WPRuby Logo WPRuby
Log in Get started
  • Plugins
  • Docs
  • Blog
    • eCommerce
    • Plugins
    • How to
    • Coding
  • Affiliate Area
  • Contact Us
  • About Us
  • Plugins
  • Docs
  • Blog
    • eCommerce
    • Plugins
    • How to
    • Coding
  • Affiliate Area
  • Contact Us
  • About Us

WPRuby Account

4
  • How to upgrade your license
  • How to renew your license
  • How to change your plugin’s license domain
  • How to cancel your subscription.

WooCommerce Australia Post Shipping Method Pro

17
  • Installation
  • How to activate your plugin license
  • How to Upgrade from Free to Pro
  • Australia Post Zone Settings
  • Australia Post Global Settings
  • Australia Post Tracking
  • Pre-Paid Satchels
  • How to Mark a Product to be Shipped individually?
  • TroubleShooting and Common issues
  • Available WordPress Actions and Filters
  • [Labels Pro] How to connect the plugin with your MyPost Business account
  • [Labels Pro] How to connect Labels Pro with your eParcel account
  • [Labels Pro] How to create shipping labels?
  • [Labels Pro] How to print labels and create shipping orders.
  • [Labels Pro] Label Printing & Contracted Prices Credentials
  • [Labels Pro] How to Mark a Product as Containing Hazardous Materials?
  • Step by Step Guide on how to migrate to Shipping Zones

WooCommerce Custom Payment Gateway Pro

11
  • Getting Started
  • Custom Payment Gateway Settings
  • Custom Checkout Field Builder
  • Conditional Display Rules
  • Sending Payment Data to an External API
  • How to Create a Pay by Invoice Payment Method
  • How to Create a Manual Payment Link or Review-Based Payment Method
  • Troubleshooting
  • Frequently Asked Questions
  • Security and Sensitive Payment Data
  • How to Upgrade from Free to Pro

WooCommerce Royal Mail Shipping Calculator Pro

4
  • Installation
  • Settings
  • TroubleShooting and Common issues
  • How to activate your plugin license

Controlled Admin Access Pro

3
  • Available Actions for a Restricted Admin
  • Installation
  • Settings

WooCommerce Simple Table Rates Pro

8
  • Installation
  • Settings
  • Rules and Actions
  • How to Setup Weight Based Shipping
  • How To Setup Shipping By Shipping Class
  • How to Setup Shipping by Cart Total
  • How to Setup Shipping by Product
  • How to Setup Shipping by Product Category

WooCommerce Pack IQ

5
  • Installation
  • How to activate your plugin license
  • How to add a new box
  • How to change the boxes weight and dimensions units
  • How to view the packing results

WooCommerce Restricted Shipping and Payment Pro

4
  • Installation
  • Setting Up Shipping Methods Conditions
  • Available Shipping & Payment Rules
  • Setting Up Payment Gateways Conditions

Affiliate Butler PRO

9
  • Installation and Upgrade
  • Quick Start Guide
  • Settings
  • Keywords Management
  • Installation
  • Frequently Asked Questions
  • Files Structure
  • Links Types
  • Statistics

WooCommerce Adyen Payment Gateway

2
  • Setup the Adyen payment gateway
  • How to configure Adyen Webhook notifications? 

WooCommerce Free Shipping Per Product

2
  • Installation
  • How to setup free shipping for a certain product

WooCommerce UPS Shipping Method Pro

4
  • Installation
  • UPS Zone Settings
  • UPS Global Settings
  • How to get the UPS Access Key?

Delivery Promise for WooCommerce

9
  • Getting Started
  • Understanding Processing Time vs Transit Time
  • Setting the Cutoff Countdown
  • Configuring Default Delivery Estimates
  • Creating Delivery Rules
  • Setting Working Days and Holidays
  • Using Rule Presets
  • Product-Level Lead Times
  • Why the “Order Within” Countdown Is Not Showing
View Categories
  • Home
  • Knowledge Base
  • WooCommerce Custom Payment Gateway Pro
  • Security and Sensitive Payment Data

Security and Sensitive Payment Data

Waseem
Updated on July 7, 2026

4 min read

WooCommerce Custom Payment Gateway Pro is designed for custom and manual payment workflows — invoices, bank transfers, purchase orders, payment links you send manually, and similar methods where card processing happens outside the plugin.

It is not a PCI-compliant card payment gateway.


