WebHosting4U Secure Card Gateway for ePay Paycenter (Piraeus Bank)
What sets this plugin apart
- HPOS-native from day one. Built against WooCommerce’s High-Performance Order Storage from the very first release. All order metadata uses the HPOS-aware $order->update_meta_data() / get_meta() API — never the legacy update_post_meta() / get_post_meta() calls that silently fail on HPOS-enabled stores (the WooCommerce default for new installs since 8.x). Your transaction IDs, support reference IDs, and approval codes are preserved whichever storage mode you run.
- Cloudflare-aware. Automatically detects when your store is served through Cloudflare (via the CF-Ray / CF-Connecting-IP request headers) and surfaces the current Cloudflare IPv4 CIDR ranges right in the gateway settings page, ready to copy. You hand them to Euronet Merchant Services so the bank’s callbacks are not blocked at their firewall when they arrive via Cloudflare edge IPs. Live list fetched from cloudflare.com/ips-v4 and cached for 12 hours.
- Built-in WAF / callback self-test. A diagnostic button in the gateway settings sends a realistic, declined-transaction-shaped POST to your own callback URL via loopback and reports whether your host’s web-application firewall (cPFence, ModSecurity / OWASP CRS, Imunify360, BitNinja, LiteSpeed WAF) silently blocks it before PHP runs. No real order is created or modified — the synthetic payload carries a WAFTEST- merchant reference that cannot match any order in the database. Catches the class of “callbacks never arrive” problems before they cost you a sale.
- Modern admin UI. Card-based layout, dashicons throughout, one-click Copy-to-clipboard for all callback URLs grouped in a single block, environment badge (Test / Live / Production) on the credentials section, collapsible Cloudflare details. Audited against WordPress 7.0’s “Modern” admin theme.
- Audited for WordPress 7.0 on release day. Reviewed against the full WordPress 7.0 Field Guide breaking-changes list on 2026-05-20. “Tested up to: 7.0” from the very first stable release. The plugin requires PHP 7.4 (the new WordPress 7.0 minimum) and uses no APIs deprecated in 7.0.
- Fully bilingual (EN + EL). All 179 admin and customer-facing strings translated to Greek and shipped as both classic .mo and WordPress 6.5+ performant .l10n.php payloads. The wp.org page itself ships with an English readme.txt that opens with a Greek summary, plus a parallel full Greek readme-el.txt companion file inside the plugin folder for Greek-speaking merchants.
Greek:
Independent WooCommerce payment gateway plugin from WebHosting4U for the ePay Paycenter Redirection service of Piraeus Bank / Euronet Merchant Services. It fully implements the official Redirection v2.9 specification:
- Issuing of a unique ticket (TranTicket) through the SOAP Ticketing Web Service with UTF-8 encoding.
- Automatic POST redirection to the bank’s secure payment page (pay.aspx); card data never passes through the store’s server.
- Full HMAC-SHA256 HashKey verification on every successful response before the order is marked as paid.
- Support for Sale and Preauthorization transactions.
- Support for IRIS Payments (instant payments via DIAS). When Euronet Merchant Services enables IRIS on your contract, the bank’s payment page shows the customer both options (card or IRIS). The plugin recognises IRIS responses, stores the payment channel on the order, and displays messages tailored to the IRIS scenarios (cancellation from the bank app, 5-minute QR expiry, IRIS service error, etc.).
- 3-D Secure fields populated from the WooCommerce billing / shipping address.
- Compatibility with HPOS (Custom Order Tables) and WooCommerce Blocks checkout.
Prerequisite: you must have a signed acquiring contract with Euronet Merchant Services / Piraeus Bank and hold the credentials AcquirerId, MerchantId, PosId, Username, Password. The plugin does not provide test accounts of its own.
The full Greek translation of the plugin’s WordPress.org page will be available through translate.wordpress.org once it has been approved by the community. See also the accompanying readme-el.txt for the complete Greek documentation.
English:
This plugin integrates WooCommerce with the ePay Paycenter Redirection service operated by Piraeus Bank / Euronet Merchant Services. It implements the official Redirection v2.9 specification end to end:
- SOAP Ticketing Web Service (IssueNewTicket) with UTF-8 payload.
- Auto-submitted HTML form POST redirection to the Paycenter secure payment page (pay.aspx) so card data never touches your server.
- Full HMAC-SHA256 HashKey verification for every successful callback before marking an order as paid.
- Support for Sale and Preauthorization transactions.
- IRIS payments (Greek instant payment / DIAS) accepted transparently when enabled by Euronet Merchant Services on the merchant agreement. The bank’s hosted page presents card and IRIS as the two payment options; the plugin recognises the IRIS-specific response payload (CardType=15, PaymentMethod=IRIS), surfaces IRIS-tailored decline messages for the IRIS-only ResponseCodes (05 user-cancelled-in-bank-app, 06 service error, 09 pending, 68 5-minute QR timeout, 70 IRIS service error) and records the channel on the order so card vs IRIS settlements are distinguishable in your reports.
- 3-D Secure auxiliary fields populated from the WooCommerce billing / shipping address.
- HPOS (Custom Order Tables) and WooCommerce Blocks checkout support.
You must have signed an acquiring contract with Euronet Merchant
Services / Piraeus Bank and obtained AcquirerId, MerchantId, PosId,
Username and Password credentials before using this plugin. The
plugin does not provide test or sandbox accounts on its own; please
contact Euronet Merchant Services to request one.
Affiliation and trademark notice
This plugin is independent software published by WebHosting4U and is
not affiliated with, endorsed by, sponsored by, or otherwise officially
connected to Piraeus Bank S.A., Euronet Merchant Services, or
Automattic Inc. The third-party names “ePay”, “Paycenter”, “Piraeus Bank”
and “WooCommerce” are trademarks of their respective owners and are
used here in good faith, after the unaffiliation marker “for”, solely
to describe the third-party service this plugin integrates with, in
line with the WordPress.org Detailed Plugin Guidelines on third-party
trademarks. The bundled accepted card brands image
(assets/img/wp-cards.png) is included with the rights-holder’s
authorization for the merchant distribution scope of this plugin.
User tracking and consent
This plugin does not load any analytics, telemetry, advertising, fingerprinting, profiling or behavioural tracking code, neither on the storefront nor in the WordPress admin. It does not set cookies on visitor browsers, does not contact any first-party or third-party analytics endpoint, and does not collect aggregated or individual usage statistics from the merchant’s installation. The only outbound network traffic the plugin generates is the strictly transactional traffic documented in the External services section below, which is required to complete a payment the merchant has explicitly configured the plugin to perform. No user-tracking consent prompt is therefore required by this plugin (Plugin Review Team Guidelines 7 and 9).
External services
This plugin reaches out to three external services. Two are operated by Euronet Merchant Services on behalf of Piraeus Bank S.A. for the “ePay Paycenter” payment redirection product (mandatory for the plugin’s core function). The third is a publicly available Cloudflare endpoint used only in the admin panel to help store owners configure firewall rules for payment callbacks.
1. ePay Paycenter Ticketing Web Service
- What it is: a SOAP / ASMX endpoint published by Euronet Merchant Services that issues a single-use TranTicket for each card payment attempt. The ticket is then handed to the customer’s browser as a hidden form field that POSTs to the secure payment page, so cardholder data never touches the merchant server.
- Endpoint: https://paycenter.piraeusbank.gr/services/tickets/issuer.asmx
- What is sent: the merchant credentials provided by Euronet Merchant Services (AcquirerId, MerchantId, PosId, Username and an MD5 hash of the Password), the order’s MerchantReference (numeric WooCommerce order id with a short random suffix), the transaction amount and ISO 4217 numeric currency code, the request type (Sale or Preauthorization), and the 3-D Secure auxiliary fields populated from the WooCommerce order: billing email, cardholder name, billing address (city / lines / post code / state / ISO 3166 numeric country code), shipping address when present, and the customer’s mobile phone number formatted as CC-Number. No cardholder data, no PAN, no CVV, no expiry, and no analytics identifier is ever transmitted; cardholder data is collected exclusively on the bank’s secure payment page.
- When it is sent: once per successful checkout submission, at the moment WooCommerce hands control to the gateway’s Pay for order page, immediately before the customer is auto-redirected to the bank.
2. ePay Paycenter Redirection page
- What it is: the bank-hosted secure payment page where the customer enters card details and completes the 3-D Secure challenge. The plugin renders an auto-submitted HTML form whose action attribute is the URL below.
- Endpoint: https://paycenter.piraeusbank.gr/redirection/pay.aspx
- What is sent: the merchant identifiers (AcquirerId, MerchantId, PosId, User), the language code, the MerchantReference issued during ticketing, and a per-order ParamBackLink so the bank’s Cancel button returns the customer to the correct WordPress endpoint. The TranTicket itself is read by the customer’s browser from the hidden form field; the merchant server is not the originator of the redirect POST.
- When it is sent: once per checkout, immediately after the Ticketing call above succeeds.
- Inbound counterpart: Paycenter posts a signed transaction response (HMAC-SHA256 HashKey) back to the plugin’s WC-API callback URL on the merchant site (https://<merchant-site>/?wc-api=epay_paycenter). This is the same service – the merchant site is the Notification / Success / Failure / Backlink target the merchant configures in the Euronet portal. No data leaves the merchant server on this inbound leg; the plugin only reads, verifies, and acts on the response.
Service operator and legal links
Both endpoints above are operated by Euronet Merchant Services (epay) for Piraeus Bank S.A. Before activating the gateway, merchants must review and agree to the operator’s terms and privacy policy:
- Service homepage: https://epayworldwide.com/ (Euronet Merchant Services / epay corporate site)
- Greek market homepage: https://www.epaygreece.gr/
- Terms of Service: https://www.epaygreece.gr/oroi-xrisis/
- Privacy Policy: https://www.epaygreece.gr/politiki-aporritou/
- Piraeus Bank corporate site: https://www.piraeusbank.gr/
- Piraeus Bank Privacy Policy: https://www.piraeusbank.gr/en/idiwtes/protection-of-personal-data
If any of the above URLs change after publication, please consult the live operator websites for the current version of the relevant document. The plugin’s behaviour is not affected by such updates because the operator’s terms apply to the merchant’s relationship with Euronet Merchant Services / Piraeus Bank, not to the plugin itself. Merchants remain responsible for keeping their own privacy policy and terms aligned with the data flows documented above (notably the transmission of billing / shipping address fields and customer email / phone to the bank for 3-D Secure authentication).
3. Cloudflare IPv4 list
- What it is: a publicly available plain-text file published by Cloudflare, Inc. that lists the current IPv4 CIDR ranges used by Cloudflare’s edge network. The plugin fetches this file once every 12 hours (or 15 minutes on failure) via wp_safe_remote_get() and caches the result in a WordPress transient.
- Endpoint: https://www.cloudflare.com/ips-v4/
- What is sent: a standard HTTP GET request with no personal data, no order information, no credentials, and no cookies. The only identifying information in the request is the plugin’s User-Agent string (secure-card-gateway-for-epay-paycenter-piraeus-bank/VERSION).
- Why: when the plugin’s admin settings page detects that the WordPress site is served through Cloudflare (via the CF-Ray / CF-Connecting-IP / CDN-Loop request headers), it displays the current Cloudflare IPv4 ranges so the store owner can copy them into an email to Euronet Merchant Services to whitelist them for payment callbacks. Without this list, callbacks routed through Cloudflare edge IPs may be rejected by the bank’s firewall.
- When: only when an administrator views the gateway’s WooCommerce settings page and Cloudflare is detected on the incoming request. It is never triggered on the storefront or by guest/customer visits.
- Cloudflare service homepage: https://www.cloudflare.com/
- Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
- Cloudflare Terms of Service: https://www.cloudflare.com/terms/
No data is sent to any third party other than the three endpoints listed above.
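An added example, not the plugin's own code, for the Cloudflare list handling described in section 3: it rejects any fetched body that is not purely IPv4 CIDR lines, picks the 12-hour or 15-minute cache lifetime, and goes beyond the header-only detection the page describes by also requiring the peer address to fall inside a cached range. All example_* names are hypothetical; it assumes 64-bit PHP 7.4+ and that REMOTE_ADDR is the direct TCP peer of the web server.

```php
<?php
// Added example, not the plugin's code. Function and constant names are hypothetical.
// Assumes 64-bit PHP 7.4+ and that REMOTE_ADDR is the direct TCP peer of the web server.
const EXAMPLE_TTL_OK   = 12 * 3600; // cache lifetime after a good fetch (12 hours)
const EXAMPLE_TTL_FAIL = 15 * 60;   // retry interval after a failed fetch (15 minutes)

// Return the CIDR lines, or null unless every line is a well-formed IPv4 range.
function example_parse_ranges(string $body): ?array {
    $ranges = [];
    foreach (preg_split('/\R/', trim($body)) as $line) {
        if (!preg_match('#^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$#', trim($line), $m)
            || !filter_var($m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) || (int) $m[2] > 32) {
            return null; // e.g. an HTML block page: reject the whole body
        }
        $ranges[] = $m[0];
    }
    return $ranges;
}

// What to store in the cache, and for how long, after one fetch attempt.
function example_cache_decision(int $status, string $body): array {
    $ranges = $status === 200 ? example_parse_ranges($body) : null;
    return $ranges === null ? ['ranges' => [], 'ttl' => EXAMPLE_TTL_FAIL]
                            : ['ranges' => $ranges, 'ttl' => EXAMPLE_TTL_OK];
}

function example_ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2);
    $a = ip2long($ip);
    $b = ip2long($net);
    if ($a === false || $b === false) { return false; }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($a & $mask) === ($b & $mask);
}

// Cloudflare header present AND the peer address inside a cached range.
function example_served_via_cloudflare(array $server, array $ranges): bool {
    $peer = $server['REMOTE_ADDR'] ?? '';
    $hasHeader = !empty($server['HTTP_CF_RAY']) || !empty($server['HTTP_CF_CONNECTING_IP']);
    $hits = array_filter($ranges, fn($cidr) => example_ip_in_cidr($peer, $cidr));
    return $hasHeader && count($hits) > 0;
}

// Constructed sample data: RFC 5737 documentation ranges stand in for the real list.
$good = example_cache_decision(200, "192.0.2.0/24\n198.51.100.0/24\n");
$bad  = example_cache_decision(200, '<html>Access denied</html>');
$req  = ['HTTP_CF_RAY' => 'constructed-ray-id', 'REMOTE_ADDR' => '192.0.2.10'];
var_dump($good['ttl'], $bad['ttl'], example_served_via_cloudflare($req, $good['ranges']));
var_dump(example_served_via_cloudflare(['REMOTE_ADDR' => '203.0.113.9'] + $req, $good['ranges']));
```

Inside WordPress, the status and body would come from wp_remote_retrieve_response_code() and wp_remote_retrieve_body() applied to the wp_safe_remote_get() result, and the returned ttl would be passed to set_transient().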
