home

Zuora Payments

Zuora BillingZuora PaymentsZuora PlatformZuora CPQZephrZuora RevenueAccounts ReceivableRelease NotesBasicsEntitlementsSupport and policies
Zuora BillingZuora PaymentsZuora PlatformZuora CPQZephrZuora RevenueAccounts ReceivableRelease NotesBasicsEntitlementsSupport and policies

Welcome to Zuora Product Documentation

Explore our rich library of product information

Show Contents

thumbnailZuora Payments

Secure your Payment Pages 2.0 integration with Zuora security measures

Configure Google Cloud account for reCAPTCHA service

Learn how to configure your Google Cloud account for reCAPTCHA Enterprise in Zuora, including setting up site keys, API keys, and project IDs.

In Zuora, configure the Google Cloud account used for reCAPTCHA Enterprise by following these steps:

  1. Navigate to Settings > Payments > Setup Payment Page and Payment Link .
  2. On the Payment Pages tab page, navigate to the Google reCAPTCHA Enterprise Configuration section, and then click Edit .
  3. Select to use Google reCAPTCHA Enterprise with your own Google Cloud Enterprise account or Zuora’s Google Cloud Enterprise account. If you select to use Zuora’s Google Could Enterprise account, Zuora will generate a Google reCAPTCHA site key dedicated to your tenant for each type of the reCAPTCHA Enterprise service enabled on your tenant.
  4. If you decide to use your own account, configure the following credentials in the Google reCAPTCHA Enterprise Configuration section. You can obtain these fields from your Google reCAPTCHA Admin Console in Google Cloud Platform.

    • Enterprise Site Key

      • Score-based: Configure this key for use with Google reCAPTCHA Enterprise AI Assessment version.

      • Checkbox: Configure this key for use with Google reCAPTCHA Enterprise Interactive Test version .

    • Google Cloud API Key

    • Google Cloud Project Id : Provide your Google Cloud Project ID that is a character string, such as "merchant-captcha-enterprise". Do not provide the Google Cloud Project Number that is a numeric string.

In your Google reCAPTCHA Admin Console, ensure the following configurations are completed:

  • Add your domains for both sandbox and production environments in the Google reCAPTCHA Domains setting. For URLs of Zuora Data Centers, see Zuora Data Centers.

  • The following settings are configured for the API Key on the Credentials page:

    • Application restrictions : The None option is selected.

    • API restrictions : The Restrict key option is selected and reCAPTCHA Enterprise API is selected.

For more information, see Google reCAPTCHA developer documentation.

Note:

If you are using Zuora Central Sandbox, you must reconfigure the Google Cloud account used for reCAPTCHA Enterprise after Central Sandbox is refreshed.

For both AI Assessment and Interactive Test versions of Google reCAPTCHA Enterprise, you can configure the tenant-level and page-level Risk Score Threshold settings to set up thresholds for the level of risk the user interaction poses. Details about the allowed value are available in the UI tooltip. The Risk Score Threshold value configured in Zuora HPM settings is used to evaluate whether the attempt is a bot attack, but not used to determine whether to show the CAPTCHA challenge. For the recommended value, refer to the recommendations by Google. For more information about the risk score recommendation and interpretation, see Google Cloud Docs.

  • To configure the tenant-level Risk Score Threshold setting:

    1. Navigate to Settings > Payments > Setup Payment Page and Payment Link .

    2. On the Payment Pages tab page, click Edit in the Google reCAPTCHA Enterprise Configuration section.

    3. Enter a value in the Risk Score Threshold field, and click Save .

  • To configure the page-level Risk Score Threshold setting:

    1. Navigate to the Security Information > Google reCAPTCHA section when creating or editing a Payment Page 2.0.

    2. Click the Interactive Test (Checkbox) or AI Assessment (Score-Based) option according to your needs. The Risk Score Threshold field is displayed under the option.

    3. Enter a value in the Risk Score Threshold field. If no value is set for this setting, the tenant-level Risk Score Threshold value will be used for your hosted payment page. This page-level value takes precedence over the tenant-level Risk Score Threshold value.

When you create or edit a Payment Page 2.0, navigate to the Security Information > Google reCAPTCHA section and click Disable reCAPTCHA to disable the Google reCAPTCHA service on your Payment Page 2.0.

The support for reCAPTCHA v2 Classic in Payment Pages 2.0 has been deprecated since 8 November 2022. reCAPTCHA Enterprise Interactive Test (Checkbox) version is recommended as the replacement solution for an improved bot detection experience and to avoid failures due to exceeding the reCAPTCHA quota. If you did not migrate to reCAPTCHA Enterprise before 8 November 2022, reCAPTCHA is disabled on your tenant. Though you can still enable reCAPTCHA Enterprise, your tenant is not protected by the reCAPTCHA service until you enable it.

Migrate to reCAPTCHA Enterprise Interactive Test (Checkbox) version by completing both of the following tasks:

  • Update your client code for handling the CAPTCHA challenge user interaction to support the flow of reCAPTCHA Enterprise Interactive Test (Checkbox) version.

  • Update your hosted payment page setting in Zuora.

Because the user interaction flows for these two versions of reCAPTCHA services are different, you must update your client code to support the flow for reCAPTCHA Enterprise Interactive Test (Checkbox) version. For reCAPTCHA Enterprise Interactive Test (Checkbox) version, if CAPTCHA challenges are required, end-users resolve the challenges first, and then click the submit button to submit the hosted payment page. You can use the onCaptchaStateChange event handler to implement your logic.

For example, you have integrated your hosted payment page through the Button Outside mode. To support the reCAPTCHA v2 Classic service, you implemented the logic in the onCaptchaStateChange event to remove an overlay when the challenge displays and add the overlay back after the challenge is resolved by the end-user. You now want to migrate to reCAPTCHA Enterprise Interactive Test (Checkbox) version. To support the interaction flow, you must update your code by removing the logic of handling the overlay before the end-user resolves the challenge.

Last updated: March 30, 2026