When to use an SSL Certificate
A common question from merchants entering the world of online credit card processing is when an SSL certificate should be used on a website. SSL allows websites to encrypt sensitive data while it is in transit to and from a user’s web browser. This prevents hackers and other nefarious characters from stealing sensitive data sent during an online transaction.
Based on that basic description of what an SSL certificate does, it would seem to make sense for a merchant to simply encrypt their entire website. After all, if every page is encrypted, then it is safe to assume that every page that needs to be encrypted is. At a glance that would seem to be a logical solution.
But upon further scrutiny, important flaws can be found in this solution:
- SSL requires the server to do more work
- SSL is not search engine friendly
Every time an encrypted page is requested by a web browser, the server must first process the encryption portion of the request before sending the web page to the browser. This takes server resources, and it must be done every time an encrypted page is requested. If your site has simultaneous users, this will increase the burden on the server even more.
Naturally every ecommerce website would like to be in the search engines as they can provide a lot of free traffic for a website. However, search engines cannot read pages encrypted by SSL. This prevents them from finding and reading the pages in your website and thus they cannot add your pages to the index. If you are not in their index, you simply cannot be found by searchers.
So what is the proper way to use SSL to secure a transaction? As explained above, SSL is used to encrypt sensitive data. For an ecommerce website, this means encrypting the information your customer submits to you during their transaction. This includes their personal information (name, address, etc.) and credit card information. Some websites collect this information on one page; some collect it on multiple pages. However you choose to implement your checkout, every page that transmits your customer’s data needs to be encrypted. Your order confirmation page should be encrypted as well if you print out your customer’s personal information on it.
By only encrypting these few pages we avoid both pitfalls of using SSL. Since only a few pages are encrypted, and these are only used by the small percentage of your site’s visitors who check out, we relieve the server of the burden of encrypting the other pages. Plus we do not have to worry about the search engines, as they do not need to index your order form or order confirmation page (as it won’t even exist until after checkout anyway).
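The rule above, that every page transmitting customer data must be encrypted, can be checked mechanically. The following is an added example, not part of the original article: a small Python audit that finds forms with customer-data fields and flags any whose page or submit target is not served over SSL. The field-name hints and the shop.example pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed field-name hints for customer data; adjust to your own checkout forms.
SENSITIVE_HINTS = ("name", "address", "card", "cvv", "expir", "phone", "email")

class FormCollector(HTMLParser):
    """Collects each <form>'s action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "fields": [str]}
        self._current = None   # form currently being parsed, if any
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_page(page_url, html):
    """Return findings for forms that carry customer data over plain HTTP."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = [f for f in form["fields"] if any(h in f for h in SENSITIVE_HINTS)]
        if not sensitive:
            continue  # e.g. a site search box: no customer data involved
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        if urlparse(page_url).scheme != "https":
            findings.append((page_url, "form page served without SSL", sensitive))
        if urlparse(target).scheme != "https":
            findings.append((page_url, "form submits to " + target, sensitive))
    return findings

# Constructed sample pages for a hypothetical shop.example site.
PAGES = {
    "http://shop.example/products": '<form action="/search"><input name="q"></form>',
    "http://shop.example/checkout": '<form action="https://shop.example/pay"><input name="card_number"></form>',
    "https://shop.example/billing": '<form action="http://shop.example/save"><input name="address"></form>',
    "https://shop.example/pay": '<form action=""><input name="cvv"></form>',
}

def audit_site(pages=PAGES):
    """Audit every page and return all findings in page order."""
    return [f for url, html in pages.items() for f in audit_page(url, html)]
```

The checkout page is flagged even though its form posts to an encrypted URL, because a form delivered over plain HTTP can be altered in transit before the customer fills it in.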