s
URL. Use exactly https://<your-site>/?wc-api=epay_paycenter (no
trailing slash, no extra path). Copy it from the gateway settings
page where the plugin displays the canonical form.
A host WAF intercepted the callback before it reached PHP (see the
WAF FAQ above).
The plugin handled the callback but a downstream redirect target
suppressed the notice. Since 1.0.14 decline messages survive
cross-origin redirect cookie stripping, so this is rare on current
versions.

Check WooCommerce Status Logs for epay-paycenter-* entries
around the transaction timestamp. The Callback envelope INFO line is
written on every callback that reaches PHP, so its presence or absence
distinguishes WAF-level blocks from plugin-level rejects.

Reviews

Changelog

1.0.31

Docs: readme Description trimmed to fit the wp.org 2,500-word limit (the 1.0.30 release was truncated on the public plugin page). The standalone == WAF compatibility == section was rolled into two FAQ entries that cover the same operator scenarios (WAF blocking callbacks, “-1” troubleshooting) without per-vendor configuration snippets — those move to support docs. No code change; the in-admin “Test callback URL” diagnostic, callback envelope logging and URL normalisation features previously documented in that section all remain.

1.0.30

Feature: IRIS payments support per Redirection Manual v2.9. When Euronet Merchant Services enables IRIS on your merchant account, the bank’s hosted page lets customers pay by IRIS instead of card; the plugin now recognises the IRIS response payload (CardType=15 / PaymentMethod=IRIS), stores the payment channel on the order, and surfaces IRIS-tailored messages for the IRIS-only ResponseCodes 05 (user cancelled in their bank app), 06 (service error), 09 (initiated but not confirmed), 68 (5-minute QR-code timeout) and 70 (IRIS service unexpected error). HMAC-SHA256 HashKey verification applies to IRIS callbacks identically (the empty AuthStatus / PackageNo / TraceID fields are concatenated as empty strings per the manual). No payment-flow or callback-handler change for existing card transactions.
Feature: customer-selectable installments on the classic WooCommerce checkout. The gateway now renders an “Installments (interest-free)” dropdown when installments are enabled and the cart total qualifies; the picked value is captured at order creation, persisted as _epay_installments order meta, and sent as the Installments parameter in the Ticketing request to Piraeus Bank.
Feature: tiered max-installments by amount via a new admin setting “Tiered max installments by amount (interest-free)”. Format amount:max,amount:max,... (e.g. 50:3, 100:6, 200:12). Overrides the flat “Maximum installments” when set. Per Piraeus Bank policy all installments via this gateway are interest-free for the customer; the merchant absorbs the bank commission.
Security: the customer-side dropdown is treated as untrusted. process_payment() always re-clamps the picked value against the merchant’s tier policy evaluated for the live order total, and the SOAP ticket request re-clamps a second time as defence-in-depth. Tier-string parsing uses a strict regex; malformed segments are silently dropped instead of throwing.
Internal: the existing installments checkbox + max_installments + min_amount_for_installments settings, previously cosmetic (the Ticketing request was hard-coded to Installments=0), are now wired up. _epay_installments order meta carries the value through the bank round-trip. Success order note now branches by payment channel — IRIS rows omit the empty PackageNo / TraceID columns that have no analogue in the DIAS instant-payment flow.
Docs: readme Description, FAQ and Greek readme-el.txt companion updated with IRIS coverage; new section “What sets this plugin apart” surfaces the technical differentiators (HPOS-native, Cloudflare detection, WAF self-test, WP 7.0 audit, bilingual readme).
Known limitation: the installments customer picker ships for classic WC checkout only. WooCommerce Blocks Checkout customers default to one-time payment (Installments=1, the bank’s canonical “no installments” per Redirection Manual v2.9 §4); the Blocks picker is scheduled for a follow-up release.

1.0.28

Compatibility: tested with WordPress 7.0 (released 2026-05-20). Verified that the gateway works on the new Modern admin theme, the iframed post editor changes do not affect WooCommerce Blocks checkout integration, and PHP 7.4+ requirement already meets the new core minimum.
Docs: screenshot captions in readme corrected to match the actual images (bilingual EN/EL).

