=== WebHosting4U Secure Card Gateway for ePay Paycenter (Piraeus Bank) ===
Contributors: webhosting4ugr
Tags: woocommerce, payment gateway, piraeus bank, greece, credit card
Requires at least: 6.3
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.31
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Independent WooCommerce gateway by WebHosting4U for the ePay Paycenter (Piraeus Bank / Euronet Merchant Services) Redirection service.

== Description ==

= What sets this plugin apart =

* **HPOS-native from day one.** Built against WooCommerce's High-Performance Order Storage from the very first release. All order metadata uses the HPOS-aware `$order->update_meta_data()` / `get_meta()` API — never the legacy `update_post_meta()` / `get_post_meta()` calls that silently fail on HPOS-enabled stores (the WooCommerce default for new installs since 8.x). Your transaction IDs, support reference IDs, and approval codes are preserved whichever storage mode you run.

* **Cloudflare-aware.** Automatically detects when your store is served through Cloudflare (via the `CF-Ray` / `CF-Connecting-IP` request headers) and surfaces the current Cloudflare IPv4 CIDR ranges right in the gateway settings page, ready to copy. You hand them to Euronet Merchant Services so the bank's callbacks are not blocked at their firewall when they arrive via Cloudflare edge IPs. Live list fetched from cloudflare.com/ips-v4 and cached for 12 hours.

* **Built-in WAF / callback self-test.** A diagnostic button in the gateway settings sends a realistic, *declined-transaction*-shaped POST to your own callback URL via loopback and reports whether your host's web-application firewall (cPFence, ModSecurity / OWASP CRS, Imunify360, BitNinja, LiteSpeed WAF) silently blocks it before PHP runs. No real order is created or modified — the synthetic payload carries a `WAFTEST-` merchant reference that cannot match any order in the database. Catches the class of *"callbacks never arrive"* problems before they cost you a sale.

* **Modern admin UI.** Card-based layout, dashicons throughout, one-click Copy-to-clipboard for all callback URLs grouped in a single block, environment badge (Test / Live / Production) on the credentials section, collapsible Cloudflare details. Audited against WordPress 7.0's "Modern" admin theme.

* **Audited for WordPress 7.0 on release day.** Reviewed against the full WordPress 7.0 Field Guide breaking-changes list on 2026-05-20. "Tested up to: 7.0" from the very first stable release. The plugin requires PHP 7.4 (the new WordPress 7.0 minimum) and uses no APIs deprecated in 7.0.

* **Fully bilingual (EN + EL).** All 179 admin and customer-facing strings translated to Greek and shipped as both classic `.mo` and WordPress 6.5+ performant `.l10n.php` payloads. The wp.org page itself ships with an English `readme.txt` that opens with a Greek summary, plus a parallel full Greek `readme-el.txt` companion file inside the plugin folder for Greek-speaking merchants.

----------

**Ελληνικά:**

Ανεξάρτητο πρόσθετο πύλης πληρωμής WooCommerce από τη WebHosting4U για
την υπηρεσία *ePay Paycenter Redirection* της Τράπεζας Πειραιώς /
Euronet Merchant Services. Υλοποιεί πλήρως την επίσημη προδιαγραφή
*Redirection v2.9*:

* Έκδοση μοναδικού εισιτηρίου (TranTicket) μέσω SOAP Ticketing Web
  Service με κωδικοποίηση UTF-8.
* Αυτόματη ανακατεύθυνση POST στην ασφαλή σελίδα πληρωμής της τράπεζας
  (`pay.aspx`) — τα δεδομένα κάρτας δεν περνούν ποτέ από τον διακομιστή
  του καταστήματος.
* Πλήρης επαλήθευση HashKey HMAC-SHA256 σε κάθε επιτυχημένη απάντηση
  πριν χαρακτηριστεί η παραγγελία ως εξοφλημένη.
* Υποστήριξη συναλλαγών Sale και Προέγκρισης (Preauthorization).
* **Υποστήριξη IRIS Payments** (άμεσες πληρωμές μέσω ΔΙΑΣ). Όταν η
  Euronet Merchant Services ενεργοποιήσει το IRIS στη σύμβασή σας, η
  σελίδα πληρωμής της τράπεζας εμφανίζει στον πελάτη και τις δύο
  επιλογές (κάρτα ή IRIS). Το πρόσθετο αναγνωρίζει τις απαντήσεις IRIS,
  αποθηκεύει το κανάλι πληρωμής στην παραγγελία, και εμφανίζει
  μηνύματα προσαρμοσμένα στα IRIS σενάρια (ακύρωση από την εφαρμογή
  τράπεζας, λήξη QR 5 λεπτών, σφάλμα υπηρεσίας IRIS κ.λπ.).
* Συμπλήρωση πεδίων 3-D Secure από τη διεύθυνση χρέωσης / αποστολής
  του WooCommerce.
* Συμβατότητα με HPOS (Custom Order Tables) και WooCommerce Blocks
  checkout.

