Welcome to Zuora Product Documentation

Explore our rich library of product information

Implement Payment Pages 2.0 via Direct POST

Create a Payment Page using Direct POST to Zuora, allowing full control over the form's appearance while ensuring PCI compliance.

Alternative to embedding the Payment Pages iFrame on your website, you can create an HTML form version of a Payment Page that posts directly to Zuora to create a payment method. This implementation approach gives you full control over the look and feel of your payment form. With Direct POST, sensitive payment data is transferred from the web browser directly to the Zuora server via HTTPS.

While PCI scope is reduced using the Direct POST, your merchant bank will require you to follow PCI compliance best practices when securely submitting your HTML form to Zuora, including:

  • Ensuring that no payment data is stored on your servers

  • Securing your form from submission vulnerabilities such as cross-site scripting

  • Securing your form from redirection to a non-Zuora server upon submission

With PCI-DSS v3 and higher, you may be subject to stricter PCI-compliance audit requirements with this approach.

There are some differences to note between the features and implementations of the iFrame versus the Direct POST:

  • When your Payment Page is implemented via Direct POST, your re-loaded form cannot contain the previously entered user inputs. You can use the retains value feature described in error handling only with the Payment Pages implemented via iFrame. For more detailed information, see Error handling for Payment Pages 2.0

  • In Direct POST version of Payment Pages, you pass the passthrough parameters and gateway options into your HTML form as <input> elements.

The following is an example of a pass-through parameter in an HTML form:

<input type="hidden" name="field_passthrough1" value="Capture"/>

The following is an example of a gateway options parameter in an HTML form:

<input type="hidden" name="param_gwOptions_globalIPaddress" value="SomeAddress"/>

The high-level steps for implementing a Direct POST to Payment Pages are:

  1. Configure Payment Pages 2.0
  2. Obtain the Public Key for Payment Pages 2.0
  3. Generate the Digital Signature for Payment Pages 2.0
  4. Validate the Digital Signature for Payment Pages 2.0
  5. Construct your HTML form for the Direct POST
  6. Verify the callback response

The steps are similar to the steps for implementing the iFrame version of Payment Pages. Only the Step #5 is specific to the Direct POST method. The following section provides more detail for this step.