Security measures for Payment Form
To help reduce and manage your risks from potential testing fraud, Zuora provides the following security measures for Payment Form:
- Rate limiting
  - IP-based submission rate limiting
  - Card-based submission rate limiting
  - Tenant-based submission rate limiting
- 3D Secure
IP-based submission rate limiting
The IP-based submission rate limiting feature is a tenant-level security measure. It limits the number of times a payment form can be submitted from the same IP address within a time range.
This feature is enabled by default for your payment form. To access and configure this feature, complete the following steps:
- Navigate to Settings > Payments > Payment Form.
- On the Payment Forms page, click Security Preferences in the upper right.
- In the Security Preferences dialog, configure the following settings for your needs:
  - Submission limit per minute: The number of times a payment form can be submitted per minute from the same IP.
  - Submission limit per hour: The number of times a payment form can be submitted per hour from the same IP.
  - IP Whitelist: The whitelisted IP ranges that are not subject to the IP-based submission rate limiting configuration. You can specify a maximum of 50 IPv4 address ranges or 20 IPv6 address ranges.
For scenarios such as call center agents, it is recommended to include approved IP addresses in the IP whitelist, instead of increasing the rate limiting values, to avoid any disruptions to legitimate service.
If the number of submissions exceeds the thresholds, an error occurs. No more submissions are accepted from the same IP until the beginning of the next time period.
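To make the behaviour above concrete, here is an added illustration (not Zuora's code) of a fixed-window limiter with per-minute and per-hour thresholds, whitelisted ranges that bypass the check, and the page's whitelist size limits; the thresholds, addresses and timestamps in `demo()` are constructed for the example.

```python
import ipaddress
from collections import defaultdict


class SubmissionRateLimiter:
    """Fixed-window limiter keyed by source IP (added example, not Zuora's)."""

    def __init__(self, per_minute, per_hour, whitelist=()):
        self.limits = {60: per_minute, 3600: per_hour}  # window seconds -> limit
        self.whitelist = [ipaddress.ip_network(r) for r in whitelist]
        # Page rule: at most 50 IPv4 ranges or 20 IPv6 ranges in the whitelist.
        if sum(n.version == 4 for n in self.whitelist) > 50:
            raise ValueError("more than 50 IPv4 ranges")
        if sum(n.version == 6 for n in self.whitelist) > 20:
            raise ValueError("more than 20 IPv6 ranges")
        # counts[(window_seconds, window_index)][ip] -> accepted submissions
        self.counts = defaultdict(lambda: defaultdict(int))

    def _is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def submit(self, ip, now):
        """Return True if a submission from `ip` at epoch time `now` is accepted.

        Once either window's threshold is reached, every further attempt from
        that IP is refused until the next minute or hour window begins.
        """
        if self._is_whitelisted(ip):
            return True
        windows = [(w, int(now // w)) for w in self.limits]
        if any(self.counts[key][ip] >= self.limits[key[0]] for key in windows):
            return False
        for key in windows:
            self.counts[key][ip] += 1
        return True


def demo():
    # Constructed thresholds: 3 per minute, 5 per hour; two whitelisted ranges.
    rl = SubmissionRateLimiter(3, 5, whitelist=["10.0.0.0/8", "2001:db8::/32"])
    ip = "203.0.113.7"  # constructed documentation address
    first_minute = [rl.submit(ip, t) for t in (0, 10, 20, 30)]   # 4th hits the minute cap
    second_minute = [rl.submit(ip, t) for t in (60, 61, 62)]     # 3rd hits the hour cap
    whitelisted = rl.submit("10.5.5.5", 62) and rl.submit("2001:db8::1", 62)
    next_hour = rl.submit(ip, 3600)                              # new hour window
    return first_minute, second_minute, whitelisted, next_hour
```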
Card-based submission rate limiting
The card-based submission rate limiting feature is a tenant-level security measure. It limits the number of times a payment form can be submitted for the same card within a time range.
The card-based submission rate limiting feature is enabled by default in all production environments and cannot be disabled. This feature is pre-configured by Zuora with a group of thresholds, including the number of attempts allowed within a minute, within an hour, and within a day. This feature is not available for self-configuration. For more information about this feature, submit a request at Zuora Global Support.
If the number of submissions exceeds the thresholds, an error occurs. No more submissions are accepted from the same card until the beginning of the next time period.
For tests in production environments, it is recommended to use multiple cards or increase the time interval between submissions.
This feature is only supported in production environments. It cannot be enabled in any API Sandbox or Central Sandbox environments.
Tenant-based submission rate limiting
The tenant-based submission rate limiting feature is a tenant-level security measure. It limits the number of times a payment form can be submitted from the same tenant.
This feature is enabled in all production environments by default. With this feature enabled, the maximum number of attempts to submit a payment form from the same tenant is configured by Zuora with a group of thresholds based on the normal peak traffic value of a tenant, including the number of attempts allowed within a minute, within an hour, and within a day. This feature is not available for self-configuration. For more information about this feature, submit a request at Zuora Global Support.
If the number of submissions exceeds the thresholds, an error occurs. No more submissions are accepted from the same tenant until the beginning of the next time period.
If you plan or expect any activities with high-volume traffic, submit a request at Zuora Global Support before the activity. Zuora will evaluate your request and increase the thresholds for your tenant.
Support for 3D Secure
3D Secure is the abbreviation for Three Domain Secure, the payment industry's Internet authentication standard. 3D Secure requires end users to complete an additional verification step when making a payment. To provide enhanced security, 3D Secure 2.0 is supported and automatically enabled for Credit Card payment methods in Payment Form. See Payment Form overview for more information.