**Προϋπόθεση:** πρέπει να έχετε υπογεγραμμένο συμβόλαιο αποδοχής με την
Euronet Merchant Services / Τράπεζα Πειραιώς και να διαθέτετε τα
διαπιστευτήρια `AcquirerId`, `MerchantId`, `PosId`, `Username`,
`Password`. Το πρόσθετο δεν παρέχει δικούς του δοκιμαστικούς
λογαριασμούς.

Η πλήρης ελληνική μετάφραση της σελίδας του προσθέτου στο WordPress.org
θα είναι διαθέσιμη μέσω του [translate.wordpress.org](https://translate.wordpress.org/projects/wp-plugins/secure-card-gateway-for-epay-paycenter-piraeus-bank/)
μόλις εγκριθεί από την κοινότητα. Δείτε επίσης το συνοδευτικό
`readme-el.txt` για την ολοκληρωμένη ελληνική τεκμηρίωση.

----------

**English:**

This plugin integrates WooCommerce with the ePay Paycenter Redirection
service operated by Piraeus Bank / Euronet Merchant Services. It implements
the official Redirection v2.9 specification end to end:

* SOAP Ticketing Web Service (`IssueNewTicket`) with UTF-8 payload.
* Auto-submitted HTML form POST redirection to the Paycenter secure
  payment page (`pay.aspx`) so card data never touches your server.
* Full HMAC-SHA256 HashKey verification for every successful callback
  before marking an order as paid.
* Support for Sale and Preauthorization transactions.
* **IRIS payments** (Greek instant payment / DIAS) accepted transparently
  when enabled by Euronet Merchant Services on the merchant agreement.
  The bank's hosted page presents card and IRIS as the two payment
  options; the plugin recognises the IRIS-specific response payload
  (`CardType=15`, `PaymentMethod=IRIS`), surfaces IRIS-tailored decline
  messages for the IRIS-only ResponseCodes (05 user-cancelled-in-bank-app,
  06 service error, 09 pending, 68 5-minute QR timeout, 70 IRIS service
  error) and records the channel on the order so card vs IRIS settlements
  are distinguishable in your reports.
* 3-D Secure auxiliary fields populated from the WooCommerce billing /
  shipping address.
* HPOS (Custom Order Tables) and WooCommerce Blocks checkout support.

**You must have signed an acquiring contract with Euronet Merchant
Services / Piraeus Bank and obtained `AcquirerId`, `MerchantId`, `PosId`,
`Username` and `Password` credentials before using this plugin.** The
plugin does not provide test or sandbox accounts on its own; please
contact Euronet Merchant Services to request one.

= Affiliation and trademark notice =

This plugin is independent software published by **WebHosting4U** and is
**not affiliated with, endorsed by, sponsored by, or otherwise officially
connected to** Piraeus Bank S.A., Euronet Merchant Services, or
Automattic Inc. The third-party names "ePay", "Paycenter", "Piraeus Bank"
and "WooCommerce" are trademarks of their respective owners and are
used here in good faith, after the unaffiliation marker "for", solely
to describe the third-party service this plugin integrates with, in
line with the WordPress.org Detailed Plugin Guidelines on third-party
trademarks. The bundled accepted card brands image
(`assets/img/wp-cards.png`) is included with the rights-holder's
authorization for the merchant distribution scope of this plugin.

