CardSave

$39.00

Select Billing Option

1 Year

2 Years

Legacy gateway — existing credentials only. Cardsave Online Payments was acquired by Worldpay in 2010. You cannot sign up for a new Cardsave account. This plugin is for merchants who already hold working Cardsave credentials.
No Cardsave account? Get the Worldpay plugin instead — Worldpay is the company that absorbed Cardsave and is open to new merchants today.

Still Working After All These Years. Somehow.

Cardsave got swallowed by Worldpay in 2010. Your account kept going. This plugin keeps it going on Joomla 6 — hosted or direct mode, HMAC-signed, server-verified, card data scrubbed from logs before it touches disk.

What the Plugin Does

Fifteen-year-old credentials running on a native Joomla 6 ecommerce platform. Two integration modes. Correct HMAC signing. Server-verified results. Everything else the checkout needs.

Hosted Payment Page

Your customers leave your site, enter card details on a Cardsave-hosted page, and come back paid. Your server never sees the card data. PCI scope drops to its lightest tier. The gateway handles 3DS challenges on its own. For most legacy Cardsave merchants, this is the mode they already know.

Direct On-Site Card Form

Card details collected inline in your checkout — no redirect, no branded external page. Cardholder name, card number, expiry, start date, issue number, CVV all on your domain. Same flow you have been running for years, now on Joomla 6.

Server-Pull Result Verification

After a hosted payment, Cardsave contacts your server directly with the result — your server doesn't trust a redirect URL. The result carries a hash digest; the plugin re-computes it and rejects anything that doesn't match. Forged "?status=success" parameters go nowhere.

Three-State Order Status Mapping

Paid, declined, and 3DS-pending each route to whichever J2Commerce order status your workflow uses. 3DS-pending orders hold until authorization completes — no ghost approvals, no false declines. Every status change fires the full order event chain: history, emails, download grants.

PAN and CVV Log Scrubbing

Card numbers are masked to the last four digits and CVV values are replaced entirely before any debug log entry touches disk. Useful diagnostics without the PCI liability. Turn debug logging off in production and nothing sensitive is written at all.

Admin Error Email Alerts

When the gateway returns an error — HMAC mismatch, refused confirmation, failed callback — the plugin emails your administrator group with a masked transaction dump. You find out what went wrong before the customer calls to ask.

Surcharge Support

Name it anything. Set a percentage, a flat amount, or both. Assign a tax class. The surcharge appears as a named line item on the order total and is included in the amount charged. Pass gateway fees to customers cleanly, with a label that makes sense to them.

Geozone Restriction

Show Cardsave only to customers in countries your merchant account actually covers. Customers outside the geozone don't see an error — Cardsave simply doesn't appear as a payment option. No awkward declines at checkout for transactions your account can't handle.

Bootstrap 5 and UIkit Templates

Full template sets for both Bootstrap 5 and UIkit 3. Swap between frameworks in one config field. Drop a custom subtemplate folder and the plugin picks it up automatically — no core file edits, no breakage on next update.

Hosted or Direct. Your Call.

Some merchants want the lightest PCI overhead possible — hosted mode is SAQ-A, your server never touches card data. Other merchants want the smoothest on-site checkout experience — direct mode keeps everything on your domain with no redirect. Both modes are fully implemented. Pick the one that fits your compliance posture and your customers' expectations.

Hosted mode: SAQ-A tier, Cardsave-hosted card form, server-pull result validation
Direct mode: inline card form on your checkout, no redirect, HMAC-signed submission
Both modes: HMAC-SHA1 transaction signing, 3DS-aware status routing, configurable order outcomes
Switch modes in one config field — no reinstall, no credential reset

Verified Results. Clean Logs. No Surprises.

Server-pull result delivery means Cardsave contacts your server to confirm the transaction — your store doesn't trust a URL parameter with "paid=1" in it. Every result carries a hash digest computed with your pre-shared key. Mismatch? Rejected. And before any debug output touches disk, card numbers are masked to the last four digits and CVV values are gone entirely.

