home

Zuora Payments

Zuora BillingZuora PaymentsZuora PlatformZuora CPQZephrZuora RevenueAccounts ReceivableRelease NotesBasicsEntitlementsSupport and policies
Zuora BillingZuora PaymentsZuora PlatformZuora CPQZephrZuora RevenueAccounts ReceivableRelease NotesBasicsEntitlementsSupport and policies

Welcome to Zuora Product Documentation

Explore our rich library of product information

Show Contents

thumbnailZuora Payments

Security measures for Payment Pages 2.0

Secure your Payment Pages 2.0 integration with Zuora security measures

Learn how to secure your Payment Pages 2.0 integration using Zuora's comprehensive security measures, including rate limiting, CAPTCHA challenges, and fraud protection services.

To help reduce and manage your risks from potential card testing fraud, Zuora provides the following security measures:

  • IP-based rate limiting
  • Card-based rate limiting
  • HPM submission rate limiting
  • Support for Google reCAPTCHA challenges
  • HPM Smart Bot Attacking Prevention
  • Token expiration
  • Support for 3D Secure
  • Client-side Payment Page parameter validation
  • Address Verification Service
  • Email address verification
  • Zuora Fraud Protection service powered by LexisNexis ThreatMetrix

This section provides guidance on enabling and configuring Zuora security measures for Payment Pages 2.0. For the latest sample code for Payment Pages 2.0 integration, see Sample Code for Payment Pages 2.0.

Before you configure and use the security measures provided by Zuora for Payment Pages 2.0, complete the following tasks:

  1. Generate a new token and signature pair for each Payment Page 2.0 and Direct POST render.
  2. Ensure that you use the 1.3.1 or later version of zuora.js .

IP-based submission rate limiting

The IP-based submission rate limiting feature is a tenant-level security measure. It limits the number of times a hosted payment page can be submitted from the same IP address within a time range. This feature is enabled by default for your Payment Pages 2.0, including hosted payment pages set up through embedded iFrame and Direct POST requests.

Access and configure this feature by navigating to Settings > Payments > Setup Payment Page and Payment Link > Rate Limiting Configuration . You can use the following settings to configure this feature. Ensure to configure the values within the allowed ranges that are described in the UI tooltips.

  • IP Whitelist : The whitelisted IP ranges that are not subject to the IP-based rate limiting configuration. You can specify a maximum of 50 IPv4 address ranges. For scenarios such as call center agents, it is recommended to include approved IP addresses in the IP whitelist, instead of increasing the rate limiting values, to avoid any disruptions to legitimate service.

  • Submission Limit Per Minute : The number of times a page can be submitted per minute from the same IP.

  • Submission Limit Per Hour : The number of times a page can be submitted per hour from the same IP.

Card-based submission rate limiting

The card-based submission rate limiting feature is a tenant-level security measure. It limits the times a hosted payment page can be submitted for the same card within a time range. The card-based rate limiting feature is enabled by default in all production environments and cannot be disabled. This feature is pre-configured by Zuora with a group of thresholds, including attempt times allowed within a minute, within an hour, and within a day. This feature is not available for self-configuration. If you want to know more information about this feature, submit a request at Zuora Global Support.

For tests in production environments, it is recommended to use multiple cards or increase the time interval between submissions.

Note:

This feature is only supported in production environments. It cannot be enabled in any API Sandbox or Central Sandbox environments.

HPM submission rate limiting

The HPM submission rate limiting feature is a tenant-level security measure. This feature is enabled in all production environments by default. With this feature enabled, the maximum number of attempts to submit payment pages from the same tenant is configured by Zuora with a group of thresholds based on the normal peak traffic value of a tenant, including attempt times allowed within a minute, within an hour, and within a day. This feature is not available for self-configuration. If you want to know more information about this feature, submit a request at Zuora Global Support.

For example, a total of 100 submissions per hour is configured for a tenant. If the tenant makes 100 submissions in the first 10 minutes, this tenant cannot complete any more submissions until the hour has expired.

Note:

If you plan or expect any activities with high-volume traffic, submit a request at Zuora Global Support. before the activity. Zuora will evaluate your request and increase the thresholds for your tenant.

If the number of page submissions exceeds the thresholds, a Submit_Too_Quick error code error occurs. You can customize how you want to display the message for this error. For security considerations, it is not recommended that you alert users to your security setting details, such as the number of attempts to reach the error limit and the timeframe between submissions. See Error Handling for Payment Pages 2.0 and Customize error messages for Payment Pages 2.0 for more information.

Last updated: March 30, 2026