Configure Advanced Security Checks for Payment Pages 2.0

For tighter security around Payment Pages 2.0, Zuora supports additional security checks. To configure advanced security checks, you must complete the tasks in a checklist and then enable the checks.

Understand Advanced Security Checks for Payment Pages 2.0

By default, the advanced security checks described in this section are disabled.

Go Through a Checklist

To configure advanced security checks for Payment Pages 2.0, you must complete the tasks in the following checklist to set up the Payment Page, and then contact Zuora Global Support to enable the setting or adjust the limits.

  1. Generate a new signature for each Payment Page and Direct POST render. You must regenerate the signature whenever you re-render a Payment Page in callback mode, such as in the Inline Button Outside mode.
  2. Generate a new signature in your callback code before re-rendering a Payment Page after a previous submission fails.
  3. If you implement Payment Pages 2.0 via Direct POST, generate a new signature for each Direct POST request that is sent to Zuora.
  4. Customize the error messages for the Attempt_Exceed_Limitation, ReCaptcha_Validation_Failed, and Submit_Too_Quick error codes. See Error Handling for Payment Pages 2.0 for more information.
  5. If the CAPTCHA challenge feature is enabled, ensure that the elements surrounding the hosted page support changes in the HPM iframe width and height.

Limit the Number of Payment Page Submissions before CAPTCHA Challenge

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a type of challenge-response test used in computing to determine whether or not the user is human. The CAPTCHA challenge protects you against automated abuse of Payment Page submissions.

A new tenant-level limit on the maximum number of Payment Page submissions is implemented in the CAPTCHA Challenge feature. Through the Zuora UI, you can set a value for the Display CAPTCHA Threshold field. When end users hit this threshold by repeatedly submitting incorrect information on the Payment Page, they see the CAPTCHA challenge page, and they must pass the CAPTCHA challenge for every further Payment Page submission.

To slow down the frequency of potential attacks, the CAPTCHA challenge page continues to be displayed even after the number of Payment Page submission failures exceeds the value of the Disabled Submit Threshold field.

Limit the Number of Payment Page Submissions before Disabled Submit

A new tenant-level limit on the maximum number of Payment Page submissions is implemented in the Disabled Submit feature.

Through the Zuora UI, you can set a value for the Disabled Submit Threshold field. When end users hit this threshold by repeatedly submitting incorrect information on the Payment Page, they see an error message and are blocked from all further Payment Page submissions.

When the value of the Disabled Submit Threshold field is exceeded, the Submit button is not disabled. However, subsequent requests are not sent to the gateway even if end users click Submit. Zuora directly responds with an error message and error code to inform end users that they have tried too many times. Tenants can also customize the error message of the Attempt_Exceed_Limitation error code.

The value of the Disabled Submit Threshold field must be greater than the value of the Display CAPTCHA Threshold field. Both thresholds must be equal to or greater than 0. The value 0 indicates that the corresponding function is disabled.

Contact Zuora Global Support if you want to increase the tenant-level threshold for submitting Payment Pages.

Customize Error Messages for Error Codes

You can customize the message displayed for each of the following error codes, based on the fields that caused the error:

  • Attempt_Exceed_Limitation
    The default message is Attempt exceed the limitation, refresh page to try again.
  • ReCaptcha_Validation_Failed
    The default message is You didn't pass CAPTCHA validation, please try again.
  • Submit_Too_Quick
    The default message is Too many failed submission. Please wait for a while and try again.

For more information, see Error Handling for Payment Pages 2.0.
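The following is an added example, not Zuora's code, that models the two threshold sections above and the error-message customization in this section as one per-session decision routine: below the Display CAPTCHA Threshold a submission goes to the gateway unchallenged, from that threshold on a CAPTCHA is required for every submission, and from the Disabled Submit Threshold on the request is answered with Attempt_Exceed_Limitation without reaching the gateway while the CAPTCHA page stays visible. Assumptions of the model, not statements from the page: a threshold is "hit" when the failure count reaches it, the ordering rule is enforced only when both thresholds are enabled, every attempt in the simulation is a failed submission, and the names `SubmissionGuard`, `simulateFailures` and `messageFor` are invented here.

```javascript
// Added example (not Zuora code): per-session model of the CAPTCHA and Disabled Submit
// thresholds plus tenant-customizable messages for the three error codes on this page.

// Default messages exactly as listed on the page.
const DEFAULT_MESSAGES = {
  Attempt_Exceed_Limitation: "Attempt exceed the limitation, refresh page to try again.",
  ReCaptcha_Validation_Failed: "You didn't pass CAPTCHA validation, please try again.",
  Submit_Too_Quick: "Too many failed submission. Please wait for a while and try again.",
};

// Resolve the message for an error code, preferring the tenant's override over the default.
function messageFor(errorCode, overrides = {}) {
  return overrides[errorCode] || DEFAULT_MESSAGES[errorCode] || "Unknown error";
}

// Configuration rules from the page: integers >= 0, 0 disables a threshold, and the
// Disabled Submit Threshold must exceed the Display CAPTCHA Threshold (applied here only
// when both are enabled; that narrowing is an assumption).
function validateThresholds(captchaThreshold, disabledThreshold) {
  for (const t of [captchaThreshold, disabledThreshold]) {
    if (!Number.isInteger(t) || t < 0) throw new Error("thresholds must be integers >= 0");
  }
  if (captchaThreshold > 0 && disabledThreshold > 0 && disabledThreshold <= captchaThreshold) {
    throw new Error("Disabled Submit Threshold must be greater than Display CAPTCHA Threshold");
  }
  return true;
}

class SubmissionGuard {
  constructor({ captchaThreshold, disabledThreshold, messages = {} }) {
    validateThresholds(captchaThreshold, disabledThreshold);
    this.captchaThreshold = captchaThreshold;
    this.disabledThreshold = disabledThreshold;
    this.messages = messages;
    this.failures = new Map(); // sessionId -> number of failed submissions so far
  }

  failureCount(sessionId) {
    return this.failures.get(sessionId) || 0;
  }

  // Decide how the next submission from this session is handled.
  evaluate(sessionId, { captchaPassed = false } = {}) {
    const failures = this.failureCount(sessionId);
    const captchaRequired = this.captchaThreshold > 0 && failures >= this.captchaThreshold;
    const blocked = this.disabledThreshold > 0 && failures >= this.disabledThreshold;
    let errorCode = null;
    if (blocked) {
      errorCode = "Attempt_Exceed_Limitation"; // answered directly, never sent to the gateway
    } else if (captchaRequired && !captchaPassed) {
      errorCode = "ReCaptcha_Validation_Failed";
    }
    return {
      forwardToGateway: errorCode === null,
      showCaptcha: captchaRequired, // stays on once blocked, to slow automated retries
      errorCode,
      message: errorCode ? messageFor(errorCode, this.messages) : null,
    };
  }

  recordFailure(sessionId) {
    this.failures.set(sessionId, this.failureCount(sessionId) + 1);
  }
}

// Run one session through `n` consecutive submissions of incorrect information
// (each counts as a failure) and return the decision taken before each attempt.
function simulateFailures(guard, sessionId, n) {
  const timeline = [];
  for (let attempt = 0; attempt < n; attempt++) {
    const decision = guard.evaluate(sessionId, { captchaPassed: true });
    timeline.push({ attempt, failuresBefore: guard.failureCount(sessionId), ...decision });
    guard.recordFailure(sessionId);
  }
  return timeline;
}
```

With the page's defaults for new pages (15 and 30) the same routine yields an unchallenged window of 15 failures, a CAPTCHA-gated window up to 30, and a block thereafter; the test values below use smaller thresholds so the three regions are visible in a short timeline.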

Enable Advanced Security Checks

When you configure a Payment Page for a specific payment type in the Zuora UI, you can enable the advanced security checks in the Security Information area.

  1. Enter the Payment Pages 2.0 configuration page.
  2. In the Security Information section, configure the following security information:
    • In the Display CAPTCHA Threshold field, enter a threshold for the number of Payment Page submissions before the CAPTCHA challenge page is displayed on the HPM iframe. End users must pass the CAPTCHA challenge before submitting every further Payment Page submission.
      The default value is 0 for existing payment pages and 15 for new payment pages. The value 0 indicates that this function is disabled. By default, this function is disabled for existing payment pages.
    • In the Disabled Submit Threshold field, enter a threshold for the number of Payment Page submissions before Zuora blocks all subsequent requests. 
      The default value is 0 for existing payment pages and 30 for new payment pages. The value 0 indicates that this function is disabled. By default, this function is disabled for existing payment pages.
  3. Click generate and save page to save configurations.

If either of the preceding thresholds is greater than 0, a dialog prompts you to go through the checklist when you save the configuration. If you have completed the checklist, click OK.

Last modified
00:44, 2 Aug 2017