Card Details • Braintree

Created 13 August 2025 • Updated 19 August 2025

Storing Card Details

 

What is the background to this change?

Following a support call that was recently received into the Zonal Help Centre in relation to unusual orders being placed through our mobile ordering solution, we have been investigating a significant increase in the volume of ‘addCard’ calls being made by registered user accounts.

The White Label App allows your customers to store their card information to make ordering smoother when they place an order in your establishments. This is referred to as “vaulting” a card, and places it in the secure vault using calls to an API on our webservers.

Most customers add a small number of cards; however, our security logging shows a significant increase in addCard calls being made on a small number of user accounts.

We suspect that this activity is linked with fraudulent attempts to test the validity of payment cards.

Over the last few days, we have continued to monitor the situation and have actively blocked any user accounts where unusually large volumes of calls have been made. We have also implemented a rate limiting change as part of 2.63.1, deployed on the 13th of August, to restrict how many times in a given period the addCard request can be made.

However, we also now need to implement a further change to prevent any further abuse of Braintree’s Payment Gateway.

 

What is changing?

 

Rate Limit

Zonal are implementing rate limiting on ‘add card’ calls to limit the number of times a customer can vault a card within a short period of time.

This will be set to a limit of 5 calls that can be made within a 24-hour period.

If a customer reaches this threshold of 5 calls, they will receive the following error code:

Error 5131, "Unfortunately, you cannot add a new card at this time."

Users will be able to continue placing orders using a valid card, Apple Pay or Google Pay, or any previously vaulted cards, but will not be able to add cards to their vault.

 

Verification Requirement

To provide further protection, we have also implemented a change as part of 2.63.2 which requires that a user be 'verified' in order to successfully vault a card. This means that only users who have completed an OTP challenge (supplied a One Time Passcode to authenticate themselves) can vault a card. Any user attempting to vault a card without having completed an OTP challenge will now receive an error.

Users will be able to continue placing orders using a valid card, Apple Pay or Google Pay or any previously vaulted cards, but will not be able to add cards to their vault.
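The two controls above, as an added example that is not Zonal's code: a per-account sliding window of 5 addCard calls in 24 hours, checked only after the OTP-verified gate. The error code and text for the unverified case are placeholders, since the notice gives only the rate-limit error.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 24 * 60 * 60   # 24-hour window stated in the notice
MAX_ADD_CARD_CALLS = 5          # 5 addCard calls per account per window
RATE_LIMIT_ERROR = (5131, "Unfortunately, you cannot add a new card at this time.")
# Placeholder: the notice says unverified users get an error but not which one.
UNVERIFIED_ERROR = (0, "PLACEHOLDER: complete the OTP challenge before adding a card")


@dataclass
class Result:
    allowed: bool
    error_code: Optional[int] = None
    message: Optional[str] = None


class AddCardGate:
    """Per-account sliding-window limiter plus OTP-verified check for addCard."""

    def __init__(self) -> None:
        # user_id -> timestamps (seconds) of addCard attempts still inside the window
        self._calls = defaultdict(deque)

    def attempt(self, user_id: str, otp_verified: bool, now: float) -> Result:
        # Verification gate first: an unverified session never reaches the vault
        # and does not consume rate-limit quota.
        if not otp_verified:
            return Result(False, *UNVERIFIED_ERROR)
        q = self._calls[user_id]
        # Discard timestamps that have aged out of the 24-hour window.
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_ADD_CARD_CALLS:
            return Result(False, *RATE_LIMIT_ERROR)
        # Design assumption: every attempt is counted, whether or not the card
        # later verifies, so a card-testing loop burns its quota on failures too.
        q.append(now)
        return Result(True)
```

The limit is keyed per account, matching the notice's observation that the abuse concentrated on a small number of registered accounts.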

 

What do you need to do?

 

Review of Braintree’s Fraud Management Settings

Braintree provide several Fraud Management settings within the admin console; however, we believe that these controls are not being utilised to their full potential and in line with best practice.

To strengthen the security controls on the Braintree Payment Gateway, we would strongly encourage all customers to review the following settings:

1) Implement the AVS challenge within the Braintree Fraud Management Settings. This will add an automatic verification of customer address information when processing transactions and verifications. When configuring the AVS rules, the following should be implemented:

a. Postal Code does not match: ‘For Any Transaction’

b. Street Address does not match: ‘For Any Transaction’

2) Implement CVV (Card Verification Value) checking and ensure that CVV matching is enabled to reject any transactions and verifications where the CVV does not match. When configuring the CVV rules, the following should be implemented:

a. Reject Transactions & Verification If:

i. CVV does not match: ‘For Any Transactions’

 

Update App Version

Now that the API has been updated, all 'unverified' users will receive an error every time they try to vault a card in the White Label App. To resolve this, all an App user needs to do is log out and log back into their account. Upon logging in again they will receive an OTP challenge and, once passed, they will be able to successfully store card details. This is true no matter the App version, but currently the error message an unverified user sees does not advise them of this if they are using an Apple device.

Therefore, to ensure that the user experience is not impacted, we would advise the following:

a. Customers should upgrade to the latest version of the App: August 2025

b. Customers should also set the minimum App version to August 2025 in iOrder Platform, ensuring that all app users are using the latest version of the App.

 

Are more changes planned?

Zonal takes the security of our customers' data, and the safety of their customers, seriously. We constantly review our security measures and will implement changes to protect our customers as required.

As this issue is being monitored closely, we may implement further changes.