
Configure Advanced Security Checks for Payment Pages 2.0

For tighter security around Payment Pages 2.0, Zuora supports additional security checks. 


To configure advanced security checks for Payment Pages 2.0, you must complete the tasks in the following checklist to set up the Payment Page:

  1. Generate a new signature for each Payment Page and Direct POST render. 
    • Generate a new signature in your callback page if you want to re-render a Payment Page in the Inline Button Outside mode after a previous submission fails. A callback page will usually try to re-render the page when a submission has failed.
    • If you implement Payment Pages 2.0 via Direct POST, generate a new signature for each Direct POST request that is sent to Zuora.
  2. Customize the error messages for the Attempt_Exceed_Limitation, ReCaptcha_Validation_Failed, and Submit_Too_Quick error codes. 
    See Error Handling for Payment Pages 2.0 for more information.
  3. If the CAPTCHA challenge feature is enabled, ensure that the elements surrounding the hosted page support changes in the HPM iFrame width and height.
  4. Ensure that you use the 1.3.0 or later version of zuora.js.

The Inline Button Outside mode only supports Three Domain Secure (3D Secure) on Payment Pages 2.0. If you are using this mode, you cannot limit the number of Payment Page submissions before CAPTCHA challenge or limit the number of Payment Page submissions before Disabled Submit for security checks.

Secure your Payment Pages 2.0

To help reduce and manage your risk from potential credit card fraud, Zuora strongly recommends that you enable the CAPTCHA Challenge feature and configure the proper rate limiting for your Payment Pages.

Configure Rate Limiting

Zuora provides several tenant-level rate limiting settings to help you manage fraud and malicious use of Payment Pages. See Rate limiting configuration for more information.

Configure CAPTCHA

  • If you use HPM iFrame integration:

    Ensure that you have CAPTCHA enabled for any Payment Page you have configured to accept credit cards. Recommended values are:

    • Enable Captcha: Selected.
    • Limit the number of submission before CAPTCHA Challenge: 0
    • Limit the number of submission before blocking Submission: 3. You can adjust this to your requirements and risk tolerance, but we recommend keeping it low.

    For more information about these settings, see the Understand Advanced Security Checks section below.

  • If you use HPM Direct POST integration:

    Ensure that you have implemented your own CAPTCHA and rate limiting for any Payment Pages that you have created that accept credit cards. We also recommend:

    • Enforce CAPTCHA or other bot/fraud detection prior to first submission.
    • Limit the rate of submissions from individual submission sources. For example, no more than 3 submissions per minute from a single source.

    See Best practices for Direct POST for more information.
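The per-source limit recommended above for Direct POST, as an added example that is not Zuora's code: a sliding-window limiter that decides, before a request is forwarded to Zuora, whether a source has exceeded 3 submissions in the last minute. It assumes the source key is the client IP string and that an in-memory Map is an acceptable store (a shared store is needed across several servers).

```javascript
// Added example (not Zuora's code): sliding-window limiter enforcing
// "no more than 3 submissions per minute from a single source" for a
// Direct POST integration. Assumed: source = client IP, in-memory store.

const WINDOW_MS = 60 * 1000;  // one minute
const MAX_SUBMISSIONS = 3;    // recommended ceiling per source per window

class SubmissionLimiter {
  constructor(windowMs = WINDOW_MS, max = MAX_SUBMISSIONS) {
    this.windowMs = windowMs;
    this.max = max;
    this.attempts = new Map();  // source -> timestamps (ms) of forwarded POSTs
  }

  // Returns true when the submission may be forwarded to Zuora, false when
  // the source has already used its quota in the current window. Only
  // forwarded submissions are recorded; rejected ones do not extend the window.
  allow(source, now = Date.now()) {
    const recent = (this.attempts.get(source) || [])
      .filter(t => now - t < this.windowMs);
    const allowed = recent.length < this.max;
    if (allowed) recent.push(now);
    this.attempts.set(source, recent);
    return allowed;
  }
}

// Runs a submission log of [source, seconds after an arbitrary t0] pairs
// through the limiter and reports whether each POST would be forwarded.
function decide(log, limiter = new SubmissionLimiter()) {
  const t0 = 1700000000000;
  return log.map(([source, sec]) => ({
    source, sec, forwarded: limiter.allow(source, t0 + sec * 1000),
  }));
}

// Constructed sample: one source bursts four times within 30 s, then retries
// after its first attempt has aged out of the window; a second source posts once.
const SAMPLE_LOG = [
  ['203.0.113.5', 0], ['203.0.113.5', 10], ['203.0.113.5', 20],
  ['203.0.113.5', 30], ['198.51.100.7', 31], ['203.0.113.5', 61],
];
```

The fourth request from 203.0.113.5 is rejected, while the retry at 61 s is forwarded again because the window slides rather than resetting per minute.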

The following table summarizes the recommended configuration for Zuora's CAPTCHA settings for iFrame and Direct POST respectively:

Security setting for a new Payment Page                    | Payment Pages implemented via iFrame | Payment Pages implemented via Direct POST
-----------------------------------------------------------|--------------------------------------|------------------------------------------------
Enable Captcha                                             | Selected                             | Deselected
Limit the number of submission before CAPTCHA Challenge    | 0                                    | N/A
Limit the number of submission before blocking Submission  | 3                                    | 3 for client (your website) to Zuora server

Set up Event Handler for Processing CAPTCHA Interaction

If you have implemented a loading overlay after form submission, you can use the event handler function Z.setEventHandler to support the end-user interaction with the CAPTCHA challenge.

Z.setEventHandler("onCaptchaStateChange", function(event) {
        if (event.visible) {
                // When CAPTCHA is visible, remove the loading overlay so that the end-user can interact with CAPTCHA
        } else {
                // When CAPTCHA is invisible once the challenge completes, display the loading overlay again
        }
});

Understand Advanced Security Checks

Enable Captcha

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a type of challenge-response test used in computing to determine whether or not the user is human. The CAPTCHA challenge protects you against potential automated abuse of Payment Page submissions. This check box is used to enable the CAPTCHA Challenge feature. 

Limit the Number of Payment Page Submissions before CAPTCHA Challenge

End users are not challenged until the number of times they have submitted incorrect information on the Payment Page reaches the value of the Limit the number of submission before CAPTCHA Challenge field. Once they hit this threshold, the CAPTCHA challenge page is displayed on every submission attempt, and they must pass the CAPTCHA challenge for every further Payment Page submission.

The CAPTCHA challenge page is displayed even after the number of Payment Page submission failures exceeds the value of the Limit the number of submission before blocking Submission field to slow down the frequency of potential attacks.

Limit the Number of Payment Page Submissions before Disabled Submit

You can enable the Disabled Submit feature by setting a positive integer for the Limit the number of submission before blocking Submission field on the Zuora UI. With this feature enabled: 

When the value of the Limit the number of submission before blocking Submission field is exceeded, the Submit button itself is not disabled. However, subsequent requests are not sent to the gateway even if end users click Submit: Zuora responds directly with an error message and error code to inform end users that they have tried too many times. When the submission threshold is reached, you need to regenerate a signature and provide end customers with a way to re-render the page. You can also customize the error message for the Attempt_Exceed_Limitation error code.

The value of the Limit the number of submission before blocking Submission field must be greater than the value of the Limit the number of submission before CAPTCHA Challenge field. The value of both these thresholds must be equal to or greater than 0. 
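The event handler from the Set up Event Handler section and the regenerate-and-re-render requirement above, combined in one added example that is not zuora.js or Zuora documentation code. It assumes Z is the zuora.js global with Z.setEventHandler and Z.render(params, prepopulateFields, callback), that the overlay object exposes show() and hide(), and that fetchSignature(cb) wraps the merchant's own backend endpoint and calls cb with fresh render parameters (new signature, token and key).

```javascript
// Added example (not zuora.js or Zuora documentation code). Assumed:
// Z = zuora.js global, overlay has show()/hide(), fetchSignature(cb) calls
// the merchant backend and passes fresh render params to cb.

// Error codes after which the page must be re-rendered with a new signature.
const RERENDER_CODES = new Set(['Attempt_Exceed_Limitation', 'Submit_Too_Quick']);

// Keep the loading overlay out of the way while the CAPTCHA challenge is shown.
function attachCaptchaOverlay(Z, overlay) {
  Z.setEventHandler('onCaptchaStateChange', function (event) {
    if (event.visible) {
      overlay.hide();   // let the end user interact with the CAPTCHA
    } else {
      overlay.show();   // challenge completed, submission continues
    }
  });
}

// Builds the callback passed to Z.render. Once the blocking threshold is
// reached the old signature cannot be reused, so a fresh one is fetched from
// the merchant backend before every re-render. onOutcome receives a summary.
function makeRenderCallback(Z, overlay, fetchSignature, onOutcome) {
  return function callback(response) {
    overlay.hide();
    if (response.success) {
      onOutcome({ status: 'success', refId: response.refId });
      return;
    }
    if (RERENDER_CODES.has(response.errorCode)) {
      fetchSignature(function (freshParams) {
        Z.render(freshParams, {}, callback);   // same callback, new signature
      });
      onOutcome({ status: 'rerendered', errorCode: response.errorCode });
      return;
    }
    onOutcome({ status: 'failed', errorCode: response.errorCode });
  };
}
```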

Enable 3D Secure

This feature is in Controlled Release. Submit a request at Zuora Global Support to get this feature enabled for your tenant.

With this feature, Zuora will perform the 3D Secure check for Visa, MasterCard, and American Express credit cards. 

To use the 3D Secure feature, you must select the Verify new credit card check box on the corresponding payment gateway configuration page. Otherwise, 3D Secure will not be performed even if you enable the 3D Secure feature.

For more information, see 3D Secure for Payment Pages 2.0.

Enable 3D Secure 2.0

Zuora supports 3D Secure 2.0 for Payment Pages 2.0. 3DS2 is the solution for strong customer authentication (SCA) and requires you to send additional data with each transaction so that the bank can validate whether the transactor is the actual cardholder. Select the Enable 3D Secure 2.0 checkbox to enable 3D Secure 2.0.

See Zuora's implementation of 3D Secure 2.0 for more information.

Customize Error Messages for Error Codes

You can customize how you want to display the messaging for the following error codes based on the fields that caused the error:

  • Attempt_Exceed_Limitation
    The default message is Attempt exceed the limitation, refresh page to try again.
  • ReCaptcha_Validation_Failed
    The default message is You didn't pass CAPTCHA validation, please try again.
  • Submit_Too_Quick
    The default message is Too many failed submission. Please wait for a while and try again.

For more information, see Error Handling for Payment Pages 2.0.