= User tracking and consent =

This plugin does **not** load any analytics, telemetry, advertising,
fingerprinting, profiling or behavioural tracking code, neither on the
storefront nor in the WordPress admin. It does not set cookies on
visitor browsers, does not contact any first-party or third-party
analytics endpoint, and does not collect aggregated or individual
usage statistics from the merchant's installation. The only outbound
network traffic the plugin generates is the strictly transactional
traffic documented in the *External services* section below, which
is required to complete a payment the merchant has explicitly
configured the plugin to perform. No user-tracking consent prompt is
therefore required by this plugin (Plugin Review Team Guidelines 7
and 9).

== External services ==

This plugin reaches out to three external services. Two are operated
by Euronet Merchant Services on behalf of Piraeus Bank S.A. for the
"ePay Paycenter" payment redirection product (mandatory for the
plugin's core function). The third is a publicly available Cloudflare
endpoint used only in the admin panel to help store owners configure
firewall rules for payment callbacks.

= 1. ePay Paycenter Ticketing Web Service =

* What it is: a SOAP / ASMX endpoint published by Euronet Merchant
  Services that issues a single-use `TranTicket` for each card
  payment attempt. The ticket is then handed to the customer's
  browser as a hidden form field that POSTs to the secure payment
  page, so cardholder data never touches the merchant server.
* Endpoint: `https://paycenter.piraeusbank.gr/services/tickets/issuer.asmx`
* What is sent: the merchant credentials provided by Euronet Merchant
  Services (AcquirerId, MerchantId, PosId, Username and an MD5 hash
  of the Password), the order's MerchantReference (numeric WooCommerce
  order id with a short random suffix), the transaction amount and
  ISO 4217 numeric currency code, the request type (Sale or
  Preauthorization), and the 3-D Secure auxiliary fields populated
  from the WooCommerce order: billing email, cardholder name,
  billing address (city / lines / post code / state / ISO 3166
  numeric country code), shipping address when present, and the
  customer's mobile phone number formatted as `CC-Number`. No
  cardholder data, no PAN, no CVV, no expiry, and no analytics
  identifier is ever transmitted; cardholder data is collected
  exclusively on the bank's secure payment page.
* When it is sent: once per successful checkout submission, at the
  moment WooCommerce hands control to the gateway's
  *Pay for order* page, immediately before the customer is
  auto-redirected to the bank.

= 2. ePay Paycenter Redirection page =

* What it is: the bank-hosted secure payment page where the customer
  enters card details and completes the 3-D Secure challenge. The
  plugin renders an auto-submitted HTML form whose `action` attribute
  is the URL below.
* Endpoint: `https://paycenter.piraeusbank.gr/redirection/pay.aspx`
* What is sent: the merchant identifiers (AcquirerId, MerchantId,
  PosId, User), the language code, the MerchantReference issued
  during ticketing, and a per-order ParamBackLink so the bank's
  Cancel button returns the customer to the correct WordPress
  endpoint. The TranTicket itself is read by the customer's
  browser from the hidden form field; the merchant server is not
  the originator of the redirect POST.
* When it is sent: once per checkout, immediately after the
  Ticketing call above succeeds.
* Inbound counterpart: Paycenter posts a signed transaction
  response (HMAC-SHA256 HashKey) back to the plugin's WC-API
  callback URL on the merchant site
  (`https://<merchant-site>/?wc-api=epay_paycenter`). This is the
  same service - the merchant site is the Notification / Success /
  Failure / Backlink target the merchant configures in the
  Euronet portal. No data leaves the merchant server on this
  inbound leg; the plugin only reads, verifies, and acts on the
  response.

= Service operator and legal links =

Both endpoints above are operated by Euronet Merchant Services
(epay) for Piraeus Bank S.A.. Before activating the gateway,
merchants must review and agree to the operator's terms and
privacy policy:

* Service homepage: <https://epayworldwide.com/> (Euronet Merchant
  Services / epay corporate site)
* Greek market homepage: <https://www.epaygreece.gr/>
* Terms of Service: <https://www.epaygreece.gr/oroi-xrisis/>
* Privacy Policy: <https://www.epaygreece.gr/politiki-aporritou/>
* Piraeus Bank corporate site: <https://www.piraeusbank.gr/>
* Piraeus Bank Privacy Policy: <https://www.piraeusbank.gr/en/idiwtes/protection-of-personal-data>

If any of the above URLs change after publication, please consult
the live operator websites for the current version of the relevant
document. The plugin's behaviour is not affected by such updates
because the operator's terms apply to the merchant's relationship
with Euronet Merchant Services / Piraeus Bank, not to the plugin
itself. Merchants remain responsible for keeping their own
privacy policy and terms aligned with the data flows documented
above (notably the transmission of billing / shipping address
fields and customer email / phone to the bank for 3-D Secure
authentication).

