
Bypassing Payment Gateway Authorization



When using the Zuora API to create a payment method (for example, a credit card payment method), you can bypass the authorization settings that you configured when setting up payment gateways.

Using SkipValidation

Use SkipValidation=True to create a payment method object without triggering an authorization call from Zuora to the payment gateway, even if the Verify new credit card and Verify updated credit card settings are configured in Zuora. You can include the field SkipValidation=True in a create() call, and the address passed in the Zuora API call will not be validated.

The feature also skips the CyberSource "Export Compliance" validation, because the Zuora API call will not be sent to CyberSource for authorization.

Address Verification and Payment Gateways

Zuora does not require that you pass the address during a Zuora API call to create a payment object. 

When a payment object is created, even if users do not have the ability to pass the address, Zuora obtains the address from its database if the information was passed during payment method creation. Zuora will pass address information that you provide in the payment method to the payment gateway.

Whether or not this information is used while processing a payment depends on how you have configured the gateway settings, both at the gateway end (using their portal), and in Zuora's gateway configurations for your tenant.

If you do not want the payment gateway to use the Address Verification System (AVS) in processing the authorization or sale call, please use the portal or user interface provided to you by your gateway (not Zuora) to configure the gateway to turn off AVS checking.

Potential Security Issues

Zuora recommends that you validate all payment information. Skipping the validation can have the following negative consequences:

  • The gateway will not authenticate the card for the authorization amount.
  • The gateway will not check the CVV code passed in the call.
  • The gateway will not check AVS.
  • The gateway will not check other custom information that we pass (for example, Export Compliance for CyberSource).
  • You will be saving a payment method without confirming that it is valid, which can later result in failed payments. This increases the risk of fraud. 

Not checking some of this information can have a serious impact on the merchant. For example, Export Compliance checks to ensure that the merchant does not sell to blacklisted buyers.
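
An added example, not Zuora code: a small audit that an integration team could run over its own logged payment method create payloads to find calls that set SkipValidation=True and list the gateway checks described above as skipped. The record layout (id, caller, gateway) and the approved-caller list are assumptions; only the SkipValidation field name comes from this page.

```python
# Added example: audit constructed payment-method create payloads for SkipValidation.
# The record fields "id", "caller" and "gateway" are hypothetical; only the
# SkipValidation field name is taken from the page.

# Gateway checks the page lists as not performed when validation is skipped.
SKIPPED_CHECKS = ["authorization", "CVV", "AVS"]
CYBERSOURCE_EXTRA = "Export Compliance"


def skip_validation_set(payload):
    """Return True if the payload asks to skip validation, tolerating
    case differences in the key and bool or string values."""
    for key, value in payload.items():
        if key.lower() == "skipvalidation":
            if isinstance(value, bool):
                return value
            return str(value).strip().lower() == "true"
    return False


def audit(payloads, approved_callers=frozenset()):
    """Return one finding per create payload that bypasses gateway checks
    and does not come from an explicitly approved caller (an assumed policy)."""
    findings = []
    for p in payloads:
        if not skip_validation_set(p):
            continue
        caller = p.get("caller", "unknown")
        if caller in approved_callers:
            continue
        skipped = list(SKIPPED_CHECKS)
        # Export Compliance is the CyberSource-specific check named on the page.
        if "cybersource" in str(p.get("gateway", "")).lower():
            skipped.append(CYBERSOURCE_EXTRA)
        findings.append({"id": p.get("id"), "caller": caller, "skipped": skipped})
    return findings


# Constructed sample records, not real Zuora requests.
SAMPLE = [
    {"id": "req-1", "caller": "checkout", "gateway": "CyberSource", "SkipValidation": "True"},
    {"id": "req-2", "caller": "checkout", "gateway": "CyberSource"},
    {"id": "req-3", "caller": "batch-import", "gateway": "TestGateway", "skipvalidation": True},
    {"id": "req-4", "caller": "checkout", "gateway": "TestGateway", "SkipValidation": "false"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, approved_callers={"batch-import"}):
        print(finding)
```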