Opayo Magento 2 Common Errors

SameSite Cookie Errors

Chrome recently launched an update restricting cookies from other sites such as the ones created by Opayo.


You can fix this following one of the guides below:


For Apache users, add the following entry to the Apache configuration file:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None


For nginx users please read the following doc: https://geekflare.com/httponly-secure-cookie-nginx/

For nginx plus users please read the following doc: https://docs.nginx.com/nginx/admin-guide/dynamic-modules/cookie-flag/
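The Apache directive above appends its three attributes to every Set-Cookie header, including cookies that already carry their own. The sketch below is an added example, not part of the original guide or the Opayo module: it models the substitution in Python and audits the result. The cookie names and values are constructed samples.

```python
import re

# Replacement string from the Apache directive above ($1 becomes \1 in Python).
SUFFIX = ";HttpOnly;Secure;SameSite=None"

def apache_edit(set_cookie):
    """Model the page's `Header edit Set-Cookie` rule on one header value."""
    return re.sub(r"^(.*)$", r"\1" + SUFFIX, set_cookie, count=1)

def audit(set_cookie):
    """Return findings for one Set-Cookie header value."""
    attrs = [a for a in set_cookie.split(";")[1:] if a.strip()]
    pairs = [(k.strip().lower(), v.strip().lower())
             for k, _, v in (a.partition("=") for a in attrs)]
    names = [k for k, _ in pairs]
    samesite = {v for k, v in pairs if k == "samesite"}
    findings = [f"duplicate {n}" for n in sorted(set(names)) if names.count(n) > 1]
    if len(samesite) > 1:
        # Which value applies then depends on the browser's cookie parser.
        findings.append("conflicting SameSite values")
    if "none" in samesite and "secure" not in names:
        findings.append("SameSite=None without Secure")
    return findings

# Constructed sample headers, not captured from a real store.
SAMPLES = [
    "PHPSESSID=abc123; path=/; HttpOnly; SameSite=Lax",
    "example_pref=1; path=/",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        edited = apache_edit(raw)
        print(edited, "->", audit(edited) or "ok")
```

Running the audit against the headers your own server returns after the change shows which cookies ended up with duplicated or conflicting attributes.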

Message not from "trusted origin"

This is caused when the Magento_Csp module is disabled (Magento 2.4).

To enable it, run the following command:

bin/magento module:enable Magento_Csp

If enabling it is not possible, add the following policies to your Content Security Policies on Nginx/Apache:









API endpoints abused for stolen credit card testing

One way to avoid this is to block the IP addresses making the purchases.
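To find the addresses to block, count payment submissions per client IP in the web server access log. The sketch below is an added example, not code from the Opayo module. It assumes a combined-format access log and Magento's guest-cart payment-information REST route as the endpoint being hit, and it emits nginx `deny` lines. The log lines, threshold and IP addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample access log (combined format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /rest/default/V1/guest-carts/c1/payment-information HTTP/1.1" 400 96
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /rest/default/V1/guest-carts/c2/payment-information HTTP/1.1" 400 96
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /rest/default/V1/guest-carts/c3/payment-information HTTP/1.1" 400 96
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "POST /rest/default/V1/guest-carts/c4/payment-information HTTP/1.1" 200 4
198.51.100.20 - - [10/Mar/2024:10:02:11 +0000] "POST /rest/default/V1/guest-carts/c9/payment-information HTTP/1.1" 200 4
198.51.100.20 - - [10/Mar/2024:10:02:15 +0000] "GET /checkout/onepage/success/ HTTP/1.1" 200 5120
"""

# Client IP, method and path from a combined-format line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# Assumed endpoint: guest-cart payment submission, with or without a store code.
PAYMENT_PATH = re.compile(r"^/rest/(?:[^/]+/)?V1/guest-carts/[^/]+/payment-information")

def suspect_ips(log_text, threshold=3):
    """Return IPs with at least `threshold` payment POSTs in the given log slice."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path = m.groups()
        if method == "POST" and PAYMENT_PATH.match(path):
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def deny_rules(ips):
    """Render one nginx access-module `deny` line per address."""
    return [f"deny {ip};" for ip in ips]

if __name__ == "__main__":
    print("\n".join(deny_rules(suspect_ips(SAMPLE_LOG))))
```

Feed the function a bounded time slice of the log (for example the last hour) and tune the threshold so that a customer retrying a declined card a couple of times is not blocked.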



In addition, the links below have more information on this matter:


General guidelines from Adobe



General strategies to prevent this



Some recommendations for PayPal


One Step Checkout Error


We are aware of an error on Magento 2.4 when using version 1.2.040 (OSC) and 1.4.2 (Opayo Suite, formerly SagePay Suite).

This can be easily solved by updating OSC to the latest release.


Your Opayo Suite license is invalid


This error is provided when you haven't entered a valid license on the module configuration page. Please note that the license keys are unique for each URL. We can provide you with up to 4 free dev licenses if your support is up to date. Since the dev licenses are free, the domain must indicate that the site is a dev site: the URL must contain the word dev, local, beta, staging, test, etc. (e.g. dev.mysite.com). Please email us directly at sagepay@ebizmarts-desk.zendesk.com.

Invalid Opayo API Credentials


This error is provided when your credentials on the basic settings are not correct or are from the wrong environment. Please note that if you want to use TEST mode the credentials should be from the SagePay test environment.

Token expired and causing problems when running composer update

If your token expired and it's causing problems when you run composer update, you can renew your support to get a new token or simply run:

composer config --unset repositories.ebizmarts

Invalid merchant authentication


This error is provided when your API Credentials on the PI Integration are not correct. You can read how to configure PI Integration and where to find your API Credentials HERE.

Authentication values are missing


This error is provided when you haven't entered the credentials on the PI Integration. You can read how to configure PI Integration HERE.

Something went wrong: Invalid FORM encrypted password.


This error is provided when your Encryption password is not correct. You can read how to configure FORM Integration HERE.

5006 - Unable to redirect to Vendor's web site. The Vendor failed to provide a RedirectionURL.


This is a wildcard error message. It could mean a lot of things, but here are a few common issues that might lead to it:

- A firewall is not letting Sage Pay POST information to Magento

- The site is in maintenance mode and restricted to only some IP addresses, or is subject to any other kind of restriction

- The site is protected with a username and password, so people cannot view it unless they enter the correct information. In this case, the restriction can be bypassed if you only filter GET requests; more information here.

- An error in Magento is happening when the POST data reaches our controller, before or after.

- SSL 3.0 is enabled, Sage Pay does not reach servers that are using SSL 3.0.


Something went wrong: Invalid transaction id (Magento 2.3)


To fix this, follow the steps below:

1. Run bin/magento setup:db-schema:upgrade

2. Go to the database and find the table sales_order_payment. In the structure of the table, look for the field last_trans_id and check that the length of the field is 100.

3. If the length is not 100, go to the table patch_list, remove the entry Ebizmarts\SagePaySuite\Setup\Patch\Schema\EnlargeLastTransId and repeat the previous steps.

4. Clean Magento's cache by running bin/magento cache:flush


Google ReCaptcha incompatibility


At the moment our module is not compatible with Google ReCaptcha.

FORM Integration works correctly, but the PI, Server and PayPal Integrations do not work, showing the error message 'Unable to create Elavon payment, please use another payment method'.

We will be working on compatibility with ReCaptcha in a future update.

4020 - Information received from an Invalid IP address


One of the most common Sage Pay errors we are asked to solve is the 4020 one.

Actually, this error has nothing to do with the Sage Pay Suite extension. It means that the IP address where the Magento store runs has not been added to the "My Sage Pay" account being used. Most of the time it's pretty easy to solve: just log into your "My Sage Pay" account, then go to "Settings -> Valid IPs" and enter your server's IP address.

If you are unsure what your server's IP address is, or Sage Pay is still refusing your IP address, you can follow a few easy steps to get the exact IP address Sage Pay is being contacted from:

1- Get yourself a free Sage Pay Simulator account here (or enter our simulator vendorname, which is ebizmartssp).

2- Go to your Magento Admin site, then go to System -> Configuration -> Sales -> Sage Pay -> Sage Pay Suite [Global] and set "Vendor" to your Simulator vendor.

3- Then set the Sage Pay Suite extension to "Simulator" Mode. You can do this in either the "Sage Pay Suite [SERVER Integration]" or the "Sage Pay Suite [DIRECT Integration]" section.

4- Save the settings and then refresh the cache.

5- Try a new order. You'll still get the 4020 error, but this time Sage Pay will echo back the IP address.

If you still experience issues you'll have to email Sage Pay support, include your vendor name, and a screenshot of the alert box showing the 4020 error and the IP address returned by Sage Pay.