= 3. Cloudflare IPv4 list =

* What it is: a publicly available plain-text file published by
  Cloudflare, Inc. that lists the current IPv4 CIDR ranges used by
  Cloudflare's edge network. The plugin fetches this file once every
  12 hours (or 15 minutes on failure) via `wp_safe_remote_get()` and
  caches the result in a WordPress transient.
* Endpoint: `https://www.cloudflare.com/ips-v4/`
* What is sent: a standard HTTP GET request with no personal data,
  no order information, no credentials, and no cookies. The only
  identifying information in the request is the plugin's `User-Agent`
  string (`secure-card-gateway-for-epay-paycenter-piraeus-bank/VERSION`).
* Why: when the plugin's admin settings page detects that the
  WordPress site is served through Cloudflare (via the CF-Ray /
  CF-Connecting-IP / CDN-Loop request headers), it displays the
  current Cloudflare IPv4 ranges so the store owner can copy them
  into an email to Euronet Merchant Services to whitelist them for
  payment callbacks. Without this list, callbacks routed through
  Cloudflare edge IPs may be rejected by the bank's firewall.
* When: only when an administrator views the gateway's WooCommerce
  settings page and Cloudflare is detected on the incoming request.
  It is never triggered on the storefront or by guest/customer visits.
* Cloudflare service homepage: <https://www.cloudflare.com/>
* Cloudflare Privacy Policy: <https://www.cloudflare.com/privacypolicy/>
* Cloudflare Terms of Service: <https://www.cloudflare.com/terms/>

No data is sent to any third party other than the three endpoints
listed above.

== Installation ==

1. Upload the plugin ZIP through **Plugins → Add New → Upload Plugin**,
   or extract it into `wp-content/plugins/wh4u-secure-card-gateway-for-epay-paycenter-piraeus-bank/`.
2. Activate the plugin.
3. Go to **WooCommerce → Settings → Payments** and enable
   *ePay Paycenter (Piraeus Bank)*.
4. Enter your AcquirerId, MerchantId, PosId, Username and Password
   exactly as provided by Euronet Merchant Services.
5. Set the environment (Test / Live), language, and transaction type.
6. Provide Euronet Merchant Services with the following URLs for your
   merchant record:
     * Referrer URL: your shop checkout page.
     * Success URL:  `https://your-site.tld/wc-api/epay_paycenter/`
     * Failure URL:  `https://your-site.tld/wc-api/epay_paycenter/`
     * Backlink URL: `https://your-site.tld/wc-api/epay_paycenter/`
     * IP address:   the outbound IP of your web server.
     * Response method: **POST** (recommended).
7. Execute the mandatory test cases documented in Section 7 of the
   Redirection v2.9 manual before requesting live credentials.

== Frequently Asked Questions ==

= Which cards are supported? =

Visa, Mastercard, Maestro, and (subject to agreement with Euronet
Merchant Services) Diners / Discover and American Express.

= Does the plugin support IRIS payments? =

Yes. When IRIS is enabled on your merchant agreement by Euronet Merchant
Services, customers can choose between card and IRIS directly on the
bank's hosted payment page — the plugin does not need a separate setting
to "turn IRIS on" because the choice is made server-side at the bank,
not in your checkout. The plugin recognises IRIS responses (CardType=15
or PaymentMethod=IRIS in the bank's HMAC-verified callback), shows
IRIS-tailored messages for the IRIS-only decline scenarios (user
cancelled in their banking app, 5-minute QR timeout, IRIS service error,
etc.) and records the payment channel on the order so card and IRIS
transactions are distinguishable in your reports.

Per Piraeus Bank policy, **IRIS payments do not support installments**
(the full amount is charged) and **refunds are not supported for IRIS
transactions** (ResponseCode 9167). These restrictions are enforced by
the bank, not by the plugin.

