Why Woopay v2 Is the Most Secure WooCommerce Payment Gateway in 2026
PCI-DSS 4.0 tokenisation, signed webhooks, per-domain licence binding and mandatory 3-D Secure 2 — a tour of what changed under the hood in Woopay v2.
Security is a moving target
PCI-DSS 4.0 became mandatory in March 2025, and every WooCommerce gateway that handles PANs on the merchant's server had to rewrite big chunks of its stack. Woopay v2 is our full rewrite for that world — and it also closes a handful of common WooCommerce attack vectors that never had anything to do with cards in the first place.
What actually changed
- No card data ever touches your server. The v2 checkout mounts an isolated PayPal-hosted card field via the JS SDK. Your WordPress process only ever sees a one-time payment token.
- Signed webhooks. Every capture, refund and dispute event Woopay sends to your store carries an HMAC-SHA256 signature in a request header. If the signature is missing or wrong, the request is dropped.
- Per-domain licence binding. Your licence key is bound to the exact hostname you activate it on. Cloning the plugin to a staging domain no longer silently processes live transactions.
- Mandatory 3-D Secure 2. Every European card must clear SCA. You can't turn this off, and we log the liability-shift flag against every order so you have evidence in a chargeback.
- Nonces on every admin action. Refunds, voids, subscription pauses and licence resets all require a fresh WordPress nonce.
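How the store-side check behind the signed-webhooks item can look, as an added example that is not Woopay's own code. The hex encoding of the signature, the secret and the sample event are assumptions, since the page does not specify them.

```php
<?php
// Added example, not Woopay's code. The hex-encoded signature format and the
// shared secret are assumptions; the page only states that events are signed
// with HMAC-SHA256 and dropped when the signature is missing or wrong.

/**
 * Verify a webhook signature over the raw request body.
 *
 * @param string      $rawBody   Body bytes exactly as received (before json_decode).
 * @param string|null $signature Value of the signature header, or null if absent.
 * @param string      $secret    Shared webhook secret.
 */
function verify_webhook_signature(string $rawBody, ?string $signature, string $secret): bool
{
    // A missing or malformed header is a failure, never a bypass.
    if ($signature === null || !preg_match('/\A[0-9a-f]{64}\z/i', $signature)) {
        return false;
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    // hash_equals() compares in constant time, so response timing does not
    // reveal how much of a guessed signature was correct.
    return hash_equals($expected, strtolower($signature));
}

// Constructed sample data so the script runs stand-alone.
$secret = 'constructed-test-secret';
$body   = '{"event": "capture", "order_id": 1001, "amount": "49.00"}';
$good   = hash_hmac('sha256', $body, $secret);

$cases = [
    'valid signature'  => [$body, $good],
    'missing header'   => [$body, null],
    'tampered body'    => [str_replace('49.00', '0.01', $body), $good],
    'truncated header' => [$body, substr($good, 0, 32)],
    // Decoding and re-encoding changes whitespace, so the bytes no longer
    // match what was signed: always verify the raw body, then parse it.
    're-encoded JSON'  => [json_encode(json_decode($body, true)), $good],
];

foreach ($cases as $name => [$payload, $sig]) {
    $ok = verify_webhook_signature($payload, $sig, $secret);
    printf("%-17s => %s\n", $name, $ok ? 'accept' : 'drop');
}
```

In a WordPress REST route the raw body is available from `WP_REST_Request::get_body()`, which is what should be passed to the check before any JSON parsing.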
Backwards compatibility
If you were on Woopay 1.x, the upgrade is one plugin update and one settings-page re-save. Existing tokens migrate automatically; subscriptions keep billing without a re-authorisation.
The short version
You get a gateway that would pass a bank's security review, without changing anything about how your customers pay.