Barclays Has Been Trusted With Money Since 1736.
Your Checkout Shouldn't Look Like It Was Built Last Tuesday.
Full ePDQ integration for J2Commerce — HPP redirect, on-site FlexCheckout, saved cards, subscription renewals, admin Capture/Void/Refund, and SHA-signed callbacks that actually verify. Put the bank behind your Joomla ecommerce store. Properly.
Everything ePDQ. Nothing Broken. Nothing Missing.
Most ePDQ plugins for Joomla ecommerce were written when "security" meant remembering to close a PHP tag. This one wasn't. Both checkout modes. Saved cards. Subscriptions. SHA signatures that actually match. Admin operations that don't require a separate login.
Hosted Payment Page
Customer clicks "Place Order," lands on a Barclays-hosted payment form, comes back confirmed. Your server never touches a card number. PCI scope drops to SAQ-A — no annual penetration test, no QSA assessor, no quarterly vulnerability scans. That's thousands of pounds per year you're not spending. Yeah. We do that.
FlexCheckout — On-Site Card Form
Card entry happens right on your checkout page — looks like your store the whole time. Under the hood, card data posts straight to Barclays' Alias Gateway. Your server still never sees raw card data. Still SAQ-A. Customers stay on your domain. That's not a compromise — it's both things at once.
Saved Cards — One Click the Second Time
Returning customers see their saved card. They pick it. They pay. Done. The token lives in Barclays' vault, not your database. Re-entry friction is gone. So is the drop-off that comes with it. Customers who don't have to dig out their wallet buy more often. Simple math.
Subscription Renewals That Don't Crash Silently
Automatic renewal charges against stored cards — no customer action needed each cycle. When a renewal succeeds, the order history updates, notification emails fire, and the status is set correctly. When it fails, you get a visible failure record with the reason. Not a silent PHP crash you find out about three weeks later when a customer asks why their access was revoked.
Capture, Void & Refund from the Order Screen
Authorize funds at order time, capture when you ship — right from the J2Commerce order screen. Void an authorization before settlement. Refund full or partial with cumulative tracking that blocks you from accidentally over-refunding. Every operation writes to the order history. No Back Office login. No explaining what a PAYID is to your warehouse team. It just works.
SHA Signatures That Actually Match
Incoming callbacks are cryptographically verified using the correct parameter set for whichever mode you're running — HPP and Alias Gateway use different field lists. Getting that wrong means a guaranteed mismatch on every successful payment. Most Joomla ePDQ plugins get it wrong. Some just disable verification entirely, which means any HTTP request can confirm an order with zero actual payment. This one gets it right, enabled by default.
Server-to-Server Webhook — The Browser Is Irrelevant
Barclays confirms your payments directly to your store's server — independently of whatever chaos the customer's browser is up to. Tab closed. Internet dropped. Back button pressed. Doesn't matter. Barclays called your server. The order confirms. The customer's browser is not in the loop, and that's exactly how it should be.
Geozone & Subtotal Gating
Restrict Barclaycard to specific geographic zones. Set a floor and ceiling on order values. Barclaycard only appears to the customers who can actually use it — no confusing error messages mid-checkout for someone in a country your merchant account doesn't support. The right payment options for the right customers. Automatically.
Surcharge — Recover Processing Costs
Add a percentage fee, a fixed fee, or both — with an optional tax class applied on top. The surcharge shows as a line item on the order. Customers who pick Barclaycard see it; customers on other methods don't. Processing cost recovery, built in, no spreadsheets required.
One Plugin. Two Checkout Modes. No Choosing Wrong.
Some stores want the full Barclays redirect — customer leaves your domain, pays on an official Barclays-hosted page, comes back confirmed. Maximum trust signal. Zero card data touching your server. UK shoppers recognize that page and they don't hesitate. If that's you, configure HPP. Done.
Other stores want customers on their domain the whole time. FlexCheckout delivers exactly that — an on-site card form that looks native to your checkout while card data posts straight to Barclays' Alias Gateway. Still bank-hosted processing under the hood. Still SAQ-A. Still your URL in the address bar. You switch modes in plugin settings. No code changes. No rebuilding the checkout.
- HPP: full Barclays-hosted redirect — the name customers trust, on the page they see
- FlexCheckout: stays on your domain, looks like your store, still SAQ-A
- Both modes: your server never sees a raw card number. Not once.
- Switch with a settings change — no developer, no deployment, no drama
Capture. Void. Refund. Your Team Does Not Need a Back Office Login.