Table of Contents

Toggle
  • Do not collect sensitive card data
    • Use PCI-compliant gateways for card payments
  • Deprecated Credit Card field
    • Current behavior
    • Admin warnings you may see
    • Customer notice
  • Sensitive data the plugin blocks
  • Safe use cases for custom fields
  • Merchant payment details vs. customer fields
  • File uploads
  • API requests and data storage
  • Password fields
  • Summary

Do not collect sensitive card data

Never use custom checkout fields to collect:

  • Full credit card numbers
  • CVV, CVC, or card security codes
  • Card PINs or online banking passwords
  • Full magnetic stripe or chip data

Collecting this data through custom fields puts your store and customers at serious risk and may violate PCI DSS requirements.

Use PCI-compliant gateways for card payments

For credit and debit card payments, use a certified payment provider such as:

  • Stripe
  • PayPal
  • WooPayments
  • Authorize.Net
  • Other tokenized, PCI-compliant WooCommerce gateways

These providers handle card data securely so it never touches your server in raw form.


Deprecated Credit Card field

Older versions of the plugin included a Credit Card custom field. This field is now deprecated.

Current behavior

SituationWhat happens
New gatewaysCredit Card fields cannot be added
Existing gateways with the fieldField works temporarily in Legacy Mode with admin warnings
Future updateField will be removed completely

Admin warnings you may see

  • Action required: Deprecated Credit Card field detected — on the Custom Payment Gateways dashboard
  • Inline notice on gateway settings pages with legacy card fields
  • Warning in the field builder for deprecated card fields

Recommended action: Remove the Credit Card field from affected gateways and switch to a secure payment processor.

Customer notice

Customers may see a notice on the thank-you page if they used a gateway that still has the deprecated card field. Replace the field as soon as possible.


Sensitive data the plugin blocks

The plugin actively limits handling of sensitive payment credentials:

  • CVV/CVC and card security fields — submissions can be blocked and are not stored or sent via API
  • Sensitive API payload filtering — card-related keys may be stripped from API requests
  • Order notes — when sensitive data is blocked, an order note may record that CVV/CVC was not stored or sent

Do not try to work around these protections by renaming fields to collect card security codes.


Safe use cases for custom fields

Custom checkout fields are appropriate for:

Safe dataExamples
Invoice detailsCompany name, VAT/Tax ID, billing contact
Purchase ordersPO number, cost center, department
Payment referencesBank transfer reference, transaction ID
Contact informationAccounts payable email, phone number
DocumentsPO PDF, payment receipt upload (non-card)
AgreementsSignature on terms (not card authorization at PCI level)
InstructionsRead-only payment guidance

Merchant payment details vs. customer fields

Payment information you provide (bank details, invoice instructions, payment links, wallet addresses) should be configured in gateway settings or template fields — not collected from customers as free-text input.

If you add checkout fields that look like merchant payment instructions (payment links, QR codes, bank account numbers, wallet addresses), the plugin may show an admin warning. Move that content to gateway settings instead.


File uploads

File upload fields accept configured extensions (default: jpg, jpeg, png, webp, pdf). Dangerous file types are blocked.

Use uploads for receipts and documents — not for images of full card numbers or sensitive credentials.


API requests and data storage

  • Review Payload Preview before enabling API requests in production.
  • Use HTTPS endpoints only.
  • Do not send card data through the API — the plugin filters known sensitive keys, but you must not configure fields to collect them.
  • Store Payment Information in the Database can be disabled if you forward data to an API and do not need local storage. Consider privacy and support needs before disabling.

Password fields

The Password field type masks input on screen. It is intended for non-payment secrets (for example, internal reference codes). Do not use it for card numbers or CVV codes.


Summary

DoDon’t
Use templates for bank transfer, invoice, and manual paymentCollect full card numbers in custom fields
Collect PO numbers, company info, and referencesCollect CVV/CVC or card security codes
Use Stripe/PayPal/etc. for card paymentsRely on the deprecated Credit Card field
Remove legacy card fields when warnedAsk customers to paste payment links you should provide
Store receipts as file uploadsStore raw card data in order meta or APIs

Frequently Asked QuestionsHow to Upgrade from Free to Pro
WPRuby Logo WPRuby

In 2015, WPRuby was established as an independent agency where we focus on producing and supporting many WordPress plugins. Each product we develop is simple to use and easy to customize and backed by awesome support and regular updates.

Resources

  • Knowledge Base
  • Affiliate Area
  • About Us
  • WPTools
  • Nomad Jar

Legal

  • Privacy Policy
  • Terms of Use

Follow us

  • Github
  • X.com
  • LinkedIn
  • Facebook

© 2026 - WPRuby