HMAC-SHA1 hash on every transaction — HMAC-MD5 also supported
Server-pull callback: Cardsave confirms results to your server directly
Card number fields masked to last four in all log output
CVV and issue number replaced entirely — not logged at all

The Exit Ramp Is Right There When You're Ready

Cardsave was acquired by Worldpay in 2010. Worldpay is fully active today — new merchants can sign up. When you're ready to move off your legacy credentials, the J2Commerce Worldpay plugin is the natural next step. Same gateway family, modern API, no nostalgia required. Your order history stays in your database regardless of which payment plugin you're running.

All order data, customer records, and transaction history stay in your database
Migration to Worldpay is a plugin swap — no data export, no data catastrophe
J2Commerce Worldpay plugin — open to new merchant sign-up today

Real-World Use Cases

You opened a Cardsave account years back — before the concept of "looking for a Worldpay account" would have been a sensible suggestion. That account still works. Your settlement reports have the same pattern every week. You are not breaking what is not broken. You are also upgrading to Joomla 6 because your hosting contract renews in three months. You install this plugin, re-enter the same three credentials you have had for years, and your ecommerce checkout is live on Joomla 6 by Thursday afternoon. The Joomla upgrade happens on schedule. The Cardsave migration to Worldpay happens in Q4, when you have budget. Not because of an emergency.

Your business-to-business ecommerce store has been on the same payment rails for a very long time. Some customers are on Net 30 terms. Card payments happen for smaller orders. Your Cardsave credentials are ancient. They still work. Your finance team would rather not touch the payment setup during the current financial year. IT is upgrading Joomla regardless. You install the plugin, the direct on-site card form works exactly as it always did, finance doesn't need to learn anything new, and IT delivers the Joomla upgrade on schedule. You revisit the payment stack at the annual review.

You sell digital products. Some customers go through 3D Secure. The ones who do sometimes land in a deferred state while their bank finishes the authentication flow. With three-state status mapping, 3DS-pending transactions get their own order status — not a hard decline that bounces the customer, not a premature "paid" that delivers a digital download before the bank confirms. Orders sit in a holding status while authentication completes. When it confirms, the order moves to paid. Your customer service team stops seeing phantom orders. Correct behavior, properly routed.

You maintain multiple Joomla ecommerce stores for UK small-business clients. Several of them have Cardsave. You don't have the scope to rebuild the payment stack on each store during a Joomla upgrade project. You install this plugin on each Cardsave store, pass the same credentials through the config screen, verify the checkout flow, and deliver the upgrade on budget. The clients don't care about gateway heritage. They care that checkout works. Checkbox.

You know you should probably move to a modern gateway. You've known this for two years. The problem is that "eventually" keeps colliding with "the quarter when there's actually budget and dev time for a payment migration that doesn't break orders." This plugin makes "eventually" not urgent. Your Cardsave account keeps running on J2Commerce 6 while you plan the Worldpay migration properly — test environment, parallel running, cutover date, staff training, reconciliation audit. The whole thing, done right, on a timeline that doesn't require a weekend fire drill. When you're ready: the Worldpay plugin is there.

Don't have a Cardsave account?

Cardsave has been dead to new merchants since 2010. Can't sign up — of course you can't. But the company that absorbed it is very much alive and taking new applications. Get the J2Commerce Worldpay plugin — same gateway family, modern API, and the doors are open.

Keep Your Checkout Running Through the Upgrade

Your Cardsave account works. Your Joomla upgrade doesn't have to wait for a full gateway migration. Install the plugin, enter your credentials, test the checkout, ship the upgrade. When you're ready for Worldpay, the Worldpay plugin is one install away. Your data goes with you. That's how it should work.

Translated In The Following Languages

Arabic Unitag (ar-AA), Chinese, Traditional (zh-TW), Danish (da-DK), Dutch (nl-NL), English (en-GB), English, USA (en-US), Finnish (fi-FI), French (fr-FR), German (de-DE), Greek (el-GR), Hebrew (he-IL), Italian (it-IT), Japanese (ja-JP), Norwegian Bokmål (nb-NO), Persian Farsi (fa-IR), Polish (pl-PL), Portuguese, Brazil (pt-BR), Portuguese, Portugal (pt-PT), Russian (ru-RU), Spanish (es-ES), Swedish (sv-SE), Turkish (tr-TR)

License Information

An active license entitles you to updates, downloads, and support for the duration of the license period. You may continue using this plugin indefinitely without an active license; however, support, updates, and downloads will not be available while your license is inactive.