Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Do I need an SSL Certificate?


kelly236

Recommended Posts

Posted

I'm trying to find out if I need an SSL on my site when using Google checkout, I'm not sure if I do, since I am not collecting any credit card info, can anyone please let me know if I do and why

 

Thank you for your time and help with this matter

 

Kelly

Posted

Thank you for your response, but seems the people I work for are extremely cheap and their argument seems to be if your not collecting any information, for example using the Purchase Without Account v2.1 contribution that there would be no need for an SSL on the domain, I disagree but they make the decisions and I would like to argue back but I really don't have the extensive knowledge to make a case, if there is any other information you can provide I would be very grateful. Again thank you for your time and quick response

 

 

Kelly

Posted

Kelly,

 

Even PWA requires the customer to enter their name and address and that information is transmitted to Google Checkout in an insecure form if you do not have an SSL installed.

 

I do not know where you are located but there are laws in place in most areas that require online vendors to 'reasonably secure information transmitted over the internet'. Personally, I would never make a purchase online without having an SSL installed to secure ANY information I am providing to complete the purchase. I simple just find another e-store to buy the item from.

 

If you are a licensed business, I would have the client confirm via email they DO NOT want the SSL and you have explained the importance of Site Security and they have declined the suggestion to obtain an SSL.

 

 

Chris

Posted

SSL is mandatory only if you're handling credit card numbers yourself, rather than letting a third party such as PayPal or Google handle it on their site. Actually, a whole bunch of other security stuff comes into play, not just SSL (see "PCI-DSS"), if you're using a payment gateway/merchant account and touching credit card numbers on your site.

 

Personal information is another matter. This includes name, address, phone, and email. Some jurisdictions may require that it be protected to a certain level (SSL, database encryption, etc.), but at least in the US it's not legally protected. That said, customers will be more willing to part with (somewhat) sensitive personal information if they see that it is protected under SSL. Note that SSL only prevents bad guys from eavesdropping on the data flow between site and browser -- the information is "in the clear" on both the PC (think browser cache) and on the server. You can't do much about the former, except to advise users to clear the cache and shut down the browser when they're done. On the server end, you need to be cognizant of what information you're storing, how long you need to keep it, what could happen if the wrong people get a hold of it, whether you need to encrypt any of it, etc., etc. Customers will be happier if you have a written statement about what you can and cannot do with their information (privacy). For typical ecommerce applications, name/address/phone/email isn't terribly sensitive -- normal data center security should be enough protection. Note that in special cases, such as medical purchases which tell something about the person's health, data may fall under stricter regulations such as HIPAA.

 

"Not collecting information" is rather a fuzzy statement. You're going to have to collect name, address, etc. and contact information, in order to ship the package. Payment services will also want that data in case there's some dispute by the customer. Even if you're not going to permanently store such information, once you've obtained it from the customer, you've got it, and it behooves you to treat it carefully.

 

Many hosting services provide free "shared certificate" SSL. You might look into that, rather than spending money on a private SSL certificate and dedicated IP address. Make sure it will work with PHP on your site (some configurations won't). The biggest downside is that usually you can't use your domain name, and have to give something like https://servername.hostingcompany.com/~accountname/...your store... on SSL-protected pages.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...