1.0.27

UX: settings screen reordered — the “Merchant credentials” section now appears above the “Bank integration data” section, matching the natural onboarding flow (enter the credentials from Euronet first, then send the technical data back).
UX: “Bank integration data” card and its Cloudflare detection sub-block are now collapsible (closed by default) to keep the settings screen compact after onboarding.
UX: the five callback URLs (Website, Referrer, Success, Failure, Backlink) are consolidated into a single grey block with one “Copy” button, replacing the per-URL row layout.
i18n: Greek translation added for the new “Copy callback URLs to clipboard” aria-label.
Internal: aligned EPAY_PAYCENTER_VERSION constant with the plugin header (was lagging at 1.0.25, used by asset cache-busting and outbound User-Agent strings).

1.0.26

Compliance: invalid Plugin URI header removed per Plugin Review Team feedback. The URI is an optional header (https://developer.wordpress.org/plugins/plugin-basics/header-requirements/) and the previously declared page was not public. Author URI (https://webhosting4u.gr/) is unchanged and reachable.

1.0.22

Fix: plugin folder and main file renamed to secure-card-gateway-for-epay-paycenter-piraeus-bank to match WP.org slug; resolves Plugin Check TextDomainMismatch on all i18n calls.
Fix: UTF-8 BOM properly stripped from all PHP files (previous fix re-encoded U+FEFF as a BOM on write; correct method skips the 3 BOM bytes before decoding).

1.0.21

Fix (critical): TranTicket was missing from the redirect form POST to pay.aspx — every payment attempt would be rejected by the bank. Added to form_fields in output_receipt_page().
Fix: apply_filters( epay_paycenter_icon ) pre-escaped the default URL violating escape-late; escaping now happens only at output.
Fix: printf() with HTML link replaced with echo wp_kses_post( sprintf() ).
Fix: is_cloudflare_proxied() now uses isset() + is_scalar() guards on CF_RAY / CF_CONNECTING_IP.
Fix: phpcs:ignore added to dbDelta() SQL interpolation in create_tables().
Cleanup: removed orphaned docblock for deleted collect_attempt_stats().

1.0.20

Compliance: text domain corrected from wh4u-* to secure-card-gateway-for-epay-paycenter-piraeus-bank to match WP.org slug. All 179 i18n strings updated; language files renamed.
Compliance: echo generate_settings_html() kept as phpcs:ignore with explanatory comment; wp_kses_post() wrap broke WooCommerce form attributes.
Security: enqueue_admin_settings_assets() now checks current_user_can( manage_woocommerce ) before reading args.
External services: Cloudflare IPv4 fetch documented in readme with terms / privacy links.

1.0.19

Compliance: plugin renamed to WebHosting4U Secure Card Gateway for ePay Paycenter (Piraeus Bank); slug wh4u-* per Guideline 17. External services section fully documented with terms / privacy links. Deprecated libxml_disable_entity_loader() removed.

1.0.18

UI: checkout icon changed from piraeus.svg to responsive wp-cards.png. Block checkout now shows card brands. Front-end CSS enqueued on checkout.

1.0.17

Localisation: Greek translation backfilled with all strings from 1.0.10-1.0.16. POT regenerated.

1.0.16

Fix: decline notice not appearing after bank redirect. Hook priority collision with WooCommerce core resolved (priority 5 vs core 10).

1.0.15

Compliance: failure handler aligned row-by-row with Redirection Manual v2.9 section 5 scenario table. Fixes misleading ResultCode 1048 message; widens 50x matching to 500-599.

1.0.14

Fix: decline message lost after bank redirect due to SameSite=Lax session-cookie stripping. Notices now queued as order-scoped transients (session-independent delivery).

1.0.13

Fix: -1 body when Success/Failure URL is doubled in the Euronet portal. Malformed wc-api values normalised at parse_request.

1.0.12

Declined-transaction handling per Redirection Manual v2.9 section 5. Failure redirect now targets pay-for-order URL. Fixes -1 body via plugins_loaded binding.

1.0.11

Admin diagnostics: Test callback URL button detects host WAF interception before live payments.

1.0.10

Logging: Callback envelope INFO line written on every callback reach for WAF/plugin-reject disambiguation.

1.0.0

Initial release.