= Does the plugin store any card data? =

No. Cardholder data is entered exclusively on the Paycenter secure
payment page and never transits your server. The plugin stores only
non-sensitive metadata such as approval code, response code and
`SupportReferenceID` for reconciliation.

= What happens if the HashKey cannot be verified? =

The order is set to *On hold* and a notice is logged. Verification is
mandatory before an order is marked paid; a mismatching HashKey is
treated as a potentially forged callback.

= Is this plugin GDPR-compatible? =

The plugin transmits only the minimum data required for the transaction
(order total, currency, merchant reference, and 3-D Secure auxiliary
fields such as billing email and address). No analytics or telemetry is
collected.

= My host's WAF (cPFence, ModSecurity, Imunify360, BitNinja, LiteSpeed) is blocking the bank callback. What do I do? =

Shared-hosting firewalls sometimes flag Paycenter's decline-callback
payload because it contains patterns (dash-only `TransactionDateTime`,
empty `HashKey` on declined transactions, Greek `ResponseDescription`
text) that overlap with default attack signatures. Symptoms: callbacks
for failed transactions never arrive and orders get stuck in *pending
payment*.

The plugin's settings page includes a **Test callback URL** diagnostic
that POSTs a realistic declined-transaction payload to your own callback
URL via loopback and reports whether a host WAF intercepts it. Run it
once before going live. If a WAF is intercepting, ask your hosting
provider to whitelist the URL `/?wc-api=epay_paycenter` (callback-URL
scope only — never disable rules server-wide). CDN-level WAFs
(Cloudflare, Sucuri, Akamai) must be configured separately at the CDN —
the in-admin diagnostic only exercises the origin server's WAF.

= My customer sees only "-1" after the bank return. What happened? =

The literal `-1` comes from WooCommerce core's `WC_API` handler. For
this plugin it usually means one of three things:

1. The callback URL in the Euronet portal does not match the plugin's
   URL. Use exactly `https://<your-site>/?wc-api=epay_paycenter` (no
   trailing slash, no extra path). Copy it from the gateway settings
   page where the plugin displays the canonical form.
2. A host WAF intercepted the callback before it reached PHP (see the
   WAF FAQ above).
3. The plugin handled the callback but a downstream redirect target
   suppressed the notice. Since 1.0.14 decline messages survive
   cross-origin redirect cookie stripping, so this is rare on current
   versions.

Check **WooCommerce → Status → Logs** for `epay-paycenter-*` entries
around the transaction timestamp. The `Callback envelope` INFO line is
written on every callback that reaches PHP, so its presence or absence
distinguishes WAF-level blocks from plugin-level rejects.

== Changelog ==

= 1.0.31 =
* Docs: readme Description trimmed to fit the wp.org 2,500-word limit (the 1.0.30 release was truncated on the public plugin page). The standalone `== WAF compatibility ==` section was rolled into two FAQ entries that cover the same operator scenarios (WAF blocking callbacks, "-1" troubleshooting) without per-vendor configuration snippets — those move to support docs. No code change; the in-admin "Test callback URL" diagnostic, callback envelope logging and URL normalisation features previously documented in that section all remain.

