This project is not covered by Drupal’s security advisory policy.


This is a payment gateway for Ubercart that implements v2.23/v3.00 of the "Direct Integration & Protocol Guideline", allowing Ubercart to accept credit card payments via Sage Pay without redirecting the user offsite. It can process 3D-Secure transactions through the "Verified By Visa" and "MasterCard SecureCode" schemes.


This module allows fine control over the Apply3DSecure component of the protocol via the workflow-ng (on Drupal 5.x) or Ubercart's Conditional Actions module (on Drupal 6.x). You can use any of the Ubercart conditions to change this value. This module also exposes a new condition which lets you control whether to apply the action of setting the 3D-Secure flag depending of what card type was being used.

Mail Order/Telephone Order transactions

In 6.x, the module also allows fine control over the AccountType parameter via Conditional Actions, so you can flag an admin-created order as a telephone transaction with SagePay, meaning that some of the security checks and the 3D-Secure password will be skipped due to the customer not being present.

PCI DSS compliant information

You can read some discussion on that matter on #1001494: PCI DSS compliance, but the most important thing to note on this subject is that the PCI complaint tests look at your site from an external point of view and don't audit or verify the code that is actually running. Dedicated servers and VPSes with a standard, secure Linux setup and and a few configuration tweaks to Apache are sufficient to pass. Sites built with either version of this module are passing PCI DSS compliant tests.


The 6.x-3.x branch adds the following:

  • Protocol v3.00.
  • Authenticate-only transactions.
  • Refunds (click "Process card" from the admin order view).
  • Sage Pay token system submodule (securely stores card details, except CVV, for reuse in future orders).
  • PayPal integration submodule.
  • Recurring payments (uses Sage Pay tokens and uc_recurring).
  • No dependency on cURL.

A full release will be made after further testing has been completed. Feedback on this version of the module is encouraged.

Drupal 7 and Ubercart 7.x-3.x

This module has been renamed for Drupal 7. See

Sage Pay Go Server integration

This module only supports Direct integration. For the Server integration method, see uc_sagepayserver.

Original development sponsored by Infomagnet.
Drupal 6 port sponsored by LKB Academy.

A few useful Sage Pay pages I found while working on this module:

Project information