Client-side Payment Page parameter validation
Learn how to enable and configure client-side parameter validation for Zuora Payment Pages to enhance security by validating client parameters against digital signatures.
Zuora recommends that you enable this security measure:
- Navigate to Settings > Payments > Setup Payment Page and Payment Link > Advanced Configuration.
- On the Payment Pages tab page, click Edit in the Advanced Configuration section.
- Select Validate Client-Side HPM Parameters, and then click Save.
After this feature is enabled, whenever Zuora receives a request to render or submit a hosted payment page, it validates the client parameters in the request by comparing each value in the request with the value specified in the digital signature. Therefore, you must specify these parameters when you call the Generate RSA signature REST operation to generate the digital signature.
When specifying the client parameters in the Generate RSA signature operation, if the parameter name contains field_, use only the string after field_ as the field name. For example, field_currency is a supported client parameter; in the Generate RSA signature operation, use currency instead of field_currency. The field names supported by the Generate RSA signature operation are documented in the API Reference.
Note that the following client parameters are not supported by the Client-side HPM Parameter Validation feature:
- The following three parameters are not supported because they are only used to control the display in the UI: retainValues, countryBlackList, and countryWhiteList.
- The url parameter is also not supported because it was already validated.
If the parameters contained in the rendering or submission request match the values specified in the digital signature, the validation succeeds. If they do not match, the validation fails: the Validate_Dynamic_Params_Failed error code is returned, and Zuora blocks the rendering or submission request.
Here is a sample curl request to generate a token and a digital signature. paymentGateway and locale are the client parameters specified for validation.
curl -i -k -H "apiAccessKeyId:superadmin@myCompany.com" -H "apiSecretAccessKey:password" -H "Accept:application/json" -H "Content-Type:application/json" -X POST https://rest.zuora.com/v1/rsa-signatures -d '
{
"uri": "https://www.zuora.com/apps/PublicHostedPageLite.do",
"method": "POST",
"pageId": "ff80808145b3bf9d0145b3c6812b0008",
"paymentGateway": "Orbital7",
"locale": "fr_CA"
}'
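The following Python helper is an added example, not Zuora's code: it builds the rsa-signatures request body from the client parameters a page will be rendered with (stripping the field_ prefix and leaving out the unsupported parameters listed above), and models locally the comparison Zuora performs on a render or submit request. The comparison logic is an assumption based on the description above; the uri, pageId, gateway and locale values are taken from the sample request, and field_currency and retainValues are constructed extras.

```python
import json

# Client parameters that Client-side HPM Parameter Validation does not cover
# (per the documentation above): three UI-only controls plus url, which is
# validated separately.
UNSUPPORTED_PARAMS = {"retainValues", "countryBlackList", "countryWhiteList", "url"}


def to_signature_field(name: str) -> str:
    """Map an HPM client parameter name to the field name the Generate RSA
    signature operation expects: field_currency becomes currency."""
    return name[len("field_"):] if name.startswith("field_") else name


def build_signature_request(uri: str, method: str, page_id: str,
                            client_params: dict) -> dict:
    """Assemble the JSON body for POST /v1/rsa-signatures so that every
    supported client parameter the page is rendered with is signed."""
    body = {"uri": uri, "method": method, "pageId": page_id}
    for name, value in client_params.items():
        if name not in UNSUPPORTED_PARAMS:
            body[to_signature_field(name)] = value
    return body


def validate_request(signed_body: dict, request_params: dict):
    """Local model (an assumption, not Zuora's code) of the check Zuora
    performs on a render or submit request: each covered client parameter
    in the request must be in the signed set with the same value.
    Returns None on success, otherwise the documented error code."""
    for name, value in request_params.items():
        if name in UNSUPPORTED_PARAMS:
            continue
        if signed_body.get(to_signature_field(name)) != value:
            return "Validate_Dynamic_Params_Failed"
    return None


if __name__ == "__main__":
    # uri, pageId, gateway and locale come from the sample request above;
    # field_currency and retainValues are constructed extras.
    signed = build_signature_request(
        "https://www.zuora.com/apps/PublicHostedPageLite.do", "POST",
        "ff80808145b3bf9d0145b3c6812b0008",
        {"paymentGateway": "Orbital7", "locale": "fr_CA",
         "field_currency": "CAD", "retainValues": "true"})
    print(json.dumps(signed, indent=2))
    # A render request whose locale differs from the signed value is rejected.
    print(validate_request(signed, {"paymentGateway": "Orbital7",
                                    "locale": "en_US", "field_currency": "CAD"}))
```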
Support for Address Verification Service
Zuora Payment Pages 2.0 supports the billing address fields in the payment page form. If the gateway provider offers Address Verification Service (AVS), the address information entered by the end user in your payment page form will be passed to the gateway and compared with the cardholder's billing address on record with the card issuer.
Support for Email address verification
Zuora Payment Pages 2.0 supports the email address field in the payment page form. If the gateway provider offers the verification service of email addresses, the email address information entered by the end user in your payment page form will be passed to the gateway and compared with the cardholder's email address on record with the card issuer.
Zuora Fraud Protection
Zuora integrates with LexisNexis ThreatMetrix Fraud Protection and provides an opt-in payment fraud protection service, called Zuora Fraud Protection. For more information, see Zuora Fraud Protection.