= 1.0.30 =
* Feature: **IRIS payments support** per Redirection Manual v2.9. When Euronet Merchant Services enables IRIS on your merchant account, the bank's hosted page lets customers pay by IRIS instead of card; the plugin now recognises the IRIS response payload (`CardType=15` / `PaymentMethod=IRIS`), stores the payment channel on the order, and surfaces IRIS-tailored messages for the IRIS-only ResponseCodes 05 (user cancelled in their bank app), 06 (service error), 09 (initiated but not confirmed), 68 (5-minute QR-code timeout) and 70 (IRIS service unexpected error). HMAC-SHA256 HashKey verification applies to IRIS callbacks identically (the empty AuthStatus / PackageNo / TraceID fields are concatenated as empty strings per the manual). No payment-flow or callback-handler change for existing card transactions.
* Feature: **customer-selectable installments on the classic WooCommerce checkout**. The gateway now renders an "Installments (interest-free)" dropdown when installments are enabled and the cart total qualifies; the picked value is captured at order creation, persisted as `_epay_installments` order meta, and sent as the `Installments` parameter in the Ticketing request to Piraeus Bank.
* Feature: **tiered max-installments by amount** via a new admin setting "Tiered max installments by amount (interest-free)". Format `amount:max,amount:max,...` (e.g. `50:3, 100:6, 200:12`). Overrides the flat "Maximum installments" when set. Per Piraeus Bank policy all installments via this gateway are interest-free for the customer; the merchant absorbs the bank commission.
* Security: the customer-side dropdown is treated as untrusted. `process_payment()` always re-clamps the picked value against the merchant's tier policy evaluated for the live order total, and the SOAP ticket request re-clamps a second time as defence-in-depth. Tier-string parsing uses a strict regex; malformed segments are silently dropped instead of throwing.
* Internal: the existing `installments` checkbox + `max_installments` + `min_amount_for_installments` settings, previously cosmetic (the Ticketing request was hard-coded to `Installments=0`), are now wired up. `_epay_installments` order meta carries the value through the bank round-trip. Success order note now branches by payment channel — IRIS rows omit the empty PackageNo / TraceID columns that have no analogue in the DIAS instant-payment flow.
* Docs: readme Description, FAQ and Greek `readme-el.txt` companion updated with IRIS coverage; new section "What sets this plugin apart" surfaces the technical differentiators (HPOS-native, Cloudflare detection, WAF self-test, WP 7.0 audit, bilingual readme).
* Known limitation: the installments customer picker ships for classic WC checkout only. WooCommerce Blocks Checkout customers default to one-time payment (`Installments=1`, the bank's canonical "no installments" per Redirection Manual v2.9 §4); the Blocks picker is scheduled for a follow-up release.

= 1.0.28 =
* Compatibility: tested with WordPress 7.0 (released 2026-05-20). Verified that the gateway works on the new Modern admin theme, the iframed post editor changes do not affect WooCommerce Blocks checkout integration, and PHP 7.4+ requirement already meets the new core minimum.
* Docs: screenshot captions in readme corrected to match the actual images (bilingual EN/EL).

= 1.0.27 =
* UX: settings screen reordered — the "Merchant credentials" section now appears above the "Bank integration data" section, matching the natural onboarding flow (enter the credentials from Euronet first, then send the technical data back).
* UX: "Bank integration data" card and its Cloudflare detection sub-block are now collapsible (closed by default) to keep the settings screen compact after onboarding.
* UX: the five callback URLs (Website, Referrer, Success, Failure, Backlink) are consolidated into a single grey block with one "Copy" button, replacing the per-URL row layout.
* i18n: Greek translation added for the new "Copy callback URLs to clipboard" aria-label.
* Internal: aligned EPAY_PAYCENTER_VERSION constant with the plugin header (was lagging at 1.0.25, used by asset cache-busting and outbound User-Agent strings).

= 1.0.26 =
* Compliance: invalid Plugin URI header removed per Plugin Review Team feedback. The URI is an optional header (https://developer.wordpress.org/plugins/plugin-basics/header-requirements/) and the previously declared page was not public. Author URI (https://webhosting4u.gr/) is unchanged and reachable.

= 1.0.22 =
* Fix: plugin folder and main file renamed to secure-card-gateway-for-epay-paycenter-piraeus-bank to match WP.org slug; resolves Plugin Check TextDomainMismatch on all i18n calls.
* Fix: UTF-8 BOM properly stripped from all PHP files (previous fix re-encoded U+FEFF as a BOM on write; correct method skips the 3 BOM bytes before decoding).

= 1.0.21 =
* Fix (critical): TranTicket was missing from the redirect form POST to pay.aspx — every payment attempt would be rejected by the bank. Added to form_fields in output_receipt_page().
* Fix: apply_filters( epay_paycenter_icon ) pre-escaped the default URL violating escape-late; escaping now happens only at output.
* Fix: printf() with HTML link replaced with echo wp_kses_post( sprintf() ).
* Fix: is_cloudflare_proxied() now uses isset() + is_scalar() guards on CF_RAY / CF_CONNECTING_IP.
* Fix: phpcs:ignore added to dbDelta() SQL interpolation in create_tables().
* Cleanup: removed orphaned docblock for deleted collect_attempt_stats().

