Jump to content
  • Checkout
  • Login
  • Get in touch


The e-commerce.

Is SSL required?


Recommended Posts

I have been running OS Commerce for 3.5 years. In that time I have had no problems and forgotten most of what I knew about installing it. My website (tru-cast.com) does not use SSL and currently sends the customer to viaklix.com https website for credit card data entry using the viaKLIX Payment Gateway. Because vialix will no longer be supported witin a few months I am planning to move to the following new payment module:


Virtual Merchant - Elavon, ViaKlix, Nova Payment Module v. 1.2 (Full Package)


Does the above module work the same way as Nova/Viaklix? In other words, can my website continue to be an unencrypted http website (without SSL) with the new module? If so I assume the new Virtual Merchant website handles the encryption of the credit card info as did the viaklix website before?


Also, can I install the new VM module above while keeping the existing viaKLIX Payment Gateway module? I do not have a test environment nor do I know how to set one up so I would like to be able to continue using the existing viaKLIX Payment Gateway module while I install and test the new VM module?


Will the new module require any customization or should it be pretty much install and go? I'm not worried about configuring normal stuff, but I am not a programmer and want to make sure I don't break my website with a new installation that might take weeks to get working.


BTW, Thanks to all the developers and supporters for such a great product! I get compliments on my website and it's you guys that deserve the credit!

Link to comment
Share on other sites

According to the package description the credit card data is POSTed to the merchant website. That means that you will have to have an SSL cert, AND YOU WILL HAVE TO BE PCI COMPLIANT. Look for another module is my opinion.



And by the way, do you not care enough about your customer details to SSL protect them? (Yeah, that's harsh but just to make a point, not trying to be mean.)

Community Bootstrap Edition, Edge


Avoid the most asked question. See How to Secure My Site and How do I...?

Link to comment
Share on other sites

If you're using a payment system where you handle (or just see in passing) customer credit card information on your site, you will have to be PCI-DSS compliant. That's complicated and expensive, and requires much more than just an SSL certificate for your site. You may want to look at "third party" payment systems (PayPal [non-Pro], et al.) where the customer is sent off to their site to enter credit card details (under https). Is that what you had with Viaklix?


SSL isn't absolutely required if you use a third party to handle credit cards, but it's generally considered good practice to protect other customer information (name and address, phone, email, etc.) under https. Customers will be more willing to make a purchase if they see that you are taking steps to protect their personal data. If you do not wish to spring for a private SSL certificate, most hosts offer a free shared SSL certificate (you use a URL of something similar to https://server.hostname.com/~ACCOUNTNAME/path-to-your-shop/...). Talk to your host to confirm that a PHP application such as osC will work with a shared certificate.

Link to comment
Share on other sites

Viaklix/Nova is a 3rd party processor with encryption. Even 4 years ago the credit card processor would not approve your account unless the CC info was encrypted. My customers are even better protected because I have never seen, stored, or known of their credit card account numbers. The highest risk to consumers is not unencrypted traffic, it's when someone breaks into an e-store's database and steals everybody's personal information, including credit card numbers, expiration, name, address, etc. Last time I checked, if I get an SSL certificate my monthly hosting costs go from zero to $40+ per month.


I was hoping to have an easy solution with Virtual Merchant. Looks like I'll have to do more research.

Link to comment
Share on other sites

I think I posted my original question to the wrong forum. I reposted it to:




Also, I did find out (From Elevon tech support) that VM will continue to do the SSL by sending the customer to their credit card data entry form. This way the website does not have to have SSL since data entry is done on their secure site.

Link to comment
Share on other sites

The highest risk to consumers is not unencrypted traffic, it's when someone breaks into an e-store's database and steals everybody's personal information, including credit card numbers, expiration, name, address, etc.

Well yes, PCI-DSS does cover much more than just using SSL-protected pages. It also covers the secure storage and handling of such information, so that no unauthorized parties get access to sensitive financial data at any point. With all the massive credit card information thefts in the last few years, it is evident that the bad guys put a lot of effort into stealing this valuable data, and that merchants/payment gateways/banks have to do a much better job than they have been at protecting it.


SSL protection at $40+ per month? No way! You're being royally ripped off if they charge that much. Generally you buy a certificate on an annual basis, and pay a one-time installation fee. Certainly less than $500 a year!

Edited by MrPhil
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...