Author: Jim Conners (Google+)
When accepting payments online you will be asking your customers to transmit very sensitive information across the Web. By its nature the Internet is not secure. Anything transmitted is sent as plain text and can be read by anyone who intercepts the message at any point during the transmission. Although most users do not understand the technical aspects of how the Internet works, they do know that their information needs to be protected at all times. Additionally, most merchant account providers will not establish a merchant account for an ecommerce website unless it secures the order form and any other page that captures sensitive customer information.
So how do we ensure that we protect our customers' information and satisfy the merchant account provider? We need to install an SSL Certificate on our website. SSL stands for Secure Sockets Layer, which is a protocol for transmitting private documents via the Internet. SSL works by encrypting data that is transferred over the SSL connection. You can recognize a secure page using SSL by the lock icon that appears in the browser. Newer browsers also turn the address bar a different color to make it obvious that the page is secure.
Once you install an SSL certificate on your website you can make your pages secure by calling them with the https:// protocol. This is slightly different than using the normal http:// protocol used for common web pages.
A common question from merchants entering the world of online credit card processing is when should an SSL certificate be used on a website. SSL allows websites to encrypt sensitive data when in transit to and from a user’s web browser. This prevents hackers and other nefarious characters from stealing sensitive data being sent during an online transaction.
Based on that basic description of what an SSL certificate does it would seem to make sense that a merchant should simply make their entire website encrypted. That way they can be sure every page that needs to be encrypted is. At a glance that would seem to be a logical solution. After all, if every page is encrypted then it is safe to assume that every page that needs to be encrypted is.
But upon further scrutiny important flaws can be found in this solution:
Every time an encrypted page is requested by a web browser the server must first process the encryption portion of the request before sending the web page to the browser. This consumes server resources, and the encryption must be done every time an encrypted page is requested. If your site has many simultaneous users this increases the burden on the server even more.
Naturally every ecommerce website would like to be in the search engines as they can provide a lot of free traffic for a website. However, search engines cannot read pages encrypted by SSL. This prevents them from finding and reading the pages in your website and thus they cannot add your pages to the index. If you are not in their index, you simply cannot be found by searchers.
So what is the proper way to use SSL to secure a transaction? As explained above, SSL is used to encrypt sensitive data. For an ecommerce website, this means encrypting the information your customer submits to you during their transaction. This includes their personal information (name, address, etc.) and credit card information. Some websites collect this information on one page; some collect it on multiple pages. However you choose to implement your checkout, every page that transmits your customer's data needs to be encrypted. Your order confirmation page should be encrypted as well if you print your customer's personal information on it.
By only encrypting these few pages we avoid both pitfalls of using SSL. Since only a few pages are encrypted, and these are only used by the small percentage of your site's visitors that check out, we relieve the server of the burden of encrypting the other pages. Plus we do not have to worry about the search engines, as they do not need to index your order form or order confirmation page (which won't even exist until after checkout anyway).
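The policy above (checkout and order confirmation pages only over https, everything else left on plain http) expressed as a routing rule plus a log audit that flags sensitive pages that were served in the clear. This is an added example, not code from the original article; the store host name, the path prefixes and the log lines are constructed, and the log format is assumed to append the server port to each entry.

```python
import re
from urllib.parse import urlsplit

# Pages that carry customer data and must only be served over https
# (constructed paths for this example).
SENSITIVE_PREFIXES = ("/checkout", "/order-confirmation")

def must_be_https(path):
    """True for any page that collects or displays customer data."""
    path = urlsplit(path).path.lower().rstrip("/")
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)

def route_request(path, https):
    """Return (status, redirect_target). A sensitive page requested over
    plain http is redirected to its https URL; every other page is served
    on whatever scheme it arrived on, so catalog pages stay cheap to serve
    and visible to search engines."""
    if must_be_https(path) and not https:
        return 301, "https://shop.example" + path  # hypothetical store host
    return 200, None

# Combined log format with the server port appended (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) \S+ (?P<port>\d+)$'
)

def plain_http_sensitive_hits(log_lines):
    """Audit: list (client, path) for sensitive pages hit on port 80."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["port"] == "80" and must_be_https(m["path"]):
            hits.append((m["ip"], m["path"]))
    return hits

# Constructed sample log: one catalog hit, one checkout POST over plain
# http (the problem), one confirmation page correctly served on 443.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2008:12:01:02 +0000] "GET /products/widget HTTP/1.1" 200 5120 80',
    '203.0.113.5 - - [10/Mar/2008:12:01:40 +0000] "POST /checkout/payment HTTP/1.1" 200 812 80',
    '198.51.100.9 - - [10/Mar/2008:12:02:10 +0000] "GET /order-confirmation?id=42 HTTP/1.1" 200 2210 443',
]

if __name__ == "__main__":
    for hit in plain_http_sensitive_hits(SAMPLE_LOG):
        print("served in the clear:", hit)
```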
Having your own SSL certificate on your website does come with special requirements for your web hosting. To host an SSL certificate on your website you must have a dedicated IP address. This means that your host must support dedicated IP addresses. It also means if your website is live and you wish to add an SSL certificate to your website that your site will almost certainly be moved from a shared IP address to a dedicated IP address. This usually means there will be a minor disruption in service for your website (or a big one if your host botches the move).
A common practice for ecommerce stores is to use the SSL certificate offered by their web host, or to reuse one from another ecommerce store they own or operate. Although this can technically be effective under certain circumstances, it is not a good idea. The reasons are:
Because an SSL certificate is attached to a single domain, if you share an SSL certificate with another website you must host the secure pages on the website the SSL certificate has been assigned to. This means the URL of the secure pages will not contain your domain name but the domain name of the site with the SSL certificate. Some customers may see this as a sign that your store is either unsafe or unprofessional.
If a savvy customer decides to inspect the SSL certificate of the website they are viewing, they can see that the certificate does not match the website it claims to be from. Even if you make your remotely hosted secure pages match the look and feel of your website, this information will contradict what their screen says. This may cause them to abandon the sale, as they may see it as unsafe or unprofessional.
Because the site hosting the secure pages is not your own website, you lose some control over the technology available to you. Some things such as sessions and cookies will not carry over to the other website and, if the secure pages are hosted on an entirely separate server, the odds are you won't have access to your database either. This will limit your ability to develop a professional and seamless checkout experience.
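The check a savvy customer performs, written out: read the DNS names a certificate was issued for and compare them with the host name in the address bar. Run against a certificate belonging to the hosting provider's domain, it shows exactly the mismatch the section warns about. This is an added example, not code from the original article; the domain names and the certificate dictionary are constructed (in the shape Python's ssl.SSLSocket.getpeercert() returns), and fetch_peer_cert is only there for a live lookup.

```python
import socket
import ssl

def cert_dns_names(cert):
    """Return the host names a certificate is valid for, lower-cased.
    Subject Alternative Names win; the subject commonName is only a
    fallback for old certificates without a SAN extension."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    return [n.lower() for n in names]

def name_matches(pattern, hostname):
    """Match one certificate name against a host name. A wildcard is only
    honoured as the whole leftmost label and never spans a dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".store.example"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return False

def cert_issued_for(cert, hostname):
    """True if the certificate covers the host name the user typed."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))

def fetch_peer_cert(hostname, port=443, timeout=5):
    """Live lookup: validate the chain against the system CA store but
    leave the host-name comparison to cert_issued_for()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # CERT_REQUIRED is still in effect
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed certificate: issued to the web host's shared secure domain,
# not to the store whose checkout it is being used for.
HOST_CERT = {
    "subject": ((("commonName", "secure.hosting-provider.example"),),),
    "subjectAltName": (("DNS", "secure.hosting-provider.example"),),
}

if __name__ == "__main__":
    for host in ("secure.hosting-provider.example", "www.mystore.example"):
        print(host, "->", "matches" if cert_issued_for(HOST_CERT, host) else "MISMATCH")
```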
There are different levels of certification available for SSL certificates.
Lower end SSL certificates only verify the domain name on which the certificate will be used. This is satisfactory for most web browsers: they will display the lock icon (or, in the case of modern browsers, change the color of the location bar) and show the user that their sensitive information will be securely transferred back and forth from the web server. These SSL certificates are the least expensive and can be obtained in less than an hour.
The next highest level of SSL certificate takes verification a step further. It verifies that the company applying for the certificate exists and is indeed the company securing the website. Usually this requires the certificate authority providing the SSL certificate to contact the company in some fashion to verify their information. These certificates are not clearly different to most Internet users, as most browsers do not clearly differentiate them from domain-only SSL certificates.
High assurance SSL certificates take verification to a whole new level. An extensive background check is performed for each applicant for one of these certificates. Factors that are considered include:
These certificates are expensive and only corporations are currently allowed to apply for one. The only browser that recognizes high assurance SSL certificates is Internet Explorer 7 which will turn a user's address bar green if one is detected.
To learn more about high assurance SSL Certificates read our blog posts High Assurance SSL Certificates Make Their Debut and Microsoft Squeezing the Small Ecommerce Shop?.
There are several SSL certificate providers available. Below is a list of the more popular providers:
When to use an SSL Certificate