Pay Methods

From WHMCS Documentation


In WHMCS, a Pay Method is a method of payment belonging to a client. A Pay Method can represent a credit card or a bank account and a client can have multiple Pay Methods associated with their account.

Clients can choose any of their available Pay Methods during checkout both for new orders and payment of invoices.

Each Pay Method can also have a different billing address associated with it if required.

Default Pay Method

There must always be a default Pay Method and this is the Pay Method that is used by default for all automatic recurring payment attempts.

In certain conditions, the default Pay Method may not be applicable for a given invoice, for example when the default Pay Method is tokenized with a specific payment gateway and the invoice's payment method is a different gateway. In this scenario, the first applicable Pay Method for the user in order of display is used.
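The fallback rule above, sketched as an added example (a model written for this page, not WHMCS code). The `PayMethod` fields, the `gateway_b` name and the treatment of locally stored Pay Methods as usable with any gateway are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PayMethod:
    # Hypothetical model for illustration; not the WHMCS database schema.
    description: str
    display_order: int                    # position in the client's list
    is_default: bool
    token_gateway: Optional[str] = None   # None = stored locally


def is_applicable(pm: PayMethod, invoice_gateway: str) -> bool:
    # A tokenized Pay Method only works with the gateway holding its token.
    # Assumption: a locally stored Pay Method is usable with any gateway.
    return pm.token_gateway is None or pm.token_gateway == invoice_gateway


def select_for_recurring(pay_methods: List[PayMethod],
                         invoice_gateway: str) -> Optional[PayMethod]:
    """Pick the Pay Method an automatic recurring attempt would use."""
    ordered = sorted(pay_methods, key=lambda pm: pm.display_order)
    default = next((pm for pm in ordered if pm.is_default), None)
    if default is not None and is_applicable(default, invoice_gateway):
        return default
    # Default not applicable: first applicable entry in order of display.
    return next((pm for pm in ordered
                 if is_applicable(pm, invoice_gateway)), None)


# Constructed sample data for one client.
CLIENT_METHODS = [
    PayMethod("Mastercard (stored locally)", 3, False, None),
    PayMethod("Visa (Stripe token)", 1, True, "stripe"),
    PayMethod("Bank account (gateway_b token)", 2, False, "gateway_b"),
]

if __name__ == "__main__":
    for gw in ("stripe", "gateway_b", "other_gateway"):
        chosen = select_for_recurring(CLIENT_METHODS, gw)
        print(gw, "->", chosen.description if chosen else None)
```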

Please Note: At this time, it is not possible to set a different default Pay Method on a per service basis, although this functionality is planned to be delivered in a future update.

Managing Pay Methods

Admin Area

A client's Pay Methods can be viewed via a dedicated panel on the Client Summary page within the Admin Area.

The default Pay Method will always be displayed at the top of the list, and be indicated via an icon.

Clicking on any Pay Method within the list will open a popup that allows you to view and manage the selected Pay Method.


The following actions are available:

  • Decrypt Card Number - Credit card numbers are always displayed masked, only revealing the last 4 digits. To view the full card number, click the eye icon located to the right of the Card Number field and enter the Credit Card Encryption Hash when prompted.
  • Edit - For an existing Pay Method you can edit certain fields and values. In the case of a credit card, this includes the Expiry Date and Card Description. In the case of a bank account, this includes the Account Holder Name, Account Number, Routing Number and Bank Account Description.
  • Delete - To delete a Pay Method, first click on the Pay Method to open the edit window, and then click the Delete button. You will be asked for confirmation before the deletion is completed.

The Credit Card Encryption Hash can be found within the WHMCS configuration.php file located within the root directory of a WHMCS installation.

To add a new Pay Method, click the "Add Credit Card" or "Add Bank Account" links located within the Pay Methods panel on the Client Summary page. A popup will open allowing you to enter the details for the Pay Method.

Note that these options will only display if you have an appropriate Payment Gateway activated. If you have neither an active merchant gateway nor an active bank account module, no options to add Pay Methods will be displayed.

When multiple Payment Gateways are active, and include a combination of both local card storage and tokenized payment gateway modules, upon selecting to add a credit card, you will be prompted for the Storage Method you wish to use. Essentially you need to tell WHMCS if the card should be tokenized with your desired Payment Gateway, or stored locally and encrypted in the database. In most cases if you have a tokenization payment gateway in use, you will probably want to use this.

Force Delete

If an error occurs deleting a remote Pay Method, or if the gateway that a remote Pay Method is associated with has been deactivated, WHMCS will be unable to delete the record. When this happens, a message will be shown displaying the error that occurred and providing an option to ignore and force delete the Pay Method.

Force deleting a Pay Method will not run anything on the remote gateway system. If required, any records in the gateway account must be removed manually after force deleting from WHMCS.

Client Area

Clients can view and manage Pay Methods via the "Payment Methods" page accessible from the Billing and Account sub-menus within the Client Area.


Clients can view all of their saved Pay Methods, edit (update descriptions and expiry date), delete (if enabled) and change the default Pay Method used for automated recurring payment attempts.

If you have multiple Payment Gateways active, including a mix of both Tokenized and non-tokenized Payment Gateways, customers will be presented with the option to choose the desired Payment Method when adding a Pay Method via the Client Area. This is essential for knowing whether the card should be stored locally encrypted in the WHMCS database, or remotely with the Tokenized Payment Gateway. If you do not wish to allow customers to store cards locally, please refer to the Enforcing Tokenization section below.

Processing Payments

Automated recurring charges are attempted using the default Pay Method for a given client.

If no Pay Methods exist for a client, the client will receive an email informing them that an automated payment could not be attempted and that they must log in and pay the invoice manually.

To use a different card, a client can log in and pay an unpaid invoice manually at any time via the Client Area.

Admin Area users can also attempt a capture at any time using any stored Pay Method. To do this, navigate to the desired invoice within the Admin Area and click the Attempt Capture button. If this button does not appear or is disabled, check the Payment Method that the invoice is assigned to via the Options tab.

Upon clicking the Attempt Capture button, a popup window will appear allowing you to choose the desired Pay Method to be used. Select the desired entry, optionally enter the CVV number for the card if available, and then click the Attempt Capture button to attempt the payment.

Related Settings

The following settings affect the behaviour of Pay Method functionality and can be found in Configuration > System Settings > General Settings > Security or, prior to WHMCS 8.0, Setup > General Settings > Security:

  • Allow Client CC Removal - Enabling this option allows customers to delete saved Pay Methods from their account. It also provides customers with a choice during checkout to allow them to choose to store the payment details they are entering as a saved Pay Method for faster checkouts in future. We recommend leaving this option enabled.
  • Delete Encrypted Credit Card Data - This option allows you to perform a mass-deletion of all encrypted credit card data that is stored within the WHMCS database. You can use this if you want to immediately remove all sensitive Pay Method related data from the database. Note that this action cannot be undone, so exercise caution before using this functionality.

Tokenization of Pay Methods


Tokenization is a process in which sensitive payment details are stored remotely by a payment gateway processor. This is intended to reduce the security burden and limit the liability on you as a business. Examples of payment gateways that support tokenization include Stripe and Quantum Gateway.

When a tokenization payment gateway is in use, the details for a Pay Method are stored remotely by a given payment gateway and therefore the Pay Method is restricted for use only by the given payment gateway.

In such scenarios, the ability to use a given Pay Method with other payment gateways will be restricted. This becomes apparent during checkout, when switching between payment methods (also referred to as payment gateways) changes the list of available Pay Methods. For example, a Stripe Pay Method cannot be used to pay an invoice assigned to and vice-versa.

Tokenization Migration

If you have previously used a Payment Gateway that stores credit cards locally and wish to switch to a Tokenized Payment Gateway solution, the following considerations apply:

  1. Activating a Tokenization Payment Gateway module in addition to a non-tokenized Merchant Gateway module will still allow credit cards to be stored locally by both Admin and Client Users.
  2. Activating a Tokenization Payment Gateway does not remove existing locally stored credit cards from the database. To do this, please refer to the Related Settings above.
  3. To enforce use of a tokenization Payment Gateway for Clients, please see the Enforcing Tokenization section below.
  4. In many cases, WHMCS can convert locally stored credit cards to tokenized cards upon the next automated recurring payment attempt automatically. With some tokenized Payment Gateways this may not be possible due to technical restrictions imposed by the Payment Gateway. Please refer to the documentation for your specific Payment Gateway for further information.

Enforcing Tokenization

To enforce the use of a Tokenization Payment Gateway and prevent new credit cards from being stored locally, you simply need to hide all non-tokenization Payment Gateways from the order form.

To do this, navigate to Configuration > System Settings > Payment Gateways or, prior to WHMCS 8.0, Setup > Payments > Payment Gateways. Then, select the Manage Existing Gateways tab, and ensure the Show on Order Form checkbox is deselected for all non-tokenization Merchant Gateway Modules.

Note that doing this does not delete existing credit cards stored locally in the database. If you wish to do this, an option is available in Configuration > System Settings > General Settings > Security or, prior to WHMCS 8.0, General Settings > Security. Please refer to the Related Settings for more information.
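A checklist for the enforcement steps above, written as an added example (not WHMCS code): it flags non-tokenization gateways still shown on the order form and locally stored cards left behind after the switch. The `Gateway` record, the `local_merchant` name and the card count are assumptions, filled in by hand from the Manage Existing Gateways tab and the client records.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Gateway:
    # Hypothetical inventory record transcribed by an administrator;
    # not a WHMCS API object or database row.
    name: str
    tokenized: bool
    show_on_order_form: bool


def audit_tokenization(gateways: List[Gateway],
                       local_card_count: int) -> List[str]:
    """Return findings; an empty list means tokenization is enforced."""
    findings = []
    if not any(g.tokenized for g in gateways):
        findings.append("no tokenization gateway is active")
    for g in gateways:
        # Hiding the gateway from the order form is the enforcement step.
        if not g.tokenized and g.show_on_order_form:
            findings.append(
                f"{g.name}: non-tokenization gateway is shown on the order "
                "form, so clients can still store cards locally")
    # Hiding gateways does not delete cards already in the database.
    if local_card_count > 0:
        findings.append(
            f"{local_card_count} locally stored card(s) remain; see "
            "Delete Encrypted Credit Card Data under Related Settings")
    return findings


# Constructed sample inventories: before and after the change.
BEFORE = [Gateway("stripe", True, True),
          Gateway("local_merchant", False, True)]
AFTER = [Gateway("stripe", True, True),
         Gateway("local_merchant", False, False)]

if __name__ == "__main__":
    for label, gws, cards in (("before", BEFORE, 12), ("after", AFTER, 0)):
        print(label, audit_tokenization(gws, cards) or "enforced")
```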