What sets this plugin apart

HPOS-native from day one. Built against WooCommerce’s High-Performance Order Storage from the very first release. All order metadata uses the HPOS-aware $order->update_meta_data() / get_meta() API — never the legacy update_post_meta() / get_post_meta() calls that silently fail on HPOS-enabled stores (the WooCommerce default for new installs since 8.x). Your transaction IDs, support reference IDs, and approval codes are preserved whichever storage mode you run.
Cloudflare-aware. Automatically detects when your store is served through Cloudflare (via the CF-Ray / CF-Connecting-IP request headers) and surfaces the current Cloudflare IPv4 CIDR ranges right in the gateway settings page, ready to copy. You hand them to Euronet Merchant Services so the bank’s callbacks are not blocked at their firewall when they arrive via Cloudflare edge IPs. Live list fetched from cloudflare.com/ips-v4 and cached for 12 hours.
Built-in WAF / callback self-test. A diagnostic button in the gateway settings sends a realistic, declined-transaction-shaped POST to your own callback URL via loopback and reports whether your host’s web-application firewall (cPFence, ModSecurity / OWASP CRS, Imunify360, BitNinja, LiteSpeed WAF) silently blocks it before PHP runs. No real order is created or modified — the synthetic payload carries a WAFTEST- merchant reference that cannot match any order in the database. Catches the class of “callbacks never arrive” problems before they cost you a sale.
Modern admin UI. Card-based layout, dashicons throughout, one-click Copy-to-clipboard for all callback URLs grouped in a single block, environment badge (Test / Live / Production) on the credentials section, collapsible Cloudflare details. Audited against WordPress 7.0’s “Modern” admin theme.
Audited for WordPress 7.0 on release day. Reviewed against the full WordPress 7.0 Field Guide breaking-changes list on 2026-05-20. “Tested up to: 7.0” from the very first stable release. The plugin requires PHP 7.4 (the new WordPress 7.0 minimum) and uses no APIs deprecated in 7.0.
Fully bilingual (EN + EL). All 179 admin and customer-facing strings translated to Greek and shipped as both classic .mo and WordPress 6.5+ performant .l10n.php payloads. The wp.org page itself ships with an English readme.txt that opens with a Greek summary, plus a parallel full Greek readme-el.txt companion file inside the plugin folder for Greek-speaking merchants.

Ελληνικά:

Ανεξάρτητο πρόσθετο πύλης πληρωμής WooCommerce από τη WebHosting4U για
την υπηρεσία ePay Paycenter Redirection της Τράπεζας Πειραιώς /
Euronet Merchant Services. Υλοποιεί πλήρως την επίσημη προδιαγραφή
Redirection v2.9:

Έκδοση μοναδικού εισιτηρίου (TranTicket) μέσω SOAP Ticketing Web
Service με κωδικοποίηση UTF-8.
Αυτόματη ανακατεύθυνση POST στην ασφαλή σελίδα πληρωμής της τράπεζας
(pay.aspx) — τα δεδομένα κάρτας δεν περνούν ποτέ από τον διακομιστή
του καταστήματος.
Πλήρης επαλήθευση HashKey HMAC-SHA256 σε κάθε επιτυχημένη απάντηση
πριν χαρακτηριστεί η παραγγελία ως εξοφλημένη.
Υποστήριξη συναλλαγών Sale και Προέγκρισης (Preauthorization).
Υποστήριξη IRIS Payments (άμεσες πληρωμές μέσω ΔΙΑΣ). Όταν η
Euronet Merchant Services ενεργοποιήσει το IRIS στη σύμβασή σας, η
σελίδα πληρωμής της τράπεζας εμφανίζει στον πελάτη και τις δύο
επιλογές (κάρτα ή IRIS). Το πρόσθετο αναγνωρίζει τις απαντήσεις IRIS,
αποθηκεύει το κανάλι πληρωμής στην παραγγελία, και εμφανίζει
μηνύματα προσαρμοσμένα στα IRIS σενάρια (ακύρωση από την εφαρμογή
τράπεζας, λήξη QR 5 λεπτών, σφάλμα υπηρεσίας IRIS κ.λπ.).
Συμπλήρωση πεδίων 3-D Secure από τη διεύθυνση χρέωσης / αποστολής
του WooCommerce.
Συμβατότητα με HPOS (Custom Order Tables) και WooCommerce Blocks
checkout.

