
Ask an Expert: ‘Is An SSL Certificate Necessary If I Use a Hosted Payment Solution?’

“Ask an Expert” is an occasional feature where we ask ecommerce experts questions from online merchants. For this installment, we address a question about the necessity of an SSL certificate when the merchant uses a hosted payment service. The question comes from Mamie Newsom. She’s the owner of SAN’s Essential Baskets, a seller of customized gift baskets.

For the answer, we turn to Massimo Arrigoni. He’s the co-founder of EarlyImpact, which makes ProductCart, a pioneering licensed shopping cart software platform, and SubscriptionBridge, a hosted subscription-management and recurring-billing solution.

To submit a question, email David Maier, staff writer, at david@practicalecommerce.com and we’ll attempt to address it.

Home page, SAN's Essential Gift Baskets.

Mamie Newsome: “Can you tell me about SSL certificates? My ecommerce website, SAN’s Essential Baskets, sells customized gift baskets. When customers purchase a basket, they are routed to PayPal’s site to collect the payment information. I don’t see that information, including the customer’s name.

“I do not have an SSL certificate because they are so expensive. However, I also believe that, because I do not have a symbol of secure processing, my sales suffer as a result. What can you suggest as a remedy outside of spending hundreds of dollars for a certification? Thank you; any help you can provide would be appreciated.”

Massimo Arrigoni

Massimo Arrigoni: “Whenever sensitive information is exchanged between a client (web browser) and a server, a secure connection should be used. This is not limited to payment information. A password, for example, is certainly a piece of sensitive information. That means that any form where a customer is asked to register or log in should post that information to the server via the encrypted HTTPS protocol.

“For example, go to the Twitter home page at http://twitter.com/ and log off (in case you are already logged in). The page is not a secure page, but if you look at the source code, you will see that the two forms that exist on the page both post information to secure pages located at https://twitter.com/.

“The same applies to your website or web store if you are asking customers to register or log in, regardless of which payment system is used for payment processing. The only exception to this is if your store is not asking customers to register or log in at all, which may be the case if the only payment system active on the store is an alternative checkout process such as PayPal Express Checkout, Google Checkout, or Checkout by Amazon.

“Prices for SSL certificates have come down dramatically over the last several years. Your web hosting company can very likely provide and install an SSL certificate for you for under $100 per year, or you could purchase a certificate from a company like Comodo for under $70 per year.”
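As an added example (not code from the article, EarlyImpact or ProductCart), the following Python script performs the check Massimo describes against your own store: it parses the forms on a page and lists any whose action URL would submit over plain HTTP rather than HTTPS. The page URL and HTML are constructed sample input.

```python
"""Flag HTML forms whose submit target is not HTTPS.

Added example, not code from the original article. A page may be served over
plain HTTP, but any form that collects a password or payment details must
post to an https:// URL. The sample page below is constructed for this demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormTargetParser(HTMLParser):
    """Collect (action, method) for every <form>, resolved against page_url."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)
        # A missing or empty action means the form posts back to the page itself,
        # so it inherits the page's own (possibly insecure) scheme.
        action = urljoin(self.page_url, a.get("action") or "")
        self.forms.append((action, (a.get("method") or "get").lower()))


def insecure_forms(page_url, html):
    """Return the resolved action URLs of forms that would submit over plain HTTP."""
    parser = FormTargetParser(page_url)
    parser.feed(html)
    return [action for action, _ in parser.forms
            if urlsplit(action).scheme != "https"]


# Constructed sample: a plain-HTTP store page with a login form, a registration
# form and a hosted-payment form. Only the registration form is a problem.
SAMPLE_URL = "http://shop.example/"
SAMPLE_HTML = """
<form action="https://shop.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/register" method="post">
  <input name="email"><input type="password" name="pass">
</form>
<form action="https://www.paypal.com/" method="post">
  <input type="hidden" name="cmd" value="constructed-sample">
</form>
"""

if __name__ == "__main__":
    for url in insecure_forms(SAMPLE_URL, SAMPLE_HTML):
        print("form submits over plain HTTP:", url)
```

Only the form target is checked here; because a page served over HTTP can itself be altered in transit, serving the login and checkout pages over HTTPS as well is the stronger posture.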

PEC Staff