SSL and Payment Gateways


WoodsWalker


Hi Folks!

 

I am in the end stages of developing my online store with osCommerce, and have also begun the process of getting an SSL cert for my online catalog. I assumed it would be necessary to have one. :unsure:

 

My credit card processor (acquirer) has always been Moneris, and they have offered me their "E-Select Plus" system as a payment gateway. I expect installation to be easy.

 

Today they sent me some info about completing my application for E-Select Plus, and they mention that, unless I choose otherwise (which would involve getting my own PCI certification), my payment page will be hosted by Moneris and protected by their own SSL.

 

This sounds fine, but does this mean that I don't need my own SSL for my catalog at all? That would save an expense, but are there pros and cons? After a customer logs in and enters the checkout area, are all those pages (which are currently covered by a "shared" SSL offered by my hosting service) hosted by Moneris?

 

Anyone done this with Moneris or a similar gateway? Any info is greatly appreciated. Thanks!

 

~Wendy

Link to comment
Share on other sites

You need your own FULL ssl certificate, to protect customer data entered on your website, and sent in transit to other websites e.g. Moneris.

 

If you don't use ssl then the data is not encrypted and can be read in transit by hackers.

 

You can use shared ssl, but these days customers expect full ssl.

 

Vger

Link to comment
Share on other sites

You need your own FULL ssl certificate, to protect customer data entered on your website, and sent in transit to other websites e.g. Moneris.

 

Vger

 

So, this is true even though Moneris has said that my payment page will be "hosted" with them? They refer to it as the "Moneris payment page hosting option". This implies to me that the pages on which my customers input their order information will reside on Moneris's own server, similar to the way the pages currently reside on a shared SSL service (something I'm using only temporarily) called "secure.securewebexchange.com", which my hosting service provides as part of my business hosting package.

 

In the setup Moneris is proposing (I'm assuming - correct me, anyone out there, if I am wrong), when a customer enters the secure area of my catalog, the url will change from

 

"http://www.mydomain.com/catalog/catalogpage.php"

 

to

 

"https://secure.moneris.com/mydomain.com/catalog/orderpage.php" .

 

If this is the way Moneris wishes it done, would I have any use for my own SSL cert?

 

Thanks again!

~Wendy

Link to comment
Share on other sites

I found the following info (finally!) on the Moneris site!

 

[Note: It's Option #2 I am being offered, which they obviously are pushing because they have then listed a long list of advantages. :) ]

___________________________________________________________________________

1. eSELECTplus Application Program Interface (API) option provides you with control over the entire shopping process as it integrates easily into your web store. Moneris transaction APIs are available in a variety of different web programming languages and enable you to process transactions directly from your website.

 

2. eSELECTplus Secure Payment Page option is hosted by Moneris and seamlessly re-directs your customer to a secure payment page that allows them to pay for goods. There is no need to purchase an SSL certificate, and all cardholder information is captured and protected by Moneris.

 

Benefits

• Easy access to transaction reporting. View online credit card sales 24/7 from any PC so that you can stay on top of your business.

• eSELECTplus hosted payment page. Compatible with most popular shopping cart applications. If you require a shopping cart solution, please visit myebiz.ca™.

• Instant order notification. When your customer places an order, you can automatically receive an email so that you can fulfil the order quickly.

• Enhance cardholder security. Through the hosted payment page, your customers' credit card information is submitted and processed securely, ensuring their data remains protected.

• Reduce fraud. eSELECTplus supports such eFraud tools as the Verified by Visa service, Address Verification Service (AVS) and Card Validation Value (CVV).

____________________________________________________________

 

I would gather, then, that if one already has a fully-developed page with security measures in place, one would go for option #1 (API). Otherwise, if one were like me, just in the process of developing an online catalog, one would likely prefer option #2, putting the ordering pages behind Moneris's SSL.

 

This means that when a customer enters the secure area of the site, they will get the expected "https://" and the "little lock", no error messages regarding the certificate, and will (if they look) see that the URL has lengthened to include Moneris's secure server address. Will many customers be put off by this? In my experience as a customer and merchant, I would say: not many.

 

I am still uncertain as to whether it is only the credit card info that Moneris will gather, or all the order info. If the customer name and address are still processed through my host's server, I expect I will need my own SSL to cover that, in my customers' interests.

 

Any further advice or opinions out there, now that I've provided better information?

 

Thanks!

~Wendy

Link to comment
Share on other sites

Here is a copy of my reply about the same subject in a thread where you also participated:

 

You can run a successful shop without SSL, provided you use payment methods where the customer does not have to input sensitive payment information on your website.

 

Which also goes for using payment services like PayPal and 2checkout, where the customer is sent to the payment processor's website to complete the payment on their SSL-secured servers.

 

But that said, you might also lose out on some customers simply because your site does not have SSL on the checkout, since there are shoppers who will not input their contact and address details unless the site is SSL-secured.

 

 

 

 

Moneris option 2 should be in the same group as PayPal and 2checkout mentioned above...

Link to comment
Share on other sites
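
An added example, not part of any post in this thread and not osCommerce or Moneris code: a small audit of which forms on the merchant's own site still collect customer details without HTTPS once card entry has moved to a hosted payment page. The page URLs, the `hosted-paypage.example` host and the field-name list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments treated as personal or card data (assumed list).
SENSITIVE = ("password", "email", "name", "address", "postcode", "telephone", "card", "cvv")

# Constructed sample pages; URLs and field names are placeholders.
PAGES = {
    "http://www.mydomain.com/catalog/create_account.php":
        '<form action="create_account.php" method="post">'
        '<input name="firstname"><input name="street_address">'
        '<input type="password" name="password"></form>',
    "https://www.mydomain.com/catalog/login.php":
        '<form action="login.php" method="post">'
        '<input name="email_address"><input type="password" name="password"></form>',
    "http://www.mydomain.com/catalog/checkout_confirmation.php":
        '<form action="https://hosted-paypage.example/pay" method="post">'
        '<input type="hidden" name="order_id"><input type="hidden" name="charge_total"></form>',
}

class FormCollector(HTMLParser):
    """Records each form's action URL and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open is not None and a.get("name"):
            self._open["fields"].append(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_page(page_url, html):
    """Return (page, problem, fields) for sensitive forms not protected by HTTPS."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        fields = [f for f in form["fields"] if any(s in f for s in SENSITIVE)]
        target = urljoin(page_url, form["action"])  # resolve relative form actions
        if fields and urlsplit(page_url).scheme != "https":
            findings.append((page_url, "form served over http", fields))
        if fields and urlsplit(target).scheme != "https":
            findings.append((page_url, "form posts over http", fields))
    return findings
```

Only the account-creation page is flagged: it is served and submitted over plain HTTP while asking for name, address and password. The hand-off form to the hosted payment page carries only an order reference and total, so it produces no finding.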

Thanks once again, Nick! :)

 

Yep, I think it is as you say ... we could do this without our own SSL, but the interface might not please all customers. Depends on exactly how it works, and I need to get more info on that.

 

Every quantum leap I make while developing this thing leads to a whole pack of new questions! But that's how these things are...

 

Yes, it looks as if with Moneris's eSelect eCommerce option #2 (using Moneris's own hosted PayPage), the issues of one's own SSL, and PCI compliance are sidestepped.

 

As for Moneris's eSelect eCommerce option #1, getting one's own SSL and using an API to connect osCommerce to Moneris, I have not fully explored it yet, but I'll update when I learn more. From what I understand, this used to be the only way of doing things, short of limiting oneself to PayPal.

 

In the meantime, for anyone who's in the same boat, I've hit pay dirt and found Moneris's cache of informative documents on these and related matters:

 

Moneris merchant documents

 

Here you will find Merchant Integration Guides concerning Moneris's Hosted Paypage, connecting to Moneris via a PHP (or other) API, and other documents concerning PCI compliance and merchant best practices. Now I'm going off to read them... :blink:

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