Προϋπόθεση: πρέπει να έχετε υπογεγραμμένο συμβόλαιο αποδοχής με την
Euronet Merchant Services / Τράπεζα Πειραιώς και να διαθέτετε τα
διαπιστευτήρια AcquirerId, MerchantId, PosId, Username,
Password. Το πρόσθετο δεν παρέχει δικούς του δοκιμαστικούς
λογαριασμούς.

Η πλήρης ελληνική μετάφραση της σελίδας του προσθέτου στο WordPress.org
θα είναι διαθέσιμη μέσω του translate.wordpress.org
μόλις εγκριθεί από την κοινότητα. Δείτε επίσης το συνοδευτικό
readme-el.txt για την ολοκληρωμένη ελληνική τεκμηρίωση.

English:

This plugin integrates WooCommerce with the ePay Paycenter Redirection
service operated by Piraeus Bank / Euronet Merchant Services. It implements
the official Redirection v2.9 specification end to end:

SOAP Ticketing Web Service (IssueNewTicket) with UTF-8 payload.
Auto-submitted HTML form POST redirection to the Paycenter secure
payment page (pay.aspx) so card data never touches your server.
Full HMAC-SHA256 HashKey verification for every successful callback
before marking an order as paid.
Support for Sale and Preauthorization transactions.
IRIS payments (Greek instant payment / DIAS) accepted transparently
when enabled by Euronet Merchant Services on the merchant agreement.
The bank’s hosted page presents card and IRIS as the two payment
options; the plugin recognises the IRIS-specific response payload
(CardType=15, PaymentMethod=IRIS), surfaces IRIS-tailored decline
messages for the IRIS-only ResponseCodes (05 user-cancelled-in-bank-app,
06 service error, 09 pending, 68 5-minute QR timeout, 70 IRIS service
error) and records the channel on the order so card vs IRIS settlements
are distinguishable in your reports.
3-D Secure auxiliary fields populated from the WooCommerce billing /
shipping address.
HPOS (Custom Order Tables) and WooCommerce Blocks checkout support.

You must have signed an acquiring contract with Euronet Merchant
Services / Piraeus Bank and obtained AcquirerId, MerchantId, PosId,
Username and Password credentials before using this plugin. The
plugin does not provide test or sandbox accounts on its own; please
contact Euronet Merchant Services to request one.

Affiliation and trademark notice

This plugin is independent software published by WebHosting4U and is
not affiliated with, endorsed by, sponsored by, or otherwise officially
connected to Piraeus Bank S.A., Euronet Merchant Services, or
Automattic Inc. The third-party names “ePay”, “Paycenter”, “Piraeus Bank”
and “WooCommerce” are trademarks of their respective owners and are
used here in good faith, after the unaffiliation marker “for”, solely
to describe the third-party service this plugin integrates with, in
line with the WordPress.org Detailed Plugin Guidelines on third-party
trademarks. The bundled accepted card brands image
(assets/img/wp-cards.png) is included with the rights-holder’s
authorization for the merchant distribution scope of this plugin.

User tracking and consent

This plugin does not load any analytics, telemetry, advertising,
fingerprinting, profiling or behavioural tracking code, neither on the
storefront nor in the WordPress admin. It does not set cookies on
visitor browsers, does not contact any first-party or third-party
analytics endpoint, and does not collect aggregated or individual
usage statistics from the merchant’s installation. The only outbound
network traffic the plugin generates is the strictly transactional
traffic documented in the External services section below, which
is required to complete a payment the merchant has explicitly
configured the plugin to perform. No user-tracking consent prompt is
therefore required by this plugin (Plugin Review Team Guidelines 7
and 9).

External services

This plugin reaches out to three external services. Two are operated
by Euronet Merchant Services on behalf of Piraeus Bank S.A. for the
“ePay Paycenter” payment redirection product (mandatory for the
plugin’s core function). The third is a publicly available Cloudflare
endpoint used only in the admin panel to help store owners configure
firewall rules for payment callbacks.

1. ePay Paycenter Ticketing Web Service

What it is: a SOAP / ASMX endpoint published by Euronet Merchant
Services that issues a single-use TranTicket for each card
payment attempt. The ticket is then handed to the customer’s
browser as a hidden form field that POSTs to the secure payment
page, so cardholder data never touches the merchant server.
Endpoint: https://paycenter.piraeusbank.gr/services/tickets/issuer.asmx
What is sent: the merchant credentials provided by Euronet Merchant
Services (AcquirerId, MerchantId, PosId, Username and an MD5 hash
of the Password), the order’s MerchantReference (numeric WooCommerce
order id with a short random suffix), the transaction amount and
ISO 4217 numeric currency code, the request type (Sale or
Preauthorization), and the 3-D Secure auxiliary fields populated
from the WooCommerce order: billing email, cardholder name,
billing address (city / lines / post code / state / ISO 3166
numeric country code), shipping address when present, and the
customer’s mobile phone number formatted as CC-Number. No
cardholder data, no PAN, no CVV, no expiry, and no analytics
identifier is ever transmitted; cardholder data is collected
exclusively on the bank’s secure payment page.
When it is sent: once per successful checkout submission, at the
moment WooCommerce hands control to the gateway’s
Pay for order page, immediately before the customer is
auto-redirected to the bank.

