Skip to main content

How do I set up a PCI-compliant page to accept new payment methods?


How do I set up a PCI-compliant page to accept new payment methods?


If your company sells products online via an ecommerce site, you may need a way for your customers to securely submit their payment method information during the checkout process. Just like the order (subscription) details, the payment method data also gets submitted to Zuora where it is securely stored and used to process recurring payments.

Zuora supports both electronic payment methods (examples of these are credit cards, bank transfer, or PayPal) and external payment methods (check or cash). Accepting credit card payment methods online requires you (as the merchant) to achieve and maintain a level of security that meets the requirements of the Payment Card Industry (PCI Compliance). PCI Data Security Standard (PCI DSS) is a set of requirements to ensure companies that process, store, or transmit credit card information maintain a secure environment.  See PCI SSC Data Security Standards Overview for more information on PCI Compliance.

This article provides information on how you can use Zuora's Z-Payments Page to accept new payment methods. The Z-Payments Page is a premium offering available today in controlled release that allows you to capture payment methods for new or existing customers in a fully secure and PCI Compliant manner. Zuora is PCI DSS compliant, as well as SAS 70, Safe Harbor compliant and we are on MasterCard and Visa Card's list of approved providers.


One solution is a Zuora Z-Payments Page – a fully customizable hosted payments page that allows merchants to collect payment methods without worrying about PCI compliance. The Z-Payments Page, hosted by Zuora, can be presented in an iframe that you drop into your website to collect and transmit your customers' cardholder information safely and securely to Zuora's PCI Compliant servers.  

Since the iFrame is hosted at Zuora, the cardholder data does NOT pass through your environment. This gives you the ability to minimize the scope of your PCI control requirements.

Zuora protects all your sensitive customer data at the highest level of compliance, from the moment it accepts the card data to when it stores it and uses it to process recurring payments. In addition to leveraging Zuora's Hosted Payment Pages on your website using a standard HTML iframe, you can also invoke Zuora's Z-Payments Page from inside a Visualforce page again gaining access to Zuora's PCI compliance and security. Now your customer service representatives can collect credit card information over the phone as long as they are trained to properly handle card information (such as not writing the credit card information down anywhere), the solution remains PCI Compliant.

If you do not use Zuora's Z-Payments Page, you can still use Zuora to store the credit cards you collect through your own screens, but unless you have obtained your own PCI Compliance Certificate for your servers (these are servers presenting the card collection screens), your customer facing solution is not considered PCI-compliant.