tru-cast

Is SSL required?


I have been running OS Commerce for 3.5 years. In that time I have had no problems and forgotten most of what I knew about installing it. My website (tru-cast.com) does not use SSL and currently sends the customer to viaklix.com https website for credit card data entry using the viaKLIX Payment Gateway. Because viaklix will no longer be supported within a few months, I am planning to move to the following new payment module:

 

Virtual Merchant - Elavon, ViaKlix, Nova Payment Module v. 1.2 (Full Package)

 

Does the above module work the same way as Nova/Viaklix? In other words, can my website continue to be an unencrypted http website (without SSL) with the new module? If so I assume the new Virtual Merchant website handles the encryption of the credit card info as did the viaklix website before?

 

Also, can I install the new VM module above while keeping the existing viaKLIX Payment Gateway module? I do not have a test environment nor do I know how to set one up so I would like to be able to continue using the existing viaKLIX Payment Gateway module while I install and test the new VM module?

 

Will the new module require any customization or should it be pretty much install and go? I'm not worried about configuring normal stuff, but I am not a programmer and want to make sure I don't break my website with a new installation that might take weeks to get working.

 

BTW, Thanks to all the developers and supporters for such a great product! I get compliments on my website and it's you guys that deserve the credit!


According to the package description the credit card data is POSTed to the merchant website. That means that you will have to have an SSL cert, AND YOU WILL HAVE TO BE PCI COMPLIANT. Look for another module is my opinion.

 

 

And by the way, do you not care enough about your customer details to SSL protect them? (Yeah, that's harsh but just to make a point, not trying to be mean.)


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


If you're using a payment system where you handle (or just see in passing) customer credit card information on your site, you will have to be PCI-DSS compliant. That's complicated and expensive, and requires much more than just an SSL certificate for your site. You may want to look at "third party" payment systems (PayPal [non-Pro], et al.) where the customer is sent off to their site to enter credit card details (under https). Is that what you had with Viaklix?

 

SSL isn't absolutely required if you use a third party to handle credit cards, but it's generally considered good practice to protect other customer information (name and address, phone, email, etc.) under https. Customers will be more willing to make a purchase if they see that you are taking steps to protect their personal data. If you do not wish to spring for a private SSL certificate, most hosts offer a free shared SSL certificate (you use a URL of something similar to https://server.hostname.com/~ACCOUNTNAME/path-to-your-shop/...). Talk to your host to confirm that a PHP application such as osC will work with a shared certificate.

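Added example, not part of any post in this thread and not code from osCommerce or the payment module: a small Python audit that inspects a checkout page's HTML and reports whether card fields are collected on the merchant's own page or the customer is handed off to a gateway-hosted form, which is the distinction the replies above turn on. The hostnames, field names and the field-name pattern are constructed assumptions, not any gateway's real schema.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic for card-data field names (assumption; adjust to the module in use).
CARD_FIELD = re.compile(r"(card|cc)[_-]?(num|number|no)|cvv|cvc|expir", re.I)

class FormAudit(HTMLParser):
    """Collect each <form> action and the names of the fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select") and self.forms and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])

def classify_checkout(page_url, html):
    """Return (submit_target, verdict) for every form on the page."""
    audit = FormAudit()
    audit.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in audit.forms:
        target_url = urljoin(page_url, form["action"])  # resolve relative actions
        target = urlsplit(target_url)
        has_card = any(CARD_FIELD.search(name) for name in form["fields"])
        if has_card and "http" in (page.scheme, target.scheme):
            verdict = "card-data-in-cleartext"            # served or sent without TLS
        elif has_card:
            verdict = "merchant-page-collects-card-data"  # TLS and PCI-DSS scope apply
        elif target.hostname != page.hostname:
            verdict = ("hosted-payment-redirect" if target.scheme == "https"
                       else "redirect-not-https")
        else:
            verdict = "no-card-data"
        findings.append((target_url, verdict))
    return findings

# Constructed sample pages: a gateway hand-off form and a direct card-entry form.
REDIRECT_HTML = ('<form action="https://gateway.example/pay" method="post">'
                 '<input type="hidden" name="merchant_id" value="DEMO">'
                 '<input type="hidden" name="amount" value="19.95"></form>')
DIRECT_HTML = ('<form action="checkout_process.php" method="post">'
               '<input name="cc_number"><input name="cc_expires">'
               '<input name="cvv"></form>')

if __name__ == "__main__":
    for html in (REDIRECT_HTML, DIRECT_HTML):
        print(classify_checkout("http://shop.example/checkout.php", html))
```

Run it against the saved HTML of the final checkout step after installing a payment module; any verdict other than `hosted-payment-redirect` or `no-card-data` means card data touches the shop's own pages.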

Viaklix/Nova is a 3rd party processor with encryption. Even 4 years ago the credit card processor would not approve your account unless the CC info was encrypted. My customers are even better protected because I have never seen, stored, or known of their credit card account numbers. The highest risk to consumers is not unencrypted traffic, it's when someone breaks into an e-store's database and steals everybody's personal information, including credit card numbers, expiration, name, address, etc. Last time I checked, if I get an SSL certificate my monthly hosting costs go from zero to $40+ per month.

 

I was hoping to have an easy solution with Virtual Merchant. Looks like I'll have to do more research.


I think I posted my original question to the wrong forum. I reposted it to:

 

http://forums.oscommerce.com/topic/323748-virtual-merchant-elavon-viaklix-nova-payment-module-support-forum/page__st__100__gopid__1499536entry1499536

 

Also, I did find out (from Elavon tech support) that VM will continue to do the SSL by sending the customer to their credit card data entry form. This way the website does not have to have SSL since data entry is done on their secure site.


The highest risk to consumers is not unencrypted traffic, it's when someone breaks into an e-store's database and steals everybody's personal information, including credit card numbers, expiration, name, address, etc.

Well yes, PCI-DSS does cover much more than just using SSL-protected pages. It also covers the secure storage and handling of such information, so that no unauthorized parties get access to sensitive financial data at any point. With all the massive credit card information thefts in the last few years, it is evident that the bad guys put a lot of effort into stealing this valuable data, and that merchants/payment gateways/banks have to do a much better job than they have been at protecting it.

 

SSL protection at $40+ per month? No way! You're being royally ripped off if they charge that much. Generally you buy a certificate on an annual basis, and pay a one-time installation fee. Certainly less than $500 a year!

Edited by MrPhil

