Dynamic enablement and configuration of Google reCAPTCHA
Learn how to dynamically enable and configure Google reCAPTCHA for Payment Pages 2.0 using Zuora's HPM Smart Bot Attacking Prevention feature.
For Payment Pages 2.0 implemented through iFrame, Zuora provides the HPM Smart Bot Attacking Prevention feature, which is an opt-in auto-adjusting security feature based on continuous monitoring of attack patterns. With this feature enabled, Zuora dynamically enables and configures reCAPTCHA Enterprise Interactive Test (Checkbox) version when attacks are identified.
According to the hourly monitoring results, when Zuora identifies that a hosted payment page is under attack, Zuora evaluates whether the current reCAPTCHA settings can secure the hosted payment page. If your current reCAPTCHA settings are not sufficient to secure your page, Zuora automatically enables reCAPTCHA Enterprise Interactive Test version and increases the page-level Risk Score Threshold value if necessary. When Zuora finds the bot attack is over, the reCAPTCHA security settings are restored to the latest enablement status and value that you configured. During the attack, if you change your reCAPTCHA security settings, after the attack Zuora restores the values to your latest settings configured during the attack but not to your initial settings before the attack.
Before enabling the HPM Smart Bot Attacking Prevention feature, ensure that you have tested reCAPTCHA Enterprise Interactive Test version on your hosted payment page and that at least one submission has been made successfully over the past 30 days. In some cases (for example, if your Submit button is outside of your hosted payment page), the HPM Smart Bot Attacking Prevention feature might attempt to enable a CAPTCHA challenge that is incompatible with your process flow.
This feature is not supported for Payment Pages 2.0 implemented through Direct POST.
To enable the HPM Smart Bot Attacking Prevention feature for your hosted payment page, complete the following steps:
- Enable HPM Smart Bot Attacking Prevention in Feature Management as this feature is in the Early Adopter phase. You must have the Manage Payments Settings permission to access the Feature Management setting. For more information about this user permission, see Enable payment features by yourself.
- In the Zuora UI, click your username in the upper right and navigate to Settings > Payments > Manage Features .
- On the Payment tab, click Enable in the HPM Smart Bot Attacking Prevention row. A dialog describing that Zuora review is required for your enablement request is shown.
- Click Enable Feature .
- Click all the EA term items, select I agree that I have read and agreed to the terms of the Early Availability Agreement , and then click Confirm to Enable . Your enablement request is submitted for approval. In sandbox environments, it may take a few minutes to complete the approval and provisioning process. In production environments, it may take a few days. After the review is completed, you will receive an email.
- After you receive the confirmation email from Zuora that this feature has been enabled on your tenant, complete the following steps.
- When creating or editing a Payment Page 2.0, navigate to Security Information > Google reCAPTCHA .
- Select Smart Bot Attack Prevention and save your configuration.
To discover when and what reCAPTCHA settings are adjusted, use the HPM Smart Bot Attacking Prevention Audit data sources to export relative data. For more information, see HPM Smart Bot Attacking Prevention Audit data source.
The Token Expiration feature is a page-level security measure. With this feature enabled, when end-users hit this threshold by repeatedly submitting incorrect information on the hosted payment page, they will see the error message and will be blocked from all further hosted payment page submissions.
Enable this feature by setting a positive integer value for the Limit the number of submissions before blocking submission field. This feature is automatically enabled for your Payment Pages 2.0. It is pre-configured by Zuora with a default threshold. You can configure the threshold through Zuora UI.