SSL Certificates
Discussion
SSL is a technology used to encrypt information as it goes over the web. As you don't have control of the data while in transit between your customers and your server it's prudent to encrypt any sensitive data.
An SSL Certificate is used to authenticate that you are who you say you are. The companies that used to issue them would carry out checks before giving them out. But now you can pick them up for a tenner and there is only some automated phone verification so they are pretty meaningless for much of their original purpose.
However they are what gives you the 'yellow padlock' on your site which is essential if you want people to use your site to purchase.
Note - An SSL certificate does not mean your site is secure and if you are actually taking credit card details then you'll need to be PCI compliant which is a lot more than just getting an SSL cert in place. Depending on the size of the project it might be worth outsourcing the transaction to Sagepay, Worldpay or another hosted payment processor.
Edited by rpguk on Sunday 7th February 14:06
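As an added illustration, not part of any post in this thread: the "you are who you say you are" check behind the padlock comes down to three things a browser verifies before it trusts a certificate, namely that it chains to an issuer the browser already trusts, that it names the site being visited, and that it is in date. The Go program below, written for this page using only the standard library, issues a site certificate from a throwaway CA and runs those same checks; the CA name and site name are constructed placeholders, not a real authority or site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const issuerName, siteName = "Example Test CA", "shop.example" // constructed, hypothetical names

// sign creates a certificate from tmpl for pub, signed by signer on behalf of parent (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildChain returns a throwaway CA (the "trusted root") and a site certificate it issued for siteName (valid 24h; the CA 48h).
func buildChain() (ca, site *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	siteKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: issuerName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	if ca, err = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	site, err = sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: siteName},
		DNSNames: []string{siteName}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, &siteKey.PublicKey, caKey)
	return ca, site, err
}

// verifyForHost runs the browser's padlock checks: chain ends at a trusted root, name matches the host, dates are current.
func verifyForHost(site, root *x509.Certificate, host string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := site.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: at})
	return err
}
```

A certificate bought from a public CA passes the same three checks in a visitor's browser; the checks say nothing about whether the site behind it is secure, which is the point the post above makes.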
SSL stands for secure socket layer, and has been superseded by TLS - transport layer security.
When you request a web page configured to use SSL, typically using https://www.domain.com instead of http://www.domain.com, the information is encrypted during its transfer over the internet. This mostly ensures that the data being sent/received is secure.
rpguk said:
Note - An SSL certificate does not mean your site is secure and if you are actually taking credit card details then you'll need to be PCI compliant which is a lot more than just getting an SSL cert in place. Depending on the size of the project it might be worth outsourcing the transaction to Sagepay, Worldpay or another hosted payment processor.
It means that the data sent to your server using the SSL certificate is secure, which means if you are passing off e-commerce requests to a PCI compliant payment gateway using SSL for their API (e.g. sagepay, worldpay) then you are PCI compliant, providing you don't store some of the card details and the e-commerce system and server are configured correctly. The strict PCI networking requirements only come into force when you are storing card details.
Also something to bear in mind is that there are quite a fair few different types of SSL Certs available.
Have a read around on http://globalsign.co.uk/
Regards
sonic_2k_uk said:
rpguk said:
Note - An SSL certificate does not mean your site is secure and if you are actually taking credit card details then you'll need to be PCI compliant which is a lot more than just getting an SSL cert in place. Depending on the size of the project it might be worth outsourcing the transaction to Sagepay, Worldpay or another hosted payment processor.
It means that the data sent to your server using the SSL certificate is secure, which means if you are passing off e-commerce requests to a PCI compliant payment gateway using SSL for their API (e.g. sagepay, worldpay) then you are PCI compliant, providing you don't store some of the card details and the e-commerce system and server are configured correctly. The strict PCI networking requirements only come into force when you are storing card details.
SagePay still require auditing for their 'direct' service for example even though it doesn't allow storing of details. A compromised server would still be dangerous in that it would allow details to be passed on to hackers even if there is no 'honey pot' of details in the first place.
Of course it's not the top level of PCI compliance required but it's still a headache compared to using a hosted page with no discernible benefits on a smaller project.
Edited by rpguk on Monday 8th February 10:39