Here's the deal: if your operations team needs to log into Barclays' merchant portal every time they want to settle, void, or refund a payment, you've built your payment workflow around a browser bookmark and a password someone probably wrote on a sticky note. That's not a process. That's a liability.
With authorize-first mode enabled, the Capture button appears right on the J2Commerce order screen the moment a payment is authorized. Click it. Barclays settles. Done. Void cancels before settlement. Refunds handle full or partial amounts — the plugin tracks the cumulative refunded total and physically blocks you from going over the original charge. Every operation logs to the order history. Clean audit trail. No sticky notes.
- Capture authorized funds at shipment — zero Back Office login required
- Void before settlement — one click, authorization released
- Full and partial refunds with over-refund protection baked in
- Every action in the J2Commerce order history — squeaky clean audit trail
Signature Verification Enabled by Default. Because Disabling It Is How Fraud Happens.
SHA-OUT signature verification is the only barrier between your callback URL and someone forging a payment confirmation with a curl command. No actual payment. Just a crafted HTTP request that says "paid." If verification is off — and plenty of Joomla ePDQ plugins ship with it off, or don't implement it at all — your store will confirm those orders. Every time. Without blinking.
This plugin ships with verification enabled and uses the correct field list for whichever mode you're running. HPP callbacks and Alias Gateway callbacks include different parameters — use the wrong list and you get a SHA mismatch on every legitimate payment. That's where most integrations fail. SHA-1, SHA-256, and SHA-512 all supported. Configure the one in your Back Office. They'll align exactly.
- Verification on by default — forged confirmations rejected before they reach your orders
- Correct parameter sets for HPP vs Alias Gateway — no guaranteed mismatch on live payments
- SHA-512 recommended; SHA-256 and SHA-1 also fully supported
- Debug logs go to the admin directory only — never public, sensitive fields excluded
Real Stores. Real Problems. Real Fixes.
Put a 290-Year-Old Bank Behind Your Joomla Checkout.
Your store probably shouldn't be built on something younger than the Wi-Fi router in the break room. Full ePDQ integration. Proper SHA signing. Subscription renewals that don't crash silently. Admin refunds that don't require a browser bookmark and a sticky note. Built for J2Commerce. Seriously.
Translated In The Following Languages
Arabic Unitag (ar-AA), Chinese, Traditional (zh-TW), Danish (da-DK), Dutch (nl-NL), English (en-GB), English, USA (en-US), Finnish (fi-FI), French (fr-FR), German (de-DE), Greek (el-GR), Hebrew (he-IL), Italian (it-IT), Japanese (ja-JP), Norwegian Bokmål (nb-NO), Persian Farsi (fa-IR), Polish (pl-PL), Portuguese, Brazil (pt-BR), Portuguese, Portugal (pt-PT), Russian (ru-RU), Spanish (es-ES), Swedish (sv-SE), Turkish (tr-TR)
License Information
An active license entitles you to updates, downloads, and support for the duration of the license period. You may continue using this plugin indefinitely without an active license; however, support, updates, and downloads will not be available while your license is inactive.
- Developer J2Commerce
- Extension Type Payment
- J2Commerce Version 6.x, 4.x
- Joomla Version 4.x, 5.x, 6.x
Arabic Unitag
Chinese, Traditional
Danish
Dutch
English
English, USA
Finnish
French
German
Greek
Hebrew
Italian
Japanese
Norwegian Bokmål
Persian Farsi
Polish
Portuguese, Brazil
Portuguese, Portugal
Russian
Spanish
Swedish
TurkishNew Feature Barclaycard ePDQ payment gateway for J2Commerce 6
New Feature Hosted Payment Page (HPP) checkout with SHA-IN/SHA-OUT signing
New Feature FlexCheckout on-site card form via Alias Gateway (SAQ-A)
New Feature Saved cards (Alias) and subscription renewal charges (COF MIT)
New Feature Admin order capture, void, and full/partial refund
New Feature DirectLink maintenance API client with caller-IP whitelist
New Feature SHA-OUT callback signature verification with toggle
New Feature 21-locale language pack (en-US source, en-GB + 19 translations)
Improvement Native Joomla 6 MVC, namespaced extension, vanilla ES6 checkout JS
Update Requires Joomla 6.x + J2Commerce 6.x + a Barclaycard ePDQ PSPID
Fix corrected media folder destination to plg_j2store_payment_epdq
Update J2Commerce/J2Store v4 and Joomla 4/5 plugin support
You may also be interested in these products
Stay Updated
Subscribe for free and be the first to know about the latest features, updates, and new additions.