Navigate to Payments Settings > Setup Hosted Pages in the Zuora UI to configure Payment Pages 2.0.
Configure security settings for Payment Pages 2.0
Before configuring a Payment Page for a specific payment method type, you can optionally configure the following security settings:
- Rate limiting for all Payment Pages in your Zuora tenant.
- Google reCAPTCHA v2 keys.
- Raw Gateway Info Configuration.
Rate limiting configuration
Zuora provides several rate limiting settings to help you manage fraud and malicious use of Payment Pages. The following settings are specific to Payment Pages 2.0:
- Enable Rate Limiting - Select this check box if you want to enable rate limiting for your Payment Pages.
- IP Whitelist - The whitelisted IP ranges are not subject to the rate limiting configuration. You can specify a maximum of 50 IPv4 address ranges or 20 IPv6 address ranges.
- Submission Limit Per Minute - The number of times a page can be submitted per minute per IP. The default value is 3.
- Submission Limit Per Hour - The number of times a page can be submitted per hour per IP. The default value is 15.
If the number of page submissions exceeds the configured thresholds, the "Too many submissions. Please retry later." error message is displayed.
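The following added example (not Zuora code) models how the whitelist and the two per-IP limits interact, so you can replay expected traffic, such as a call center behind one NAT address, before choosing thresholds. The class and function names are hypothetical, and the sliding 60-second and 3600-second windows are an assumption, because this page does not state how the windows are measured.

```python
import ipaddress
from collections import defaultdict, deque

# Defaults, caps and error text as stated on this page.
PER_MINUTE, PER_HOUR = 3, 15
MAX_V4_RANGES, MAX_V6_RANGES = 50, 20
ERROR = "Too many submissions. Please retry later."


class SubmissionLimiter:
    """Local model of per-IP submission limits with an IP whitelist.

    Assumption: sliding 60 s / 3600 s windows, and rejected submissions
    are not counted against the limits.
    """

    def __init__(self, whitelist=(), per_minute=PER_MINUTE, per_hour=PER_HOUR):
        self.nets = [ipaddress.ip_network(r, strict=False) for r in whitelist]
        v4 = sum(n.version == 4 for n in self.nets)
        if v4 > MAX_V4_RANGES or len(self.nets) - v4 > MAX_V6_RANGES:
            raise ValueError("whitelist exceeds 50 IPv4 or 20 IPv6 ranges")
        self.per_minute, self.per_hour = per_minute, per_hour
        self.accepted = defaultdict(deque)  # address -> accepted timestamps

    def submit(self, ip, now):
        """Return (allowed, message) for a submission from ip at time now (s)."""
        addr = ipaddress.ip_address(ip)
        if any(addr.version == n.version and addr in n for n in self.nets):
            return True, ""  # whitelisted ranges bypass rate limiting
        q = self.accepted[addr]
        while q and now - q[0] >= 3600:  # forget entries older than one hour
            q.popleft()
        last_minute = sum(1 for t in q if now - t < 60)
        if last_minute >= self.per_minute or len(q) >= self.per_hour:
            return False, ERROR
        q.append(now)
        return True, ""


def replay(limiter, events):
    """events: iterable of (seconds, ip). Returns the list of allowed flags."""
    return [limiter.submit(ip, t)[0] for t, ip in events]
```

Replaying a constructed event list shows which limit a legitimate shared address hits first: the per-minute limit during bursts, the per-hour limit under steady use.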
Google reCAPTCHA v2 Keys Configuration
The CAPTCHA challenge feature for Payment Pages 2.0 in Zuora is based on the Google reCAPTCHA service. Adding Google reCAPTCHA lets you monitor the traffic on your site so that potential security issues can be identified at an early stage. To add Google reCAPTCHA, specify the following fields in the Google reCAPTCHA v2 Keys Configuration area:
- Site Key
- Secret Key
Both fields are Google reCAPTCHA v2 keys that you can obtain from your Google reCAPTCHA Admin Console. For more information, see Google reCAPTCHA developer documentation. Note that you have to add your domains for both sandbox and production environments in the Google reCAPTCHA Domains setting.
Raw Gateway Info Configuration
With the Need to Return Raw Gateway Info setting enabled, the raw gateway information can be returned in Payment Pages 2.0 responses. For detailed information about fields returned in rawGatewayInfo for different gateways, see Fields returned in rawGatewayInfo.
- Validate Client-Side HPM Parameters - With this setting enabled, the client parameters in the requests for rendering or submitting Payment Pages 2.0 are validated by comparing them with the values specified in the digital signature. See Validate client-side HPM parameters for more information.
- Allow Subdomain Callback for Hosted Pages - With this setting enabled, your hosted payment pages and callback pages can reside in the subdomain of the hosted domain that you specified when configuring the payment pages. See the following articles for more information.
Create Payment Pages 2.0
The following payment method types are supported for Payment Pages 2.0. Click the following payment method types for the detailed configuration steps: