Security measures for Payment Pages 2.0

Zuora employs a comprehensive security strategy for Payment Pages 2.0, offering layered security features to protect personal and payment data. This guide outlines shared responsibilities and recommended security measures to enhance protection against unauthorized access and fraud.

Zuora's approach to securing hosted payment pages

Zuora uses a defense-in-depth security strategy for Payment Pages 2.0 (HPM 2.0). Through Zuora’s layered security features, you can tailor security controls based on your specific needs. Zuora is serious about security and works diligently to enhance our security and privacy programs to address new challenges.

Securing your hosted payment pages is a shared responsibility between Zuora and your business. You must ensure that personal data and payment card information (PCI) processed during a transaction are protected against unauthorized access. In addition to implementing your own security program for your website and user accounts, it is strongly recommended that you implement the Payment Pages 2.0 security measures described in the following sections.

This article provides suggestions and guidance on the implementation of the following security measures:

  • Approaches to preventing card testing fraud

  • Your own necessary security infrastructure

  • Zuora’s out-of-box security measures, including:

    • IP-based rate limiting: Limit the number of times a hosted payment page can be submitted from the same IP address within a time range.
    • Card-based rate limiting: Limit the number of times a hosted payment page can be submitted for the same card within a time range.
    • Tenant-level submission rate limiting: Limit the number of attempts to submit payment pages from the same tenant.
    • Support for CAPTCHA challenges: Detect and block requests originating from a bot, while allowing legitimate traffic to pass.
    • HPM Smart Bot Attacking Prevention: The Google reCAPTCHA Enterprise Interactive Test (Checkbox) version can be enabled and configured dynamically when attacks are identified.
    • Token expiration management: When end users reach the threshold by repeatedly submitting incorrect information on the hosted payment page, they see an error message and are blocked from all further hosted payment page submissions.
    • Support for 3D Secure: The Strong Customer Authentication regulation requires the use of 3D Secure for card payments in the United Kingdom and the European Economic Area. 3D Secure requires end users to complete an additional verification step when making a payment.
    • Client-side Payment Page parameter validation: When a request to render or submit a hosted payment page is received, the client parameters in the request are validated by comparing each value in the request with the value specified in the digital signature.
    • Support for Address Verification Service: Pass the address information entered by the end user to the gateway and compare it with the cardholder's billing address on record with the card issuer.
    • Support for email address verification: Pass the email address entered by the end user to the gateway and compare it with the cardholder's email address on record with the card issuer.
    • Zuora Fraud Protection: Zuora integrates with LexisNexis® ThreatMetrix Fraud Protection to provide an opt-in payment fraud protection service.
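The check described by the client-side parameter validation entry above, as an added example that is not Zuora's code: it assumes a hypothetical HMAC-SHA256 signature over a fixed set of parameter names (tenantId, pageId, host, currency) with a shared secret, standing in for Zuora's actual digital signature scheme, which this page does not specify. The point it shows is that any parameter altered in the browser after the page was signed no longer matches the signed value and the request is rejected.

```python
import hashlib
import hmac
import json

# Hypothetical signing secret, constructed for this example only.
SIGNING_SECRET = b"example-signing-secret"
# Hypothetical parameter names covered by the signature.
SIGNED_FIELDS = ("tenantId", "pageId", "host", "currency")


def canonical(params):
    """Serialize only the protected fields, in a fixed order, so signer and verifier hash identical bytes."""
    subset = {k: str(params.get(k, "")) for k in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign_params(secret, params):
    """Produce the hex HMAC-SHA256 the server attaches when it renders the page."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def validate_request(secret, request_params, presented_signature):
    """Recompute the signature over the values actually submitted and compare in constant time.

    Any protected parameter that differs from what was signed changes the digest,
    so a tampered submission fails even though it carries a genuine signature."""
    expected = sign_params(secret, request_params)
    return hmac.compare_digest(expected, presented_signature)


# Constructed parameters the merchant server signed when rendering the page.
ORIGINAL = {"tenantId": "TENANT-EXAMPLE", "pageId": "PAGE-EXAMPLE",
            "host": "shop.example.com", "currency": "USD"}
SIGNATURE = sign_params(SIGNING_SECRET, ORIGINAL)

# Constructed submission where the currency was altered in the browser after signing.
TAMPERED = dict(ORIGINAL, currency="EUR")
```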

Prevent card testing fraud

A card testing attack is when a malicious actor or group attempts to validate stolen card information. Fraudsters usually validate the card information with small payments or authorizations, which are less likely to be noticed by cardholders. These tactics are usually automated, so large numbers of cards can be tested with minimal human involvement. The negative consequences of card testing fraud include the following:

  • Additional transaction charges from payment gateways

  • Damage to a company’s reputation due to security issues and loss experienced by end customers

  • Revenue impact due to suspension or fines from merchant services

  • Potential disablement by the payment providers

  • Payment card fraud and chargebacks

Effective approaches to preventing card testing attacks include the following:

  • Increase the number of required matching security elements, such as address verification, CVV (Card Verification Value), expiration date, etc.

  • Implement security measures such as CAPTCHA challenges for bot attacks.

  • Deploy 3D Secure for additional authentication for regions that support it.

  • Limit checkout attempts.

  • Regularly monitor the transactions to identify card testing fraud.
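The rate limiting entries above (IP-based and card-based) and the advice to monitor transactions for card testing can be put into one detection routine. This is an added example, not Zuora's code or data: it runs a rolling-window counter over constructed submission records (timestamp, source IP, card fingerprint, amount) and flags an IP that submits more cards than allowed, or a card retried more often than allowed, within the window. The card fingerprint stands in for a hashed or tokenized card reference; no card numbers appear.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample submissions: (timestamp, source IP, card fingerprint, amount).
# The first IP cycles through six different cards with tiny amounts in 14 seconds,
# and card-z9 is retried from four different IPs within a few minutes.
SAMPLE_SUBMISSIONS = [
    ("2024-05-01T10:00:00", "203.0.113.10", "card-a1", 1.00),
    ("2024-05-01T10:00:03", "203.0.113.10", "card-b2", 1.00),
    ("2024-05-01T10:00:06", "203.0.113.10", "card-c3", 1.00),
    ("2024-05-01T10:00:09", "203.0.113.10", "card-d4", 1.00),
    ("2024-05-01T10:00:12", "203.0.113.10", "card-e5", 1.00),
    ("2024-05-01T10:00:14", "203.0.113.10", "card-f6", 1.00),
    ("2024-05-01T10:01:00", "198.51.100.7", "card-z9", 49.99),
    ("2024-05-01T10:05:00", "198.51.100.8", "card-z9", 49.99),
    ("2024-05-01T10:05:10", "198.51.100.9", "card-z9", 49.99),
    ("2024-05-01T10:05:20", "198.51.100.10", "card-z9", 49.99),
    ("2024-05-01T10:30:00", "192.0.2.44", "card-q7", 12.00),
]


def rolling_counts(events, key_index, window):
    """Yield (key, submissions by that key inside the trailing window) in time order."""
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    for ts, key in sorted((datetime.fromisoformat(e[0]), e[key_index]) for e in events):
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that have aged out
            q.popleft()
        yield key, len(q)


def detect_card_testing(events, window=timedelta(minutes=5), max_per_ip=5, max_per_card=3):
    """Flag IPs and card fingerprints that exceed the per-window limits.

    Mirrors the IP-based and card-based rate limits: an IP pushing many submissions,
    or one card retried repeatedly, is the typical shape of an automated card-testing run.
    Returns sorted lists so the result is stable for alerting and tests."""
    flagged_ips = {ip for ip, n in rolling_counts(events, 1, window) if n > max_per_ip}
    flagged_cards = {c for c, n in rolling_counts(events, 2, window) if n > max_per_card}
    return {"ips": sorted(flagged_ips), "cards": sorted(flagged_cards)}
```

In production the same counters would feed the threshold at which you trigger a CAPTCHA challenge or block further submissions, rather than only reporting after the fact.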

Zuora has built multiple security features into Payment Pages 2.0 and continues to add protection as new threats emerge. We recommend that you stay up to date with the latest Payment Pages 2.0 features. Using Zuora's out-of-box security measures lets you cover several of the approaches above with less implementation effort on your side.

HPM Threat Detection dashboard

The Zuora System Health dashboard for Hosted Payment Method Pages (the HPM Threat Detection dashboard) collects and displays HPM traffic and threat data, together with the security settings configured for each hosted payment page. The dashboard shows data about the hosted payment pages on your Zuora tenant within a selected time range, so you can detect attacks and other issues and then troubleshoot them. For details, see HPM Threat Detection dashboard.

Export Zuora security measure data for validation or auditing

To investigate issues that occurred during a Payment Pages 2.0 submission, you can export data from the following data sources for further analysis. Open the links to find details about how to use each data source.