For tighter security around Payment Pages 2.0, Zuora supports additional security checks.
To configure advanced security checks for Payment Pages 2.0, you must complete the tasks in the following checklist to set up the Payment Page:
- Generate a new signature for each Payment Page and Direct POST render.
- Generate a new signature in your callback page if you want to re-render a Payment Page in the Inline Button Outside mode when a previous submission fails. Your callback page will usually try to re-render the page when a submission fails.
- If you implement Payment Pages 2.0 via Direct POST, generate a new signature for each Direct POST request that is sent to Zuora.
- Customize the error messages for the
See Error Handling for Payment Pages 2.0 for more information.
- If the CAPTCHA challenge feature is enabled, ensure that the elements surrounding the hosted page support changes in the HPM iFrame width and height.
- Ensure that you use the 1.3.0 or later version of
Of the advanced security checks, the Inline Button Outside mode supports only Three Domain Secure (3D Secure) on Payment Pages 2.0. If you use this mode, you cannot limit the number of Payment Page submissions before the CAPTCHA challenge or limit the number of Payment Page submissions before Disabled Submit.
Secure your Payment Pages 2.0
To help reduce and manage your risk from potential credit card fraud, Zuora strongly recommends that you enable the CAPTCHA Challenge feature and configure the proper rate limiting for your Payment Pages.
Configure Rate Limiting
Zuora provides several tenant-level rate limiting settings to help you manage fraud and malicious use of Payment Pages. See Rate limiting configuration for more information.
- If you use HPM iFrame integration:
  Ensure that you have CAPTCHA enabled for any Payment Page you have configured to accept credit cards. Recommended values are:
  - Enable Captcha: Selected.
  - Limit the number of submission before CAPTCHA Challenge: 0
  - Limit the number of submission before blocking Submission: 3. You can adjust this to your requirements and risk tolerance, but we recommend that you keep it low.
  For more information about these settings, see the Understand Advanced Security Checks section below.
- If you use HPM Direct POST integration:
  Ensure that you have implemented your own CAPTCHA and rate limiting for any Payment Pages you have created that accept credit cards. We also recommend:
  - Enforce CAPTCHA or other bot/fraud detection prior to the first submission.
  - Limit the rate of submissions from individual submission sources. For example, allow no more than 3 submissions per minute from a single source.
  See Best practices for Direct POST for more information.
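The Direct POST recommendations above (CAPTCHA before the first submission, and no more than 3 submissions per minute from one source) can be enforced on your own server before a request is forwarded to Zuora. The following is an added example, not Zuora's code or part of the Payment Pages product: a per-source sliding-window gate. The `SubmissionGate` class, the source key (here a client IP) and the `captcha_passed` flag are assumptions; how you verify the CAPTCHA and which identifier you use as the source are up to your integration.

```python
"""Added example (not Zuora's code): a per-source sliding-window submission gate
for a Direct POST integration. Source identifiers, timestamps and the CAPTCHA
result are supplied by the caller; all values below are constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple


@dataclass
class SubmissionGate:
    # Recommended on this page: no more than 3 submissions per minute per source.
    max_per_window: int = 3
    window_seconds: float = 60.0
    # Recommended on this page: require CAPTCHA (or equivalent) before the first submission.
    require_captcha: bool = True
    # Per-source timestamps of the submissions still inside the sliding window.
    _history: Dict[str, Deque[float]] = field(default_factory=dict)

    def check(self, source: str, now: float, captcha_passed: bool) -> Tuple[bool, str]:
        """Decide whether one submission from `source` at time `now` may be
        forwarded to Zuora. Returns (allowed, reason)."""
        if self.require_captcha and not captcha_passed:
            # Bot/fraud detection happens before the first submission is accepted.
            return False, "captcha_required"
        window = self._history.setdefault(source, deque())
        # Drop timestamps that have aged out of the window.
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_per_window:
            # Fourth (and later) submission within the window from this source.
            return False, "rate_limited"
        window.append(now)
        return True, "ok"


def run_constructed_sequence() -> list:
    """Constructed scenario: one source submits four times in 30 seconds, a second
    source submits once, then the first source returns after the window elapsed."""
    gate = SubmissionGate()
    events = [
        ("203.0.113.5", 0.0, False),   # no CAPTCHA yet
        ("203.0.113.5", 0.0, True),
        ("203.0.113.5", 10.0, True),
        ("203.0.113.5", 20.0, True),
        ("203.0.113.5", 30.0, True),   # 4th inside 60 s -> limited
        ("198.51.100.7", 30.0, True),  # different source, independent budget
        ("203.0.113.5", 60.0, True),   # first timestamp aged out -> allowed again
    ]
    return [gate.check(src, t, ok)[1] for src, t, ok in events]


if __name__ == "__main__":
    for outcome in run_constructed_sequence():
        print(outcome)
```

The gate runs on the client side of the "client (your website) to Zuora server" hop named in the table below, so the 3-per-window budget is counted per submitter rather than per page; a rejected request is never forwarded, which is what keeps the gateway from seeing the excess attempts.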
The following table summarizes the recommended configuration for Zuora's CAPTCHA settings for iFrame and Direct POST respectively:
| Security setting for a new Payment Page | Payment Pages implemented via iFrame | Payment Pages implemented via Direct POST |
|---|---|---|
| Limit the number of submission before CAPTCHA Challenge | 0 | N/A |
| Limit the number of submission before blocking Submission | 3 | 3 (client, that is, your website, to Zuora server) |
Understand Advanced Security Checks
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a type of challenge-response test used in computing to determine whether or not the user is human. The CAPTCHA challenge protects you against potential automated abuse of Payment Page submissions. The Enable Captcha check box enables the CAPTCHA Challenge feature.
Limit the Number of Payment Page Submissions before CAPTCHA Challenge
End users are not challenged until they have submitted incorrect information on a Payment Page as many times as the value of the Limit the number of submission before CAPTCHA Challenge field. Once they reach this threshold, the CAPTCHA challenge page is displayed on every subsequent submission attempt, and they must pass the CAPTCHA challenge for each further Payment Page submission.
The CAPTCHA challenge page continues to be displayed even after the number of failed Payment Page submissions exceeds the value of the Limit the number of submission before blocking Submission field, which slows down the frequency of potential attacks.
Limit the Number of Payment Page Submissions before Disabled Submit
You can enable the Disabled Submit feature by setting a positive integer in the Limit the number of submission before blocking Submission field in the Zuora UI. With this feature enabled:
- The Payment Pages will only be generated once with one generated signature. See Prevent Multiple Renderings with One Signature for more information.
- When end users hit this threshold by repeatedly submitting incorrect information on the Payment Page, they see an error message and are blocked from all further Payment Page submissions. See Limit on Number of Payment Page Submissions for more information.
When the value of the Limit the number of submission before blocking Submission field is exceeded, the Submit button is not disabled. However, subsequent requests are not sent to the gateway even if end users click Submit. Zuora responds directly with an error message and error code to inform end users that they have tried too many times. When the submission threshold is reached, you need to regenerate a signature and provide end customers with a way to re-render the page. You can also customize the error message of the Attempt_Exceed_Limitation error code.
The value of the Limit the number of submission before blocking Submission field must be greater than the value of the Limit the number of submission before CAPTCHA Challenge field. Both thresholds must be equal to or greater than 0.
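The two thresholds described above interact in a specific order: the challenge applies from the CAPTCHA limit onward, the block applies from the blocking limit onward, the challenge is still shown once blocked, and nothing reaches the gateway after the block. The following is an added worked model of that behaviour for one rendered page (one signature); it is not Zuora's code and does not reproduce Zuora's internals. The `PageSession` class, the `validate_thresholds` helper and the outcome strings other than the `Attempt_Exceed_Limitation` error code are assumptions, as is the choice not to count a failed CAPTCHA as a failed submission.

```python
"""Added example (not Zuora's code): a server-side model of the CAPTCHA and
Disabled Submit thresholds for a single Payment Page rendering. Useful for
reasoning about which limit values you want before changing them in the UI."""
from dataclasses import dataclass

# Recommended values from this page for an iFrame integration.
CAPTCHA_LIMIT = 0   # challenge on every submission, starting with the first
BLOCK_LIMIT = 3     # block all further submissions after three failures


def validate_thresholds(captcha_limit: int, block_limit: int) -> None:
    """The documented constraints: both values >= 0, and block > CAPTCHA."""
    if captcha_limit < 0 or block_limit < 0:
        raise ValueError("both thresholds must be equal to or greater than 0")
    if block_limit <= captcha_limit:
        raise ValueError("blocking limit must be greater than the CAPTCHA limit")


@dataclass
class PageSession:
    """State for one rendered Payment Page, i.e. one generated signature.
    A blocked session is not reset here: the page says a new signature must be
    generated and the page re-rendered, which would be a fresh PageSession."""
    captcha_limit: int = CAPTCHA_LIMIT
    block_limit: int = BLOCK_LIMIT
    failures: int = 0        # failed submissions so far on this rendering
    gateway_calls: int = 0   # how many submissions were actually forwarded

    def __post_init__(self) -> None:
        validate_thresholds(self.captcha_limit, self.block_limit)

    def submit(self, captcha_passed: bool, gateway_accepts: bool) -> str:
        """Process one Submit click. `gateway_accepts` stands in for the
        gateway's answer (constructed). Returns one of: 'captcha_required',
        'Attempt_Exceed_Limitation', 'declined', 'accepted'."""
        # Once the CAPTCHA threshold is reached, every attempt is challenged,
        # including attempts made after the session is already blocked.
        if self.failures >= self.captcha_limit and not captcha_passed:
            return "captcha_required"
        # Past the blocking threshold nothing is forwarded to the gateway; the
        # response is the Attempt_Exceed_Limitation error named on this page.
        if self.failures >= self.block_limit:
            return "Attempt_Exceed_Limitation"
        self.gateway_calls += 1
        if gateway_accepts:
            return "accepted"
        self.failures += 1
        return "declined"


def run_constructed_scenario() -> list:
    """CAPTCHA limit 1, block limit 3: one free attempt, then challenges,
    then a block that persists even for an otherwise valid card."""
    session = PageSession(captcha_limit=1, block_limit=3)
    attempts = [
        (False, False),  # below CAPTCHA limit: forwarded, declined (1 failure)
        (False, False),  # now challenged; no CAPTCHA -> not forwarded
        (True, False),   # challenged and passed: forwarded, declined (2)
        (True, False),   # forwarded, declined (3) -> block threshold reached
        (True, True),    # would be accepted, but blocked; gateway not called
        (False, True),   # challenge still shown while blocked
    ]
    return [session.submit(c, g) for c, g in attempts] + [str(session.gateway_calls)]


if __name__ == "__main__":
    print(run_constructed_scenario())
```

With the recommended values (CAPTCHA limit 0, block limit 3) the first attempt is already challenged, which is why the page pairs the 0 with an iFrame integration that renders the challenge for you; Direct POST integrations must supply their own challenge before the first submission instead.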
Enable 3D Secure
This feature is in Controlled Release. Submit a request at Zuora Global Support to get this feature enabled for your tenant.
With this feature, Zuora will perform the 3D Secure check for Visa, MasterCard, and American Express credit cards.
To use the 3D Secure feature, you must select the Verify new credit card check box on the corresponding payment gateway configuration page. Otherwise, 3D Secure will not be performed even if you enable the 3D Secure feature.
For more information, see 3D Secure for Payment Pages 2.0.
Enable 3D Secure 2.0
This feature is in Limited Availability. If you want to have access to the feature, submit a request at Zuora Global Support.
Zuora supports 3D Secure 2.0 for Payment Pages 2.0. 3D Secure 2.0 (3DS2) is a strong customer authentication (SCA) solution that requires you to send additional data with each transaction so that the bank can verify that the person transacting is the actual cardholder. Select the Enable 3D Secure 2.0 check box to enable 3D Secure 2.0.
See Zuora's implementation of 3D Secure 2.0 for more information.
Customize Error Messages for Error Codes
You can customize how you want to display the messaging for the following error codes based on the fields that caused the error:
The default message is
Attempt exceed the limitation, refresh page to try again.
The default message is
You didn't pass CAPTCHA validation, please try again.
The default message is
Too many failed submission. Please wait for a while and try again.
For more information, see Error Handling for Payment Pages 2.0.