osCommerce

Security around the shopping cart and checkout

Posted

I used the installation script provided by my hosting company to install osCommerce and all seemed cool. But then I got to thinking (scary!)... Customers need to be at a secure site for checkout and payment, but the shopping cart itself isn't secure.

The customer enters their credit card number on the apparently non-secure account setup page and then continues to the processing center. Is this safe? I was always under the impression that you should only enter the credit card number on a secure page.

Thanks,

Jim

Posted

Things that seem too good to be true usually are. No, I don't think it's secure at all until they enter a secure area of the site to enter their cc information and so on.

You may want to look into either installing a new cart by yourself, and worrying about your own security, or maybe asking your hosting company the same question.

Posted

Sounds like you need to invest in an SSL certificate to protect your clients.

This will secure your site where necessary. I am a little confused about the account creation comment though. I have never seen OSC ask for a credit card while creating the account. Only while checking out.

Posted

Jim,

Are you saying that, based on your hosting company's installation settings of OSC, that installation allows a shopper to enter their credit card information on a non-SSL portion of the site?

And that this information is requested during account setup?

    The customer enters their credit card number on the apparently non-secure account setup page and then continues to the processing center. Is this safe? I was always under the impression that you should only enter the credit card number on a secure page.

If this is the case, I'm with Wayne and you need to install this yourself.

If not, and you are referring to shopping in non-SSL then entering your credit card information in SSL, this is the way most carts operate.

Posted

Well, perhaps I misspoke just a bit. I didn't try creating the account before trying to check out; instead I created the account during checkout.

Anyway, the paths given by the hosting company's script list "home/myusername/public_html/shop/includes/application_top.php" as one of the installation directories. The other directories have similar paths and the shop URL is "http://mysite.com/shop/".

I don't see anything to indicate I'm on a secure site even though the accounts come configured with a secure server.

And I have asked the question on the host's forums but haven't seen any response yet. To their credit, though, I didn't ask it directly on the support forum or file a ticket request. I'll go on and ask in the support forum and then file a ticket if I don't hear anything.

Thanks,

Jim

Posted

I just went to the SSL site for my account and was able to get to the osCommerce catalog and administration pages. It's interesting, though, that it also comes up on the non-secure side. Guess I'll have to ask the hosting company just how this works.

Anyway, I feel a little bit better now. At least I don't have to worry about customers going from an insecure site to a secure one. Now I just need to make sure the insecure one is not available for someone to stumble across!

Thanks. I'll post and let you know how it turns out.

Jim

Posted

Some of the other users on my host's forums were able to help immensely. The installation script my host used didn't change the https path away from the default public path. I was able to change that and everything now seems to be fine. :D

Now I've got to decide if it's worth the money to purchase my own certificate for the site or if I want to stay with the host's. I suspect I'll end up buying the certificate.

I've also got to arrange for a payment gateway. I'm leaning toward PayPal and 2CheckOut until I develop enough traffic to make the credit card and electronic payments worthwhile. Does anyone have any suggestions or comments, pro or con, about specific vendors? Do PayPal or any of the other options negatively affect the public perception of a site?

Thanks again,

Jim
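The fix Jim describes (the installer left the https path pointing at the plain public URL) lives in the cart's configure.php, where the HTTP and HTTPS base URLs and the SSL switch are separate defines. The following checker is an added example, not code from the thread or from the osCommerce project: it assumes the define names used by osCommerce 2.x configure.php (HTTP_SERVER, HTTPS_SERVER, ENABLE_SSL, DIR_WS_HTTP_CATALOG, DIR_WS_HTTPS_CATALOG) and both sample config files are constructed for the example. It reads a configure.php, and reports the conditions that leave the "secure" pages served in the clear.

```python
import re

# Constructed sample of a configure.php the way a careless installer might
# leave it: the HTTPS base URL was simply copied from the HTTP one and SSL
# was never switched on, so checkout links never leave the public path.
BROKEN_CONFIGURE = """
define('HTTP_SERVER', 'http://mysite.example');
define('HTTPS_SERVER', 'http://mysite.example');
define('ENABLE_SSL', false);
define('DIR_WS_HTTP_CATALOG', '/shop/');
define('DIR_WS_HTTPS_CATALOG', '/shop/');
"""

# Constructed sample of the corrected file: HTTPS_SERVER really is https://
# and ENABLE_SSL is on, so the cart redirects checkout to the TLS host.
FIXED_CONFIGURE = """
define('HTTP_SERVER', 'http://mysite.example');
define('HTTPS_SERVER', 'https://mysite.example');
define('ENABLE_SSL', true);
define('DIR_WS_HTTP_CATALOG', '/shop/');
define('DIR_WS_HTTPS_CATALOG', '/shop/');
"""

# Matches define('KEY', 'quoted value') and define('KEY', bareword) lines.
# Group 3 holds the quoted value when quotes were used, else group 2 holds
# the bare token (true / false).
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*('([^']*)'|[^)]+)\s*\)")


def parse_defines(text):
    """Return a dict of KEY -> value for every define() in a configure.php."""
    defines = {}
    for m in DEFINE_RE.finditer(text):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        defines[key] = quoted if quoted is not None else raw.strip()
    return defines


def check_ssl_config(text):
    """Return a list of human-readable findings; an empty list means the
    SSL-related defines look consistent."""
    cfg = parse_defines(text)
    findings = []

    # ENABLE_SSL may be written as a bare boolean or as the string 'true'.
    enable = str(cfg.get("ENABLE_SSL", "false")).strip("'").lower()
    if enable != "true":
        findings.append("ENABLE_SSL is not true: checkout stays on HTTP_SERVER")

    https = cfg.get("HTTPS_SERVER", "")
    if not https.startswith("https://"):
        findings.append(
            f"HTTPS_SERVER does not start with https:// (got {https!r}): "
            "the 'secure' pages are served in the clear"
        )
    if https and https == cfg.get("HTTP_SERVER"):
        findings.append("HTTPS_SERVER is identical to HTTP_SERVER")

    if "DIR_WS_HTTPS_CATALOG" not in cfg:
        findings.append("DIR_WS_HTTPS_CATALOG is missing")

    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIGURE), ("fixed", FIXED_CONFIGURE)):
        print(label, check_ssl_config(text) or "OK")
```

Run it against the real catalog/includes/configure.php after any hosted installer finishes; the checker only looks at the defines, so it is safe to run on a live file. A clean result does not prove the TLS host is configured correctly on the web server side, only that the cart will send checkout there.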

Posted

PayPal has become a very acceptable means of payment. You will now find PayPal a payment option on large company sites.

I think there was a stigma about sites that used PayPal a few years back, but now there doesn't seem to be. Matter of fact, I know many people who prefer to always pay by PayPal on sites since their card doesn't actually get entered except the first time.

I say, use it and feel confident.

... just my opinion though! ...

Posted

I have a slightly different setup, but a similar issue with the SSL/NONSSL thing. My client, who has osCommerce installed on his site and uses a shared SSL server with his host, is concerned about the confidence of his customers when they go to the checkout page (at this point they switch over to our webhost's shared SSL server), and an alert box comes up that says, "This page contains both secure and non-secure information, are you sure you want to continue?". Some customers would shy away, and that is a big concern.

I know, and my client knows, that the only non-secure information at that point is images... is this correct? I'm looking for an easy fix here; one way, according to my hosting company, would be to purchase my own SSL certificate for $149. Otherwise it would be a big Hunt/Replace and somehow reroute the image links through the SSL server.

Anyone have any suggestions on how to solve this?

Installed Modules:

Dynamenu, InfoBox Admin, Master Products v.1.2, Header Tags Controller, Multiple Products Manager, Quick Edit in Admin, Secure Admin, Ultimate SEO URL's, EZ Secure Order, Easy Populate v.2.76d MS2, AuthorizeNet_AIM, ChangeFinal Breadcrumb Title, FedEx Labels, Fedex Direct 2.06, How Did you Hear 1.5, Login a la Amazon, UPS XML 1.2.4, USPS Labels, USPS Methods API MS2

Posted

Mike,

If you make sure that all of the images are called via the relative path instead of the absolute path, they will get called through the SSL server unless it has a different directory... if that's the case just make sure all images are in the secure directory.
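The browser warning Mike's client sees is raised whenever a page loaded over https references any image, stylesheet or script by an absolute http:// URL, and the reply above (switch those references to relative paths) is the standard fix. The scanner below is an added example for both posts, not code from the thread or from osCommerce: it assumes a checkout page URL and a small HTML fragment, both constructed here, and uses only the Python standard library. For each offending reference it reports whether the resource is on the shop's own host (where a root-relative path removes the mixed content) or on a third-party host (where only an https:// copy of the resource will do).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the URL the checkout page is served from over TLS.
PAGE_URL = "https://mysite.example/shop/checkout_shipping.php"

# Constructed HTML for a checkout page with a mix of reference styles.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://mysite.example/shop/stylesheet.css">
<script src="https://mysite.example/shop/includes/general.js"></script>
</head><body>
<img src="http://mysite.example/shop/images/oscommerce.gif" alt="logo">
<img src="images/icons/lock.gif" alt="lock">
<img src="http://cdn.partner.example/badge.gif?v=2" alt="badge">
<a href="http://mysite.example/shop/index.php">Home</a>
</body></html>
"""

# Tags whose referenced resource is fetched as part of rendering the page.
# Plain <a href> links are navigation, not mixed content, so they are skipped.
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}


class MixedContentScanner(HTMLParser):
    """Collects every sub-resource that an https page loads over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlsplit(page_url).netloc
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        parts = urlsplit(url)
        # Relative references inherit the page's scheme; https:// is already fine.
        if parts.scheme != "http":
            return
        path = parts.path + (f"?{parts.query}" if parts.query else "")
        if parts.netloc == self.page_host:
            # Same host: a root-relative path follows whichever scheme the
            # page used, which is the "relative path" advice in the reply.
            self.findings.append({"tag": tag, "url": url, "kind": "same-host",
                                  "fix": path})
        else:
            # Third-party host: nothing relative can help; the resource must
            # be available over https (or be copied into the shop itself).
            self.findings.append({"tag": tag, "url": url, "kind": "third-party",
                                  "fix": f"https://{parts.netloc}{path}"})


def scan_mixed_content(html, page_url):
    """Return the list of mixed-content findings for html served at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_mixed_content(SAMPLE_HTML, PAGE_URL):
        print(f"<{f['tag']}> {f['url']}  [{f['kind']}]  ->  {f['fix']}")
```

Feed it the HTML of each checkout page as served over the SSL host; an empty result means the warning box should no longer appear for that page. With a shared host certificate the page host differs from the shop's own domain, so the same-host case only applies to references that already name the shared SSL host.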

Posted

I'm facing something of the same issue in deciding whether to use my host's certificate or buy my own.

I know that the host's shared certificate is good but prefer to ensure that my customers see only my URL, so I'll get my own certificate. They don't have to be expensive. Instant SSL http://www.instantssl.com has a basic Comodo certificate for $50. You can get one with "insurance" for just a bit more.

Alternatively, Thawte http://www.thawte.com has a basic certificate for $200 and Verisign's http://www.verisign.com basic certificate is $400 (2 years for $700, I think).

Now, a couple of impressions -- I've talked with folks at both Verisign and InstantSSL about secure e-mail, specifically sending 128-bit encryption of form data via sendmail.

The Verisign folks (sales, not tech service) were VERY helpful and knowledgeable, willing to ask/answer questions and refer me to others as appropriate. The basic story was that e-mail can be done using 128-bit encryption but it's discouraged because of the load on the server (makes sense). 40-bit encryption is preferred. (This isn't an option for my customer, however.)

When I called InstantSSL I got a similar, but different, answer from the tech service fellow. He didn't have a problem with 128-bit encryption, perhaps because they don't offer 40-bit certificates. My biggest problem with InstantSSL, and please don't let this offend anyone, is that the technician had a strong accent and it was difficult to understand him. (I also have a hearing problem which aggravates the issue.)

I didn't try Thawte because they don't have a US phone number. They do, however, have several alternative methods of tech support and deserve a shot at the business. I may run my questions past them to get a reading...

Bottom line -- I'll probably go with InstantSSL because of the low cost and insurance. Need to understand more about the insurance thing, though.

Jim Winters
