WooCommerce Custom Payment Gateway Pro is designed for custom and manual payment workflows — invoices, bank transfers, purchase orders, payment links you send manually, and similar methods where card processing happens outside the plugin.
It is not a PCI-compliant card payment gateway.
Do not collect sensitive card data
Never use custom checkout fields to collect:
- Full credit card numbers
- CVV, CVC, or card security codes
- Card PINs or online banking passwords
- Full magnetic stripe or chip data
Collecting this data through custom fields puts your store and customers at serious risk and may violate PCI DSS requirements.
Use PCI-compliant gateways for card payments
For credit and debit card payments, use a certified payment provider such as:
- Stripe
- PayPal
- WooPayments
- Authorize.Net
- Other tokenized, PCI-compliant WooCommerce gateways
These providers handle card data securely so it never touches your server in raw form.
Deprecated Credit Card field
Older versions of the plugin included a Credit Card custom field. This field is now deprecated.
Current behavior
| Situation | What happens |
|---|---|
| New gateways | Credit Card fields cannot be added |
| Existing gateways with the field | Field works temporarily in Legacy Mode with admin warnings |
| Future update | Field will be removed completely |
Admin warnings you may see
- Action required: Deprecated Credit Card field detected — on the Custom Payment Gateways dashboard
- Inline notice on gateway settings pages with legacy card fields
- Warning in the field builder for deprecated card fields
Recommended action: Remove the Credit Card field from affected gateways and switch to a secure payment processor.
Customer notice
Customers may see a notice on the thank-you page if they used a gateway that still has the deprecated card field. Replace the field as soon as possible.
Sensitive data the plugin blocks
The plugin actively limits handling of sensitive payment credentials:
- CVV/CVC and card security fields — submissions can be blocked and are not stored or sent via API
- Sensitive API payload filtering — card-related keys may be stripped from API requests
- Order notes — when sensitive data is blocked, an order note may record that CVV/CVC was not stored or sent
Do not try to work around these protections by renaming fields to collect card security codes.
Safe use cases for custom fields
Custom checkout fields are appropriate for:
| Safe data | Examples |
|---|---|
| Invoice details | Company name, VAT/Tax ID, billing contact |
| Purchase orders | PO number, cost center, department |
| Payment references | Bank transfer reference, transaction ID |
| Contact information | Accounts payable email, phone number |
| Documents | PO PDF, payment receipt upload (non-card) |
| Agreements | Signature on terms (not card authorization at PCI level) |
| Instructions | Read-only payment guidance |
Merchant payment details vs. customer fields
Payment information you provide (bank details, invoice instructions, payment links, wallet addresses) should be configured in gateway settings or template fields — not collected from customers as free-text input.
If you add checkout fields that look like merchant payment instructions (payment links, QR codes, bank account numbers, wallet addresses), the plugin may show an admin warning. Move that content to gateway settings instead.
File uploads
File upload fields accept configured extensions (default: jpg, jpeg, png, webp, pdf). Dangerous file types are blocked.
Use uploads for receipts and documents — not for images of full card numbers or sensitive credentials.
API requests and data storage
- Review Payload Preview before enabling API requests in production.
- Use HTTPS endpoints only.
- Do not send card data through the API — the plugin filters known sensitive keys, but you must not configure fields to collect them.
- Store Payment Information in the Database can be disabled if you forward data to an API and do not need local storage. Consider privacy and support needs before disabling.
Password fields
The Password field type masks input on screen. It is intended for non-payment secrets (for example, internal reference codes). Do not use it for card numbers or CVV codes.
Summary
| Do | Don’t |
|---|---|
| Use templates for bank transfer, invoice, and manual payment | Collect full card numbers in custom fields |
| Collect PO numbers, company info, and references | Collect CVV/CVC or card security codes |
| Use Stripe/PayPal/etc. for card payments | Rely on the deprecated Credit Card field |
| Remove legacy card fields when warned | Ask customers to paste payment links you should provide |
| Store receipts as file uploads | Store raw card data in order meta or APIs |