2. ePay Paycenter Redirection page

What it is: the bank-hosted secure payment page where the customer
enters card details and completes the 3-D Secure challenge. The
plugin renders an auto-submitted HTML form whose action attribute
is the URL below.
Endpoint: https://paycenter.piraeusbank.gr/redirection/pay.aspx
What is sent: the merchant identifiers (AcquirerId, MerchantId,
PosId, User), the language code, the MerchantReference issued
during ticketing, and a per-order ParamBackLink so the bank’s
Cancel button returns the customer to the correct WordPress
endpoint. The TranTicket itself is read by the customer’s
browser from the hidden form field; the merchant server is not
the originator of the redirect POST.
When it is sent: once per checkout, immediately after the
Ticketing call above succeeds.
Inbound counterpart: Paycenter posts a signed transaction
response (HMAC-SHA256 HashKey) back to the plugin’s WC-API
callback URL on the merchant site
(https://<merchant-site>/?wc-api=epay_paycenter). This is the
same service – the merchant site is the Notification / Success /
Failure / Backlink target the merchant configures in the
Euronet portal. No data leaves the merchant server on this
inbound leg; the plugin only reads, verifies, and acts on the
response.

Service operator and legal links

Both endpoints above are operated by Euronet Merchant Services
(epay) for Piraeus Bank S.A.. Before activating the gateway,
merchants must review and agree to the operator’s terms and
privacy policy:

Service homepage: https://epayworldwide.com/ (Euronet Merchant
Services / epay corporate site)
Greek market homepage: https://www.epaygreece.gr/
Terms of Service: https://www.epaygreece.gr/oroi-xrisis/
Privacy Policy: https://www.epaygreece.gr/politiki-aporritou/
Piraeus Bank corporate site: https://www.piraeusbank.gr/
Piraeus Bank Privacy Policy: https://www.piraeusbank.gr/en/idiwtes/protection-of-personal-data

If any of the above URLs change after publication, please consult
the live operator websites for the current version of the relevant
document. The plugin’s behaviour is not affected by such updates
because the operator’s terms apply to the merchant’s relationship
with Euronet Merchant Services / Piraeus Bank, not to the plugin
itself. Merchants remain responsible for keeping their own
privacy policy and terms aligned with the data flows documented
above (notably the transmission of billing / shipping address
fields and customer email / phone to the bank for 3-D Secure
authentication).

3. Cloudflare IPv4 list

What it is: a publicly available plain-text file published by
Cloudflare, Inc. that lists the current IPv4 CIDR ranges used by
Cloudflare’s edge network. The plugin fetches this file once every
12 hours (or 15 minutes on failure) via wp_safe_remote_get() and
caches the result in a WordPress transient.
Endpoint: https://www.cloudflare.com/ips-v4/
What is sent: a standard HTTP GET request with no personal data,
no order information, no credentials, and no cookies. The only
identifying information in the request is the plugin’s User-Agent
string (secure-card-gateway-for-epay-paycenter-piraeus-bank/VERSION).
Why: when the plugin’s admin settings page detects that the
WordPress site is served through Cloudflare (via the CF-Ray /
CF-Connecting-IP / CDN-Loop request headers), it displays the
current Cloudflare IPv4 ranges so the store owner can copy them
into an email to Euronet Merchant Services to whitelist them for
payment callbacks. Without this list, callbacks routed through
Cloudflare edge IPs may be rejected by the bank’s firewall.
When: only when an administrator views the gateway’s WooCommerce
settings page and Cloudflare is detected on the incoming request.
It is never triggered on the storefront or by guest/customer visits.
Cloudflare service homepage: https://www.cloudflare.com/
Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
Cloudflare Terms of Service: https://www.cloudflare.com/terms/

No data is sent to any third party other than the three endpoints
listed above.

WebHosting4U Secure Card Gateway for ePay Paycenter (Piraeus Bank)