Configure Advanced Security Checks for Payment Pages 2.0

For tighter security around Payment Pages 2.0, Zuora supports additional security checks. To configure advanced security checks, you must complete the tasks in a checklist and then enable the checks.

Understand Advanced Security Checks for Payment Pages 2.0

By default, the advanced security checks mentioned in this section are disabled. 

Go Through a Checklist

To configure advanced security checks for Payment Pages 2.0, you must complete the tasks in the following checklist to set up the Payment Page, and contact Zuora Global Support to enable the setting or adjust the limits.

  1. Generate a new signature for each Payment Page and Direct POST render. 
    • Generate a new signature in your callback page if you want to re-render a Payment Page in the Inline Button Outside mode when a previous submission fails. Your callback page usually tries to re-render the page when a submission fails.
    • If you implement Payment Pages 2.0 via Direct POST, generate a new signature for each Direct POST request that is sent to Zuora.
  2. Customize the error messages for the Attempt_Exceed_Limitation, ReCaptcha_Validation_Failed, and Submit_Too_Quick error codes. 
    See Error Handling for Payment Pages 2.0 for more information.
  3. If the CAPTCHA challenge feature is enabled, ensure that the elements surrounding the hosted page support changes in the HPM iframe width and height.
  4. Ensure that you use the 1.3.0 or later version of zuora.js.

The Inline Button Outside mode only supports Three Domain Secure (3D Secure) on Payment Pages 2.0. If you are using this mode, you cannot limit the number of Payment Page submissions before CAPTCHA challenge or limit the number of Payment Page submissions before Disabled Submit for security checks.

Limit the Number of Payment Page Submissions before CAPTCHA Challenge

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a type of challenge-response test used in computing to determine whether or not the user is human. The CAPTCHA challenge protects you against potential automated abuse of Payment Page submissions. 

A new tenant-level limit on the maximum number of Payment Page submissions is implemented in the CAPTCHA Challenge feature. To enable this feature, you need to set a positive integer for both the Limit the number of submission before CAPTCHA Challenge field and the Limit the number of submission before blocking Submission field on the Zuora UI.

End users are not challenged until the number of times they submit incorrect information on Payment Pages reaches the value of the Limit the number of submission before CAPTCHA Challenge field. After they hit this threshold, the CAPTCHA challenge page is displayed on every submission attempt, and they must pass the CAPTCHA challenge for every further Payment Page submission.

To slow down the frequency of potential attacks, the CAPTCHA challenge page is still displayed even after the number of Payment Page submission failures exceeds the value of the Limit the number of submission before blocking Submission field.

To use the CAPTCHA Challenge feature, you must use the following endpoints:

Limit the Number of Payment Page Submissions before Disabled Submit

A new tenant-level limit on the maximum number of Payment Page submissions is implemented in the Disabled Submit feature.

You can enable this feature by setting a positive integer for the Limit the number of submission before blocking Submission field on the Zuora UI. With this feature enabled: 

When the value of the Limit the number of submission before blocking Submission field is exceeded, the Submit button is not disabled. However, subsequent requests are not sent to the gateway even if end users click Submit. Instead, Zuora directly responds with an error message and error code to inform end users that they have tried too many times. When the submission threshold is reached, you need to regenerate a signature and provide the end customers with a way to re-render the page. You can also customize the error message of the Attempt_Exceed_Limitation error code.

The value of the Limit the number of submission before blocking Submission field must be greater than the value of the Limit the number of submission before CAPTCHA Challenge field. The value of both these thresholds must be equal to or greater than 0. The value 0 indicates that this function is disabled.
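The threshold rules above, modelled as an added example (not Zuora code and not part of zuora.js): it validates a pair of limits and reports how the next submission would be treated. The function and field names are hypothetical, 15 and 30 are the defaults this page gives for new payment pages, and the model assumes that a limit of N lets N failed submissions through before it applies.

```javascript
// Added example: models the two submission thresholds described on this page.
// All names here are hypothetical; none of them come from zuora.js.

// Check a pair of limits against the rules stated above.
// Returns a list of problems; an empty list means the pair is acceptable.
function validateLimits({ captchaLimit, blockLimit, inlineButtonOutside = false }) {
  const problems = [];
  for (const [name, v] of [['captchaLimit', captchaLimit], ['blockLimit', blockLimit]]) {
    if (!Number.isInteger(v) || v < 0) problems.push(`${name} must be an integer >= 0`);
  }
  if (problems.length) return problems;

  const anyEnabled = captchaLimit > 0 || blockLimit > 0;
  // 0/0 (the default for existing payment pages) disables both checks.
  if (anyEnabled && blockLimit <= captchaLimit) {
    problems.push('blockLimit must be greater than captchaLimit');
  }
  // The page states these limits cannot be used in Inline Button Outside mode.
  if (anyEnabled && inlineButtonOutside) {
    problems.push('Inline Button Outside mode does not support submission limits');
  }
  return problems;
}

// Decide how the next submission is treated after `priorFailures` failed
// submissions on the same rendered page.
// Assumption: a limit of N lets N failed submissions through before it applies.
function nextSubmission(priorFailures, { captchaLimit, blockLimit }) {
  const captcha = captchaLimit > 0 && priorFailures >= captchaLimit;
  const blocked = blockLimit > 0 && priorFailures >= blockLimit;
  return {
    captcha,                    // the challenge is still shown once blocked
    sentToGateway: !blocked,    // assumes any CAPTCHA shown is passed
    errorCode: blocked ? 'Attempt_Exceed_Limitation' : null,
    needsNewSignature: blocked, // merchant must re-sign and re-render the page
  };
}

// Defaults for new payment pages, as given in this page's configuration steps.
const NEW_PAGE_DEFAULTS = { captchaLimit: 15, blockLimit: 30 };
```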

Contact Zuora Global Support if you want to enable or modify the page level threshold for submitting Payment Pages.

Enable 3D Secure

This feature is in Controlled Release. Submit a request at Zuora Global Support to get this feature enabled for your tenant.

Zuora now supports Three Domain Secure (3D Secure) for Payment Pages 2.0 to ensure enhanced security and strong authentication for consumers.

With this feature, Zuora will perform the 3D Secure check for Visa, MasterCard, and American Express credit cards. Currently, this feature is only available for the Ingenico ePayment payment gateway.

To use the 3D Secure feature, you must select the Verify new credit card check box on the corresponding payment gateway configuration page. Otherwise, 3D Secure will not be performed even if you enable the 3D Secure feature.

For more information, see 3D Secure for Payment Pages 2.0.

Customize Error Messages for Error Codes

You can customize how you want to display the messaging for the following error codes based on the fields that caused the error:

  • Attempt_Exceed_Limitation
    The default message is Attempt exceed the limitation, refresh page to try again.
  • ReCaptcha_Validation_Failed
    The default message is You didn't pass CAPTCHA validation, please try again.
  • Submit_Too_Quick
    The default message is Too many failed submission. Please wait for a while and try again.

For more information, see Error Handling for Payment Pages 2.0.

Enable Advanced Security Checks

When you configure a Payment Page for a specific payment type in the Zuora UI, you can enable the advanced security checks in the Security Information area.

  1. Enter the Payment Pages 2.0 configuration page.
  2. In the Security Information section, configure the following security information:
    • In the Limit the number of submission before CAPTCHA Challenge field, enter a threshold for the number of Payment Page submissions before the CAPTCHA challenge page is displayed on the HPM iframe. End users must pass the CAPTCHA challenge for every further Payment Page submission.
      The default value is 0 for existing payment pages and 15 for new payment pages. The value 0 indicates that this function is disabled. By default, this function is disabled for existing payment pages.
    • In the Limit the number of submission before blocking Submission field, enter a threshold for the number of Payment Page submissions before Zuora blocks all subsequent requests. 
      The default value is 0 for existing payment pages and 30 for new payment pages. The value 0 indicates that this function is disabled. By default, this function is disabled for existing payment pages.
    • If you want to perform the 3D Secure check for transactions, select the Enable 3D Secure check box.
      By default, this check box is cleared. Note that you must select the Verify new credit card check box on the corresponding payment gateway configuration page. Otherwise, 3D Secure will not be performed even if you enable the 3D Secure feature.
  3. Click generate and save page to save the configurations.

If any of the preceding thresholds is greater than 0, when you save the configurations, a dialog is displayed to prompt you to go through a checklist. If you have gone through the checklist, click OK.
