MaFunk Posted April 21, 2003

Hi, I've been asked to bid on a pretty big job, and one of the components is a fully integrated ecommerce solution. I have a software engineer that will customize osCommerce to my client's needs, however he wants me to take care of the SSL and transaction account. I'm not really sure where to start. So,

1) Does anyone know which transaction systems work with osCommerce? (I looked up authorize.net and saw that osCommerce is not among their "certified shopping carts".) Once I identify a transaction system, how much work is involved in integrating it to osCommerce? (I'm thinking that the software engineer will need to do this, and I want to budget his time.)

2) How do I go about securing and installing an SSL certificate? Please don't flame me for my ignorance, but is an SSL certificate a one-time purchase, or something that we have to lease? Once again, I think that the software guy will do this, but I need to tell him what to do, and to budget for his time.

I've built shopping carts before, but that was several years ago, and so many things have changed. Anywhere that I can go for good, simple reading on this stuff so that I can get a firm grasp of what I'm doing? Any help or advice would be really appreciated.

Thanks, MaFunk :?
Guest Posted April 21, 2003

Monique, the only dumb questions are the ones we don't ask. Here are some answers:

1) OSCommerce supports out-of-the-box the most popular merchant systems, including Authorize.net. You only need to test with your account information once you have it. After installing OSC, decide which merchant system you want (Authorize.net is arguably the biggest and most popular, with such resellers as Wells Fargo, etc). The customer will need to establish a merchant account with the merchant vendor, and when you have the details, you can test. Believe me, the OSC modules for merchant stuff work pretty much right off the bat.

2) The SSL certificate is a license, meaning it must be renewed, and is given from a certificate authority (e.g. Thawte) after the identification of you (or your customer) and their server is positively identified, and the fee is paid (about $300 annually). Now, if your customer decides to go with shared hosting (i.e., not their own hardware), usually the hosting company provides a shared SSL as part of the monthly service fee. Things for you to look into.

As an aside, OSC is so complete and ready to use, you almost won't need that 'software engineer' to do anything too complicated; probably mostly artwork and organization, which are things you could probably do yourself. Good luck!
Ramesh Posted April 21, 2003

You can purchase an SSL solution from pair networks using the link in the top right of this page. Prices depend on what level of warranty (value $) you want to have. The major browsers have these certificates built in.

Shared SSL is not professional enough for most people. When I see a padlock and double click it in the browser, I want to see the details match the company's website (name, registered address, tel. no., etc.).

SSL solutions start from about $49 to $119 (P.A.) (warranty from $50 to $10,0000) with discounts for 2 and 3 yr purchases. I've used a couple and am very happy!

Special Effects / 3d + Flash
orchard Posted April 21, 2003

"Shared SSL is not professional enough for most people."

Shared SSL gets rid of the big dialog box that says the security certificate is invalid, do you want to continue, which is the main thing I wanted to do. It's cheaper and comes included in many hosting plans. The downside is that the URL and certificate for my store say internetsecuresite.com instead of arbucklechurch.org, which might make some people hesitate, but only those that know how to view a certificate.

In olden times the men were made of iron and the ships were made of wood; now it's the other way around. :wink:
MaFunk Posted April 21, 2003

OK, thanks for the feedback - very helpful. Now, a few questions about hosting: I called my host (Hostway) but they don't offer hosting to osCommerce sites. Who do you recommend for hosting osCommerce sites? I want a company that will allow me to install osCommerce and full customization of the site. Who is best for shared SSL and who is best for dedicated SSL? It's very important that the transactions are secure, and that everything works as planned. Thanks for any help.

MaFunk [email protected]
orchard Posted April 21, 2003

It looks like you should be able to use osCommerce at Hostway if you move up to the Gold or Gold Plus plan. I'm using Wyenet because I need the 5GB of web space. I have tested osCommerce recently at IPowerWeb ($7.95/mo) and it seemed to work fine in limited testing. Both use shared SSL.
MaFunk Posted April 21, 2003

The sales rep at Hostway tells me that they will only do it if I manage the entire account myself (install DNS, firewall, NO support - nada, zilch, etc. etc.). He said he wouldn't do it if he was in my shoes.

So who can offer osCommerce hosting with support? I want to be able to load the fully customized site and want my client to have full hosting tech support, but don't want to build the site online (like those point and click WYSIWYG deals). Does that make sense?

MaFunk
Ramesh Posted April 21, 2003

You don't need a host to specifically state that they host osCommerce sites. You need a hosting package which comes with PHP and MySQL. I have installed it on a number of sites for testing purposes in the UK and they all worked fine!

For SSL I had to get a dedicated I.P. address and after that it worked great! The SSL cost $90, I believe, renewable annually.

I would stay away from shared SSL. It's fine for general use / testing and trying out. But in the real business world you have to spend a little to make a little, as they say. Also SSL for under $100 is a good price to pay!

Regards,
MaFunk Posted April 21, 2003

My questions reveal my ignorance, but hey, after all this I'll be an expert ;)

When you say that my client needs a dedicated IP address, do you mean a dedicated server for their hosting account? I've been looking around, and that is about $150 to $200 per month. If that is what they need, does that mean that I have to install everything from scratch? Or, can I find a host that will install PHP, MySQL, admin control panel, etc., and all I have to do is upload the osCommerce site? If so, who do you recommend in the U.S.?

If a dedicated IP address is not a dedicated server, then what the heck is it? Why is shared SSL so bad?

Hail to the osCommerce gurus! MaFunk
Ramesh Posted April 21, 2003

That's what we're all here for! Right, on to some answers:

1.) Not a dedicated server, just a dedicated I.P. address needed for the SSL certificate. This costs about $20 but will vary from company to company.

2.) Most Unix packages I have seen (in the U.K. and U.S.) have all you need to get started: MySQL, PHP and a decent control panel for admin purposes. All you then do is install osCommerce and you're up and away!

Shared SSL is shared. If you want your customers to trust your business then get a proper SSL for your company. I suppose shared SSL is like a P.O. Box (mail box): you cannot tell who is behind it!

Enjoy!
orchard Posted April 21, 2003

I would like to see some polling information about customers and SSL. Unless you are selling to software developers or extremely computer savvy people, I would guess that somewhere in the 0-5% range of your customers will even know how to view a security certificate. Then only a percentage of those will know the difference between shared and unshared SSL, and only a percentage of those will care. I would guess that less than 1% of customers would be able to detect and object to a shared SSL certificate.

Actually, in my unscientific poll of people I know, they mostly want to see the security key and not see the invalid certificate warning. Most people don't notice the URL changing when you go to the shared SSL server, and some of those that notice think that means they are going somewhere extra secure as opposed to something you hacked together yourself at your site.

As I say, it would be interesting to see some scientific polling information about this. I would hate to spend too much time and money on something that may not matter.

P.S. - Keep in mind, this is a free opinion from a non-expert whose avatar is his dog. :)
Guest Posted April 24, 2003

Orchard, I beg to argue against your supposition of customer awareness for SSL. I have been an IT professional for some fourteen years or so, so I admit my view is a bit askew, but I have helped a LOT of people, ordinary lay folk, who know very well what the little padlock means in their browser.

Granted, not everyone notices when it necessarily switches from secure to non-secure when just passing through web pages, e.g. looking at their bank statement online. But the defining moment occurs when they are entering their credit card information, realizing they are about to spray it across the vast ether, and questioning for themselves if it is safe or not. I believe when it comes to very personal and important information such as their available credit balance, folks are very aware of secure vs. non-secure.

Just my $0.02. :D
orchard Posted April 24, 2003

Steve, I agree that they are very aware of secure vs non-secure and that having the padlock is critical. What I was trying to say is that they don't tend to know and/or care about the difference between shared and unshared SSL since both have the padlock displayed.
Guest Posted April 24, 2003

In that regard I totally agree. I have taken a few extra steps to ensure that the URL is seamless in my shop as well. For example, the e-mails that go out do not use the SSL URL (which is slightly different), but instead use the non-secure URL. They have to log in anyway, and at that point they would be transported via the SSL, but it is all transparent to them.
Michelle Posted April 25, 2003

Hello All, This information has been really helpful, but if you can, please help me to get a particular point clear in my head. I am going to be using Worldpay for credit card transactions but I believe that my host also offers a shared SSL. Do I need the shared SSL on my site if I already use Worldpay?

I guess I am concerned about someone accessing general account information of my customers. It seems that those pages should be in a secure environment also and that wouldn't be covered by Worldpay. Is that right? I should then use the shared SSL, right? Any clarification would be greatly appreciated :D :D
orchard Posted April 25, 2003

Yes, I think your customers' account information should be protected by shared SSL. The financial part will be handled by Worldpay at their web site, but customers would probably like to keep their address, etc. private as well.
Michelle Posted April 25, 2003

Thanks for replying so quickly. :D :D :D I just wanted to make sure that I understood what I needed to do.
Michelle Posted April 25, 2003

Hmmm... I am not sure if I am doing this correctly. I've got Worldpay installed and it was working fine. Then I went ahead and installed the shared SSL. Now my big concern is that in my URL I now see osCsid=#### appended to the URLs. The padlock is there, but since that URL has that osCsid info in it, isn't that a security risk? Because I am using a shared SSL cert I am not able to force cookies.

Did I miss something here? Secure Worldpay, padlock on my other files, but osCsid in URL? Really appreciate any help :)
orchard Posted April 25, 2003

I think the osCsid is just a session ID which is not private information, but I'm not sure and would like to hear it confirmed by one of the Believers.
Michelle Posted April 25, 2003

Ok, this is very helpful. So I see that I don't absolutely require an SSL cert if I am using Worldpay. I guess my biggest concern was that somehow in those pages leading up to Worldpay my customer's information, like their address or phone number, could somehow be stolen or maliciously tampered with. Am I wrong in thinking that?

Before I had read your responses above I had installed shared SSL in the hopes that it would protect that info leading up to Worldpay, and because it is shared I believe that means that I can't force cookies. I noticed that when I set force cookies to false I began receiving osCsid #s appended to the URL! And that didn't seem to be very secure to me either?

Sorry if I sound really daft. I just want to make sure that I do my best to protect my customer's information.
Michelle Posted April 25, 2003

Oops, sorry about that last post. It was actually meant to go on another thread. The topics are similar though. Still trying to get it all straight. :shock:
Michelle Posted April 25, 2003

Hi Paul, What concerned me about the osCsid was that when I copied and pasted it into another browser window, the information about my account persisted, and even though I had closed the other window, there was all of the account info etc. Scary!
orchard Posted April 25, 2003

"I just want to make sure that I do my best to protect my customer's information."

So do I, but I don't have much experience with E-commerce or databases. I have more of an engineering programming background. So if I force cookies, the osCsid stuff will go away? I would like that, but I wonder how many people have their browser set to not accept cookies.
Michelle Posted April 26, 2003

Yes, if you force cookies then the osCsid stuff goes away, but you can't force cookies when you use a shared SSL. If you have force cookies on and your customer has not enabled cookies, then a nice message comes on saying that the store requires cookies for the customer's privacy and safety. I think most stores require cookies, at least I think Amazon does.

PS Forcing cookies will help with the spider sessions as well.
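
Added example, not part of the original thread: a log check for the behaviour discussed above, where an `osCsid` carried in the URL keeps working when the link is opened elsewhere. It assumes Apache "combined" access logs and a store hostname of `shop.example`; the sample lines, IPs and session IDs are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format (all values are made up).
SAMPLE_LOG = '''\
203.0.113.10 - - [25/Apr/2003:10:00:01 +0000] "GET /catalog/account.php?osCsid=aaa111 HTTP/1.1" 200 5120 "https://shop.example/catalog/login.php?osCsid=aaa111" "Mozilla/4.0 (MSIE 6.0)"
198.51.100.7 - - [25/Apr/2003:10:05:42 +0000] "GET /catalog/account.php?osCsid=aaa111 HTTP/1.1" 200 5120 "-" "Opera/7.0"
203.0.113.55 - - [25/Apr/2003:10:06:00 +0000] "GET /catalog/index.php?osCsid=bbb222 HTTP/1.1" 200 900 "http://forum.example/thread/42" "Mozilla/5.0"
203.0.113.55 - - [25/Apr/2003:10:06:09 +0000] "GET /catalog/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d+ \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def audit(log_text, own_host="shop.example"):
    """Return (shared, leaked) sets of osCsid values.

    shared: IDs used by more than one (client IP, User-Agent) pair.
    leaked: IDs that arrived via a link on a third-party site (external Referer).
    """
    clients = defaultdict(set)  # session id -> {(ip, user agent)}
    leaked = set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        sid = parse_qs(urlsplit(m["url"]).query).get("osCsid", [None])[0]
        if sid is None:
            continue  # cookie-based request, no ID exposed in the URL
        clients[sid].add((m["ip"], m["ua"]))
        ref_host = urlsplit(m["ref"]).hostname  # None when Referer is "-"
        if ref_host and ref_host != own_host:
            leaked.add(sid)
    shared = {sid for sid, seen in clients.items() if len(seen) > 1}
    return shared, leaked

if __name__ == "__main__":
    shared, leaked = audit(SAMPLE_LOG)
    print("IDs used by several clients:", sorted(shared))
    print("IDs followed from other sites:", sorted(leaked))
```

One ID seen from several addresses can be legitimate (proxies, reconnects), so treat `shared` as a triage list rather than proof of misuse.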
This topic is now archived and is closed to further replies.