Pay4All Age Verification
Pay4All Age Verification blocks any order containing age-restricted products until the customer has uploaded a valid ID (recto + verso) and/or two selfies. Photos are captured either directly on the customer’s desktop or, more commonly, through a QR code that hands off to their smartphone.
The plugin plugs into Pay4All Shop (pay4all-form). Install it alongside Pay4All Shop and it will only surface where a form contains an age-restricted product.
WooCommerce support
For WooCommerce stores that want the complete verification flow : including a QR-code checkout panel and a product-level checkbox — the WooCommerce integration is available in the paid Pay4All Pro add-on, distributed through pay4all.ch and not through WordPress.org.
How it works
- Merchant ticks Requires age verification on any product edit screen (Pay4All Shop product).
- When a customer adds such a product to their form, a panel appears in the KYC step showing a QR code.
- Customer scans the QR with their phone -> the mobile capture page opens -> they take the required photos with their phone camera.
- The desktop form polls the server every 4 seconds and unlocks automatically when every required slot is filled — no page refresh needed.
- On order submit, the encrypted photos are moved from the session bucket to the order-scoped bucket, and are only decrypted on demand by an admin from the order edit screen.
Security
- Photos are encrypted with AES-256-GCM using a per-order (or per-user) subkey derived via HMAC-SHA256 from a master key.
- Ciphertexts live in a private folder guarded, so they are never web-servable.
- Admin decryption endpoint is nonce-protected and requires the
edit_userscapability. - Photos are auto-purged when the order (or user) is permanently deleted.
WPML / Polylang
Multilingual-aware : when the Requires age verification flag is set on a source product, every translation is treated as age-restricted too — even if the flag hasn’t been mirrored to the translation.
Available languages
Français (fr_FR), Deutsch (de_DE), Italiano (it_IT), English (en_US).
External services
This plugin does not connect to any external service. Everything runs on the site: photo capture, encryption, storage and admin decryption are all local. No data is sent to any third-party server.
Source code
The complete, non-minified source of this plugin is bundled inside the ZIP itself. Every PHP, CSS and JavaScript file is human-readable and directly editable. No compiler, transpiler or bundler is required to work on this plugin.