= 1.0.20 =
* Compliance: text domain corrected from wh4u-* to secure-card-gateway-for-epay-paycenter-piraeus-bank to match WP.org slug. All 179 i18n strings updated; language files renamed.
* Compliance: echo generate_settings_html() kept as phpcs:ignore with explanatory comment; wp_kses_post() wrap broke WooCommerce form attributes.
* Security: enqueue_admin_settings_assets() now checks current_user_can( manage_woocommerce ) before reading  args.
* External services: Cloudflare IPv4 fetch documented in readme with terms / privacy links.

= 1.0.19 =
* Compliance: plugin renamed to WebHosting4U Secure Card Gateway for ePay Paycenter (Piraeus Bank); slug wh4u-* per Guideline 17. External services section fully documented with terms / privacy links. Deprecated libxml_disable_entity_loader() removed.

= 1.0.18 =
* UI: checkout icon changed from piraeus.svg to responsive wp-cards.png. Block checkout now shows card brands. Front-end CSS enqueued on checkout.

= 1.0.17 =
* Localisation: Greek translation backfilled with all strings from 1.0.10-1.0.16. POT regenerated.

= 1.0.16 =
* Fix: decline notice not appearing after bank redirect. Hook priority collision with WooCommerce core resolved (priority 5 vs core 10).

= 1.0.15 =
* Compliance: failure handler aligned row-by-row with Redirection Manual v2.9 section 5 scenario table. Fixes misleading ResultCode 1048 message; widens 50x matching to 500-599.

= 1.0.14 =
* Fix: decline message lost after bank redirect due to SameSite=Lax session-cookie stripping. Notices now queued as order-scoped transients (session-independent delivery).

= 1.0.13 =
* Fix: -1 body when Success/Failure URL is doubled in the Euronet portal. Malformed wc-api values normalised at parse_request.

= 1.0.12 =
* Declined-transaction handling per Redirection Manual v2.9 section 5. Failure redirect now targets pay-for-order URL. Fixes -1 body via plugins_loaded binding.

= 1.0.11 =
* Admin diagnostics: Test callback URL button detects host WAF interception before live payments.

= 1.0.10 =
* Logging: Callback envelope INFO line written on every callback reach for WAF/plugin-reject disambiguation.

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 1.0.31 =
Docs-only release. Readme Description trimmed to fit the wp.org 2,500-word limit (the 1.0.30 plugin page was truncated). No code or behaviour change — the in-admin WAF diagnostic, IRIS support, installments picker and tiered installments from 1.0.30 are all preserved.

= 1.0.30 =
Adds IRIS payments support per Redirection Manual v2.9 (transparently recognised when Euronet Merchant Services enables IRIS on your account) AND customer-selectable installments on classic WC checkout with tiered max-installments by order amount. The previous flat installments configuration is preserved and still works. WooCommerce Blocks checkout: customers default to one-time payment (Blocks picker scheduled for 1.0.31). All card installments via this gateway are interest-free for the customer per Piraeus Bank policy; IRIS does not support installments or refunds.

= 1.0.28 =
Compatibility with WordPress 7.0 (Modern admin theme, iframed editor, PHP 7.4 minimum). No payment-flow, database, or callback-handler change.

= 1.0.27 =
Settings screen reorganized: merchant credentials now sit above bank integration data, the bank-data card is collapsed by default, and the five callback URLs share one grey "Copy" block. No payment-flow, database, or callback-handler change.

= 1.0.20 =
Text domain corrected to match plugin slug. Cloudflare IP fetch documented in External services. echo wrapped with wp_kses_post(). No payment-flow or database change.

= 1.0.19 =
Plugin renamed to "WebHosting4U Secure Card Gateway for ePay Paycenter (Piraeus Bank)" with slug wh4u-* per Plugin Review Team feedback. External services fully documented with terms / privacy links. Deprecated libxml_disable_entity_loader() removed. No payment-flow change.

= 1.0.18 =
Checkout icon changed from piraeus.svg to a responsive wp-cards.png image (400 px desktop, scales on mobile). Block checkout now shows card brands. Front-end CSS enqueued on checkout. Drop-in upgrade.

= 1.0.17 =
Greek translation backfilled with all strings from 1.0.10-1.0.16: scenario labels, decline notices, admin notes, WAF self-test UI. POT regenerated. No PHP/database/payment-flow change.

= 1.0.16 =
Fixes decline notice not appearing after bank redirect. Hook priority collision with WooCommerce core resolved (priority 5 vs core 10). Works on every theme. No database or payment-flow change.

