
Create and Configure Payment Pages 2.0

You can create and configure Payment Pages 2.0 only through the Zuora UI. Creating Payment Pages 2.0 through the API is not supported.

  1. In the UI, navigate to Payments Settings > Setup Hosted Pages.
  2. Configure the tenant-level security settings for your hosted page. See Tenant-level security settings for Payment Pages 2.0 for details.
  3. Select a payment method type for your hosted page from the Type dropdown list, and then click Create New Hosted Page. The following payment method types are supported for Payment Pages 2.0; click a type for its detailed configuration steps:
    • Credit Card
    • Credit Card Reference working with the Stripe v2 gateway (Limited Availability)
    • CyberSource Token for Credit Card Reference working with the CyberSource Tokenization gateway (Limited Availability)
    • Bank Transfer, including the following Bank Transfer types:
      • SEPA
      • ACH
      • UK Direct Debit
      • AU Direct Entry
      • New Zealand Direct Debit
      • Sweden Direct Debit (Autogiro)
      • Denmark Direct Debit (Betalingsservice)
      • Canadian Pre-Authorized Debit (PAD)

Tenant-level security settings for Payment Pages 2.0

IP-based rate limiting configuration

Zuora offers IP-based rate limiting to help you manage fraud and malicious use of Payment Pages. IP-based rate limiting is enabled automatically for your Payment Pages 2.0, including pages set up through the embedded iFrame and Direct POST methods. You can tune it with the following settings; keep the values within the allowed ranges shown in the UI.

  • IP Whitelist - IP ranges on the whitelist are not subject to rate limiting. You can specify a maximum of 50 IPv4 address ranges or 20 IPv6 address ranges. Because whitelisted sources bypass this protection entirely, keep the list to addresses you control, such as your own test infrastructure.
  • Submission Limit Per Minute - The number of times a page can be submitted per minute from the same IP. The default value is 3.
  • Submission Limit Per Hour - The number of times a page can be submitted per hour from the same IP. The default value is 6.

If the number of page submissions from an IP exceeds the configured thresholds, the submission fails with an error. See the Submit_Too_Quick error code for more information.

Card-based rate limiting

Zuora also provides card-based rate limiting as a means of fraud prevention for Payment Pages. This feature is enabled by default in all production environments, cannot be disabled, and is not exposed for configuration. Zuora manages the following thresholds for authorization attempts on the same credit card:

  • 3 times a minute
  • 6 times an hour
  • 10 times a day

For example, an unauthorized user who is trying to guess a card's CVV code might submit up to 999 attempts for the same card number. Card-based rate limiting cuts this off as soon as attempts on that card reach the maximum allowed: 3 per minute, 6 per hour, or 10 per day. When any one of these three thresholds is reached, Zuora blocks the card for 24 hours.

If the number of authorization attempts for the same card exceeds these thresholds, an error occurs. See the Submit_Too_Quick error code for more information.

When testing in production environments, use several different cards or leave a longer interval between submissions so that your tests do not trip these thresholds.

This feature is supported only in production environments. It cannot be enabled in any API Sandbox or Central Sandbox environment.
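The two limiters above are easier to reason about when their thresholds can be exercised. The following is an added example, not Zuora's implementation: an in-memory model of IP-based limiting (3 per minute and 6 per hour, whitelisted ranges exempt) and card-based limiting (3 per minute, 6 per hour, 10 per day, 24-hour block), with a replay of the CVV-guessing scenario from the text. Class and function names, the in-memory storage, the choice to count rejected submissions, and the test card number are all assumptions of the example.

```python
"""Added example (not Zuora code): a model of the two tenant-level limiters
described on the page, so their semantics can be exercised offline.

- IP-based: 3 submissions/minute and 6/hour per IP, whitelisted ranges
  exempt (the page's default values).
- Card-based: 3/minute, 6/hour, 10/day per card; crossing any threshold
  blocks that card for 24 hours.

Storage is in-memory and time is passed in explicitly. The page does not
say how Zuora stores its counters or whether rejected submissions count;
here every submission counts (an assumption).
"""
import hashlib
import ipaddress
from collections import defaultdict, deque

MINUTE, HOUR, DAY = 60, 3600, 86400


class SlidingWindowLimiter:
    """Counts submissions per key over several sliding windows at once."""

    def __init__(self, limits):
        self.limits = dict(limits)          # {window_seconds: max allowed}
        self.longest = max(self.limits)
        self.events = defaultdict(deque)    # key -> ascending timestamps

    def record_and_check(self, key, now):
        """Record a submission at `now`; return True if it is within limits."""
        q = self.events[key]
        q.append(now)
        while q and now - q[0] >= self.longest:   # forget stale timestamps
            q.popleft()
        for window, limit in self.limits.items():
            if sum(1 for t in q if now - t < window) > limit:
                return False
        return True


class IpRateLimiter:
    """Per-IP limiter with a whitelist of exempt CIDR ranges (IPv4 or IPv6)."""

    def __init__(self, whitelist=(), per_minute=3, per_hour=6):
        self.whitelist = [ipaddress.ip_network(c, strict=False) for c in whitelist]
        self.limiter = SlidingWindowLimiter({MINUTE: per_minute, HOUR: per_hour})

    def allow(self, ip, now):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return True                      # whitelisted: never rate limited
        return self.limiter.record_and_check(str(addr), now)


class CardRateLimiter:
    """Per-card limiter: fixed thresholds, 24-hour block once one is crossed."""

    LIMITS = {MINUTE: 3, HOUR: 6, DAY: 10}

    def __init__(self):
        self.limiter = SlidingWindowLimiter(self.LIMITS)
        self.blocked_until = {}

    @staticmethod
    def card_key(pan):
        # Key on a digest so the limiter itself never holds the card number.
        return hashlib.sha256(pan.encode()).hexdigest()

    def allow(self, pan, now):
        key = self.card_key(pan)
        if self.blocked_until.get(key, -1) > now:
            return False                     # still inside the 24-hour block
        if self.limiter.record_and_check(key, now):
            return True
        self.blocked_until[key] = now + DAY  # first excess attempt starts the block
        return False


def simulate_cvv_brute_force(pan="4111111111111111", attempts=999, spacing=0.0):
    """Replay the page's CVV-guessing scenario: `attempts` tries on one card,
    `spacing` seconds apart. Returns (accepted, rejected).
    The PAN is a constructed test number, not a real card."""
    limiter = CardRateLimiter()
    accepted = rejected = 0
    for i in range(attempts):
        if limiter.allow(pan, i * spacing):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    print("burst:", simulate_cvv_brute_force())                 # (3, 996)
    print("25 s apart:", simulate_cvv_brute_force(spacing=25))  # (6, 993)
```

The burst run is stopped by the per-minute threshold after three attempts. Spacing attempts 25 seconds apart stays under that threshold but trips the six-per-hour one on the seventh try, which is why the page recommends spreading test submissions out or rotating several cards when testing in production.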

Configure Google reCAPTCHA

The CAPTCHA challenge feature for Payment Pages 2.0 is built on the Google reCAPTCHA service. Adding Google reCAPTCHA to your pages lets Google monitor the traffic on your site so that abusive traffic can be identified at an early stage. Zuora supports both reCAPTCHA v2 Classic and reCAPTCHA Enterprise.

Support for Google reCAPTCHA Enterprise is in the Early Adopter phase; Zuora is actively soliciting feedback from a small set of early adopters.

For details about enabling reCAPTCHA in Zuora, see Advanced Security Measures for Payment Pages 2.0.

Configure reCAPTCHA v2 Classic

To use your own Google Cloud account with Google reCAPTCHA v2 Classic, enter your own Site Key and Secret Key in the Google reCAPTCHA v2 Keys Configuration section. You can obtain both keys from your Google reCAPTCHA Admin Console; see the Google reCAPTCHA developer documentation for details. Because reCAPTCHA keys are bound to the domains registered for them, you must add the domains of both your sandbox and production environments in the Google reCAPTCHA Domains setting. The Secret Key is a server-side credential and should be handled like any other secret.

If you do not provide your own keys, Zuora's Google Cloud account and settings are used by default.

Configure reCAPTCHA Enterprise

In the Google reCAPTCHA Enterprise Configuration section, click Edit and then you can configure the following settings.

Configure Risk Score Threshold

Configure the Risk Score Threshold setting to set a tenant-level threshold for how much risk a user interaction may pose before it is treated as suspicious. The value must be between 0.01 and 1, with one or two decimal places. Google suggests starting with a threshold of 0.5, and 0.5 is used by default if no value is set. The tenant-level value can be overridden by the page-level Risk Score Threshold value; for the page-level setting, see Advanced Security Measures for Payment Pages 2.0.

For more information about the risk score interpretation from Google, see https://cloud.google.com/recaptcha-enterprise/docs/overview.
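The following is an added example, not Zuora code, that makes the override order and the validation rule above concrete: it validates a threshold string (0.01 to 1, one or two decimal places), resolves the effective threshold (page-level value, else tenant-level, else Google's suggested 0.5), and applies it to a score. It follows Google's documented interpretation, linked above, that scores run from 0.0 (likely automated) to 1.0 (likely human), so a score below the threshold is the risky case. The function names are the example's own, and accepting a bare "1" without decimals is an assumption.

```python
"""Added example (not Zuora code): resolve the effective reCAPTCHA Enterprise
risk-score threshold and apply it to a score."""
import re
from decimal import Decimal

DEFAULT_THRESHOLD = Decimal("0.5")          # Google's suggested starting point
_FORMAT = re.compile(r"^\d(\.\d{1,2})?$")   # one or two decimal places


def parse_threshold(raw):
    """Validate a threshold per the page's rule; return a Decimal or None.

    Raises ValueError on bad input. Assumption: a bare "1" is accepted
    alongside "1.0" and "1.00".
    """
    if raw is None or raw == "":
        return None                          # setting not configured
    if not _FORMAT.match(raw):
        raise ValueError(f"bad threshold format: {raw!r}")
    value = Decimal(raw)
    if not Decimal("0.01") <= value <= Decimal("1"):
        raise ValueError(f"threshold out of range: {raw!r}")
    return value


def is_valid_threshold(raw):
    """True if `raw` is a configured, well-formed, in-range threshold."""
    try:
        return parse_threshold(raw) is not None
    except ValueError:
        return False


def effective_threshold(tenant_raw=None, page_raw=None):
    """Page-level value wins; else tenant-level; else the 0.5 default."""
    page = parse_threshold(page_raw)
    if page is not None:
        return page
    tenant = parse_threshold(tenant_raw)
    return tenant if tenant is not None else DEFAULT_THRESHOLD


def is_risky(score, tenant_raw=None, page_raw=None):
    """Scores run 0.0 (likely automated) to 1.0 (likely human); an interaction
    scoring below the effective threshold is treated as risky."""
    return Decimal(str(score)) < effective_threshold(tenant_raw, page_raw)


if __name__ == "__main__":
    print(effective_threshold("0.7", "0.3"))   # 0.3 (page-level overrides tenant-level)
    print(is_risky(0.4), is_risky(0.6))        # True False (default 0.5)
```

Raising the threshold makes the check stricter (more interactions fall below it), so a page that takes more abuse than the rest of the tenant is the natural place for a page-level override.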

Configure Google Cloud Enterprise Account

You can use Google reCAPTCHA Enterprise with either your own Google Cloud Enterprise account or Zuora's Google Cloud Enterprise account.

To use your own account, configure the following credentials in the Google reCAPTCHA Enterprise Configuration section:

You can obtain these fields from your Google reCAPTCHA Admin Console. For more information, see Google reCAPTCHA developer documentation. Note that you have to add your domains for both sandbox and production environments in the Google reCAPTCHA Domains setting.

Raw Gateway Info Configuration

When the Need to Return Raw Gateway Info setting is enabled, raw gateway information is returned in Payment Pages 2.0 responses. Because these responses are delivered to the client, review what your gateway returns before enabling this setting. For the fields returned in rawGatewayInfo for each gateway, see Fields returned in rawGatewayInfo.

Advanced configuration

Comparison of attempt limiting settings for Payment Pages 2.0

The following table lists and compares the different attempt limiting settings offered by Zuora for Payment Pages 2.0.

  • IP-based rate limiting
    • Where to find it: Payments Settings > Setup Hosted Pages > Rate Limiting Configuration
    • Threshold level: Tenant
    • Description: Defines the number of times a page can be submitted per minute and per hour from the same IP.
    • More information: See IP-based rate limiting configuration.
  • Card-based rate limiting
    • Where to find it: Not available in the UI for self-configuration
    • Threshold level: Tenant
    • Description: Defines the number of times a page can be submitted per minute, per hour, and per day for the same card.
    • More information: See Card-based rate limiting.
  • Limit the number of submissions before CAPTCHA Challenge
    • Where to find it: Payments Settings > Setup Hosted Pages > Create New Hosted Page > Security Information > Google reCAPTCHA > Google reCAPTCHA V2 Classic
    • Threshold level: Page
    • Description: For Google reCAPTCHA v2 Classic, defines the number of failed submissions in a session after which a CAPTCHA security challenge is required.
    • More information: See Advanced security measures.
  • Limit the number of submissions before blocking submission
    • Where to find it: Payments Settings > Setup Hosted Pages > Create New Hosted Page > Security Information > Token Expiration
    • Threshold level: Page
    • Description: Defines the number of failed submissions in a session after which Zuora stops forwarding the payment page's requests to the gateway.
    • More information: See Advanced security measures.