HppyPimp Posted March 15, 2009

Hi guys, looks like I'm in need of some help here. I'm trying to implement an OSC store that takes credit cards. Our company already has the ability to take cc payments through Quickbooks. I really don't know much about this. Is there a way to take payments through this same account? Would it be better to take them through PayPal or another merchant account? Is there anything else I need for this?

My web host sprang a bunch of additional options on me after I had already signed up and said I need them in addition to everything else. Main things were static IP and a "private" SSL vs the "shared" SSL they already provide. I'm only given a few hrs to make my decision before the prices jump.

I don't think our store will be doing a large volume of business. We are a seasonal operation, and only plan to sell locally for now. Don't know if it would make a difference, but payments would generally be small amounts, but could possibly hit 5 digits.

Guest Posted March 15, 2009

I've run stores on a shared SSL before. It's not my preference but it does work. For a smaller account you can use the CC module to capture the CC number and expiration date (but I think that puts you out of compliance when it comes to PCI) or start out with PayPal until you think it will pay to set up an account with a supported gateway. I'd hold off going with the dedicated IP and SSL until I got comfortable with running the store unless you don't mind spending the cash to upgrade right up front.

HppyPimp Posted March 15, 2009

Forgive my ignorance, but what is PCI compliance? I thought I saw somewhere that the cc module was used to store cc information on a local server. I took that to mean that I would then be required to input that information into a payment system. Not ideal, not to mention the security risk of storing cc information.

As far as holding off on the IP and SSL goes, I'm afraid to do that too, though it would be ideal. My web host gave me a 24hr special 1/2 off price for the year. Money is an issue here, and I don't know if I could afford it at the regular price. Already, it is 3 times what I'm paying for the hosting!

What is the difference between a private and shared SSL? My web host said the shared SSL protected my login to my c-panel and such, but would not protect my customers' information being sent to a payment site. My limited knowledge suggests that SSL protects all communications with a server. Therefore a shared SSL would allow attacks from anything else already on the shared server. Web host answered my first inquiry promptly, but now doesn't seem interested at all.

Guest Posted March 15, 2009

You should Google both PCI and SSL. On PCI, you can read up on what you can or can't do when it comes to collecting and storing CC information. There is a contribution that will let you clean out your database entries to X out all but the last 4 numbers of any CC number stored in your database.

On SSL, you'll find that they are pretty inexpensive. The expensive part is having a dedicated server or VPS where you install it yourself or getting your host to install it for you. You should get the same protection out of a shared SSL as you get out of a dedicated one, you just have to know what paths to use in your configure.php files. If that's not true on your host server, I'd suggest looking for another host as soon as you can.

HppyPimp Posted March 15, 2009

Basically, I've got that even if it's possible to be non-compliant with PCI, it's not something I want to do.

I'm not sure what is considered pretty inexpensive, but JustHost charges $180 a year normally. Considering I paid just over $35 for a year of hosting, even at the 1/2 off price of $90, it's near 3 times my hosting. I may have to look for another host, but I've only just signed up yesterday and they are the most highly recommended host I could find.

Is there a way to find out what paths to use for the php files? Is this a static thing or is it based on the configuration of the web host's SSL?

I saw that there is a plugin for using Quickbooks as my merchant account but that it may be hard to set up. It seems like this would be the best setup if I can get it to work. If not, my backup would have to be PayPal I think. If I go either, would they require the customer to go off site and require them to register another account? I saw someone else complaining about this with other payment methods, but didn't know if it applied to these or not.

Thanks so much for all the help so far. I'm just really bogged down with all the new things I'm finding out in the last few days.

Guest Posted March 15, 2009

I've seen plenty of sources for an SSL for $30 or less. Your host should be able to provide the path to use if you want to use the shared SSL (which I would do if in your shoes). If they won't or can't, try looking at their support site or Google it to see what you can come up with. There might even be something under your Control Panel that would point you in the right direction. Which host are you using?

HppyPimp Posted March 15, 2009

I'm using JustHost.com. I know GoDaddy is only 30 for the basic SSL but they also go up to 300. I'm not sure which is comparable to the one JustHost wants me to get, or if either would need a dedicated IP as well. The prices I listed before included the "required" dedicated IP as well. VeriSign certificates run from 620 to 2375.

Obviously, I worry about my customers' security. I know something that costs 30 isn't going to provide the same security as something that costs 2375 or more. I just want to provide a safe environment for my customers without paying an arm and a leg. I'll be looking into using the provided SSL as my first option. I sure wish my host would respond to me sometime. I feel better about my options every time I get a response from you though. Thanks!

Guest Posted March 15, 2009

> I know something that costs 30 isn't going to provide the same security as something that costs 2375 or more.

Check this out: http://www.verisign.com/ssl/ssl-information-center/

I think your first decision after deciding to go with your own SSL is whether or not you want an Extended Validation SSL. For now though, I'd still go with the shared SSL if it was me.

HppyPimp Posted March 16, 2009

For now, I definitely plan to use the shared SSL if I can. I can also see the benefits of the EV SSL, and would do that if it becomes fiscally feasible.

My host is still being convoluted. I asked why I would need to purchase the private SSL rather than use the shared one. Their response: "You can set up self-signed certificate for free but it requires a dedicated IP address to be enabled for your account as well as each SSL certificate."

As far as I can tell, a self signed SSL certificate would be something I would create myself. Or some random person/company would and then say "hey, this is fine!" without getting it verified by anyone else. Seems a big security loophole to me, and not something suitable for ecommerce.

Guest Posted March 16, 2009

A shared SSL Certificate is provided with every Just Host account. Click Here

HppyPimp Posted March 17, 2009

Yeah, but using it is the key right? The first agent said I needed the private SSL to run a store. But you say I might be able to use the shared SSL if I set it up right, right? I don't know why they came back at me with the self signed stuff. Am I wrong in thinking that that is something else entirely?

Guest Posted March 17, 2009

They are trying to sell you an upgrade. That's all. There is no reason you can't run an osCommerce store using a shared SSL. I've done it more than once. They just need to tell you how to set up the path in your configure.php files. Again, you might be able to find it by poking around in your Control Panel. I didn't find it (big surprise) on their support pages. They claim to have great support. Doesn't sound like they deliver on that claim.

Guest Posted March 17, 2009

BTW, regarding self-signed certificates: They won’t be trusted in any web browsers and will throw a big error message unless you tell each web browser to trust them. See Article

HppyPimp Posted March 17, 2009

Yeah, very unhappy with the support so far. I read a ton of reviews saying it was great though. Maybe they all pay for the "Priority Support" upgrade.

The tech's latest response was to send me a link. No explanations or anything, just a link. The page popped up "Secure Connection Failed web31.justhost.com uses an invalid security certificate." I'm thinking this means they are using a self signed certificate. I've never seen this before. I would not expect a customer to get through that.

Guest Posted March 17, 2009

This is the warning I get:

web31.justhost.com uses an invalid security certificate. The certificate is not trusted because it is self signed. (Error code: sec_error_untrusted_issuer)
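
An added example, not part of any post in this thread: the self-signed condition behind the `sec_error_untrusted_issuer` warning quoted above can be checked from a shell with `openssl` before a customer ever sees it. The certificates and the names `shared.host.example` and `store.example` are constructed samples generated locally; `cert_kind`, `host_cert_kind` and `make_samples` are illustrative names.

```bash
#!/usr/bin/env bash
# Added example: classify a PEM certificate as self-signed or issued by
# another party, using only the openssl command-line tool.

# cert_kind FILE -> prints "self-signed", "ca-issued" or "unverified".
# "ca-issued" only means a different issuer signed it; whether browsers
# trust that issuer is a separate question.
cert_kind() {
    local cert="$1" subject issuer
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subject" != "$issuer" ]; then
        echo "ca-issued"
    # Matching names are not enough: -check_ss_sig makes openssl verify the
    # signature against the certificate's own public key as well.
    elif openssl verify -check_ss_sig -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "self-signed"
    else
        echo "unverified"   # names match but verification failed (e.g. expired)
    fi
}

# host_cert_kind HOST [PORT]: same check on the certificate a live server
# presents (needs network access; not used by the offline demo below).
host_cert_kind() {
    local tmp; tmp=$(mktemp)
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$tmp" 2>/dev/null && cert_kind "$tmp"
    rm -f "$tmp"
}

# make_samples DIR: constructed test certificates, generated locally.
make_samples() {
    local dir="$1"
    # A self-signed certificate, the kind that triggers the browser warning.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=shared.host.example" \
        -keyout "$dir/self.key" -out "$dir/self.pem" 2>/dev/null
    # A constructed private CA, then a leaf certificate issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=store.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
}

demo() {
    local dir; dir=$(mktemp -d)
    make_samples "$dir"
    echo "self.pem: $(cert_kind "$dir/self.pem")"
    echo "leaf.pem: $(cert_kind "$dir/leaf.pem")"
    rm -rf "$dir"
}
demo
```

Running `host_cert_kind` against the shared SSL host name a provider hands out shows whether visitors would hit the same warning.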

HppyPimp Posted March 17, 2009

Yeah, that's the rest of the message. I clicked the add exception button, and get a message that says legitimate banks, stores, and other public sites will not ask you to do this. Also says it could be someone trying to impersonate the server.

I think this is the only shared certificate they have then. I would not expect anyone to go through that though. Looks like I'll have to either pay for theirs, or get someone else's.

Guest Posted March 17, 2009

I don't think that's right. I don't think the shared certificate will be a self-signed one. If it is, it's a rip off and I'd look for another host.

HppyPimp Posted March 17, 2009

First the guy said I had a shared certificate, but could purchase a private one. His last response was to say there are two kinds of certificates. Self signed and private. I'm starting to think the guy just doesn't know what he's talking about.

Your help in all this has been invaluable. Even in trying to look up information, everyone seems to want to talk about it in different terms.

Guest Posted March 18, 2009

Tell the guy you want him to tell you how to set up a self-signed SSL on your site. Bet he can't do it unless you upgrade to a dedicated IP. Tell him it's false advertising to say all accounts come with a shared SSL if they don't. Better yet, ask to speak to someone who knows what a shared SSL is and how to use theirs on your site. Or ask what you need to do to get your money back under their money-back guarantee.

HppyPimp Posted March 18, 2009

His manager said they can install a non-self signed SSL, but it would "take some time." Not sure yet what that means though.

I found out that the $70 certificate they offer is an EV certificate though, so the price makes more sense. I'm surprised by how many hosts only provide 1 and don't say what it is. As far as pricing goes, I found they were doing more false advertising. They specifically said I had only 24 hrs to get the "1/2 off deal." Turns out 1/2 off is the standard price.

On another note, I plan to have a forum along with lots of information type pages on my site. The info pages would also have user specific things as well. Is there any way to use a single log in module for the site, store and forum? I don't want my customers to have to log in 3 times. I could probably incorporate the information stuff into pages in OSC, but not the forum. Any ideas?

Guest Posted March 18, 2009

> On another note, I plan to have a forum along with lots of information type pages on my site. The info pages would also have user specific things as well. Is there any way to use a single log in module for the site, store and forum? I don't want my customers to have to log in 3 times. I could probably incorporate the information stuff into pages in OSC, but not the forum. Any ideas?

I'd start a new thread on that point. No need to hijack your own thread. ;)