= 1.0.15 =
Aligns with Redirection Manual v2.9 section 5 scenario table. Fixes misleading ResultCode 1048 message, widens 50x matching to 500-599, adds AdminTool hint on 1045. Drop-in upgrade.

= 1.0.14 =
Fixes decline message not appearing after bank redirect due to SameSite=Lax stripping the session cookie. Notices now queued as order-scoped transients. No database or payment-flow change.

= 1.0.13 =
Fixes "-1" body when Success/Failure URL is doubled in the Euronet portal. Malformed wc-api values normalised at parse_request. Please also correct the URL in the portal.

= 1.0.12 =
Declined-transaction handling per Redirection Manual v2.9 section 5. Issuer decline shown to customer, failures redirect to pay-for-order URL. Fixes "-1" body via plugins_loaded binding.

= 1.0.11 =
Adds "Test callback URL" button on the settings screen. Detects host WAF interception (cPFence, ModSec, Imunify360, BitNinja, LiteSpeed). No database or payment-flow change.

= 1.0.10 =
Adds a "Callback envelope" forensic log line at every callback reach so
host-WAF-blocked transactions can be distinguished from plugin-rejected
ones, and refines the customer-facing wording per Paycenter ResultCode
and ResponseCode. Safe drop-in upgrade, no database change.

= 1.0.9 =
Greek translation rewritten in plain, merchant-friendly Greek. Banking
jargon replaced with everyday terms; field labels shortened so the
WooCommerce settings layout is not stretched. Safe drop-in upgrade.

= 1.0.8 =
Plugin Check compliance: adds the standard `defined( 'ABSPATH' ) || exit;`
guard at the top of the performant-translations `.l10n.php` file. No
runtime or database change, safe drop-in upgrade.

= 1.0.7 =
Plugin Review compliance: the bank redirect auto-submit helper is now
loaded via wp_enqueue_script() from a standalone asset file instead of
an inline `<script>` block in the receipt template. Safe drop-in
upgrade, no database or payment-flow change.

= 1.0.6 =
Adds a complete Greek (el) translation, regenerates the POT catalog from
the live source, and ships WP 6.5+ performant-translations `.l10n.php`
files next to every `.mo`. Safe drop-in upgrade, no database change.

= 1.0.5 =
Plugin Check compliance: sanitizes $_SERVER input on the settings
screen, switches statistics queries to $wpdb->prepare() with the %i
identifier placeholder, and trims the 1.0.2 upgrade notice under the
300-char limit. No functional change.

= 1.0.4 =
Adds Cloudflare auto-detection and a help notice on the gateway
settings page instructing store owners to email Euronet Merchant
Services to whitelist Cloudflare's IPv4 ranges. Safe drop-in upgrade.

= 1.0.3 =
Stops the WC-API callback endpoint from spamming the WooCommerce error
log with "Callback missing MerchantReference" entries when hit by bots,
scanners or direct browser visits. No functional or security change.

= 1.0.2 =
Redesigned settings screen with status overview and an auto-generated
Bank integration data block listing the exact Website, Referrer,
Success, Failure and Backlink URLs, server IP and response method
asked for by Euronet Merchant Services. Safe drop-in upgrade.

= 1.0.1 =
Compliance, security and packaging fixes. Recommended for all users;
no database migration required.

= 1.0.0 =
Initial release.

== Screenshots ==

1. ePay Paycenter gateway entry in **WooCommerce → Settings → Payments** with editable title and description shown to the customer. / Καταχώρηση πύλης ePay Paycenter στο **WooCommerce → Ρυθμίσεις → Πληρωμές** με επεξεργάσιμο τίτλο και περιγραφή.
2. Gateway settings page: **Merchant credentials** (AcquirerId, MerchantId, PosId, Username, Password) above **Bank integration data** with the Success / Failure / Backlink URLs grouped into a single grey block with a one-click Copy button. / Σελίδα ρυθμίσεων πύλης: **Στοιχεία πρόσβασης εμπόρου** πάνω από τα **Στοιχεία σύνδεσης με την τράπεζα**, με τα Success / Failure / Backlink URLs σε ενιαίο γκρι πεδίο και κουμπί αντιγραφής με ένα κλικ.
