
This topic is now archived and is closed to further replies.

Nathan56

SSL - do I need?


Hi all,

Planning on implementing a small e-commerce platform to enable the selling of e-vouchers to our karting on ice experience. Payments will be handled via Worldpay, who we also use for card payments in the field.

Do I still need an SSL certificate for this type of platform? If so, where is the best place for me to look?

Thanks,

Nathan


If your third-party payment system takes the customer to their site to process credit card information, it is possible to run without SSL (https). If you will be handling credit card information on your site (e.g., merchant account with payment gateway), SSL will definitely be required (as well as other PCI-DSS requirements, such as security audits).

Note that some places (EU?) may have legal requirements for SSL usage when handling "sensitive" personal data (name and address, contact information, etc.). This includes signing up for accounts, and so on, where osC will use SSL if available. Anyway, make sure you know of any such legal requirements for where your business is based and your customers are.

That said, there are other reasons for getting an SSL certificate. Customers may be reluctant to give out contact information if the page is not under SSL protection, and you could lose business that way. Also, Google will be ranking SSL-protected sites higher than unprotected sites, so you should consider putting your entire site under SSL. It's currently not a significant hit, but could become so in the future.

If you want to go ahead with SSL, one source should be your host. They would be the ones to actually install any SSL certificate you've purchased, and if they don't sell certs themselves, could certainly point you to trusted vendors. A search on "SSL certificate sale" should turn up other vendors, if you want to compare prices.


@Nathan56 You may also want to ask your host if they offer a shared SSL. Using that is free and generally works well. Some shop owners don't like that the URL changes, but for new shops that aren't paying for themselves yet, it can be a good choice.


Ah yes, a shared SSL certificate will usually mean your URL is something like https://<servername>.<hostcompany>.com/~<accountname>/store/... and this can be disconcerting to users. What you might do is put a warning (informational) message next to every link or button which is going to SSL, just to reassure customers that they're not being hijacked. It might even be possible to add a string like " [separate SSL server]" as part of tep_href_link() or as a title attribute, rather than having to do it separately for each usage (I haven't looked at it in detail). Worst case, you could manually add the string to every place an SSL link is called (assuming the entire site is not under SSL).

A random thought: would it be possible to add something to the URI when SSL (or just look for https as the protocol) to have .htaccess invisibly redirect to the shared SSL server? Ideally, you'd see the SSL padlock, but the URL wouldn't change. Does anyone know if something like this can be done? You'd probably have to force a redirect code of 200, to prevent a 30x change of the visible address (if that's possible).


I don't know if it is possible to change the URL for a shared SSL, but my guess is that it isn't. But I don't think it is worth the effort. Most customers, in my opinion, just know to look for https in the URL and that the SSL lock is showing. We have a few hosting members that have used our shared SSL for many years without any negative effect that I can see. If the host can provide an SSL seal, then displaying that on the site might be a good idea.
