
Security measures for the Payment Form

Zuora offers security measures for the Payment Form to mitigate risks from potential testing fraud, including rate limiting and 3D Secure.

To help reduce and manage your risks from potential testing fraud, Zuora provides the following security measures for the Payment Form:

  • Rate limiting

    • IP-based submission rate limiting

    • Card-based submission rate limiting

    • Tenant-based submission rate limiting

  • 3D Secure

Card-based submission rate limiting

The card-based submission rate limiting feature is a tenant-level security measure. It limits the number of times a payment form can be submitted for the same card within a time range.

The card-based submission rate limiting feature is enabled by default in all production environments and cannot be disabled. Zuora pre-configures this feature with a group of thresholds: the number of attempts allowed within a minute, within an hour, and within a day. This feature is not available for self-configuration. For more information about this feature, submit a request at Zuora Global Support.

If the number of submissions exceeds the thresholds, an error occurs. No more submissions are accepted from the same card until the beginning of the next time period.

For tests in production environments, it is recommended to use multiple cards or increase the time interval between submissions.

This feature is only supported in production environments. It cannot be enabled in any API Sandbox or Central Sandbox environments.

Tenant-based submission rate limiting

The tenant-based submission rate limiting feature is a tenant-level security measure. It limits the number of times a payment form can be submitted from the same tenant.

This feature is enabled in all production environments by default. With this feature enabled, Zuora configures the maximum number of attempts to submit the payment form from the same tenant as a group of thresholds based on the tenant's normal peak traffic: the number of attempts allowed within a minute, within an hour, and within a day. This feature is not available for self-configuration. For more information about this feature, submit a request at Zuora Global Support.

If the number of submissions exceeds the thresholds, an error occurs. No more submissions are accepted from the same tenant until the beginning of the next time period.

If you plan or expect any activities with high-volume traffic, submit a request at Zuora Global Support before the activity. Zuora will evaluate your request and increase the thresholds for your tenant.
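The behavior described in the card-based and tenant-based sections above can be modeled as a fixed-window counter with one counter per minute, hour, and day. The following is an added example, not Zuora's code: the thresholds, the `card_key` helper, the clock-aligned periods, and the choice to count only accepted submissions are all assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# The three periods the page names, in seconds.
WINDOWS = {"minute": 60, "hour": 3600, "day": 86400}

def card_key(pan, secret):
    """Keyed hash of the card number, so the limiter never stores the raw PAN."""
    return hmac.new(secret, pan.encode(), hashlib.sha256).hexdigest()

class FixedWindowLimiter:
    """One counter per (key, period); a counter starts from zero in each new period."""

    def __init__(self, thresholds):
        # Constructed thresholds such as {"minute": 2, "hour": 3, "day": 4};
        # the page does not publish Zuora's values.
        self.thresholds = thresholds
        self.counts = defaultdict(int)  # (key, period, bucket index) -> accepted count

    def submit(self, key, now):
        """Return (accepted, retry_at); retry_at is the epoch second at which the
        longest exhausted period rolls over, or None when accepted."""
        bucket = {p: int(now // WINDOWS[p]) for p in self.thresholds}
        exhausted = [p for p in self.thresholds
                     if self.counts[(key, p, bucket[p])] >= self.thresholds[p]]
        if exhausted:
            return False, max((bucket[p] + 1) * WINDOWS[p] for p in exhausted)
        for p in self.thresholds:  # assumption: only accepted submissions are counted
            self.counts[(key, p, bucket[p])] += 1
        return True, None

def demo():
    """Replay a constructed timeline (seconds) for one card and return the decisions."""
    limiter = FixedWindowLimiter({"minute": 2, "hour": 3, "day": 4})
    key = card_key("4111111111111111", b"constructed-secret")  # test card number
    return [limiter.submit(key, t) for t in (0, 10, 20, 60, 61, 3600, 3700)]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The same class models the tenant-based limit when the key is a tenant identifier instead of a card key.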

Support for 3D Secure

3D Secure is the abbreviation for Three Domain Secure, which is the payment industry’s Internet Authentication Standard. 3D Secure requires end users to complete an additional verification step when making a payment. To ensure enhanced security, 3D Secure 2.0 is supported and auto-enabled for Credit Card payment methods in Payment Form. See Payment Form overview for more information.