Ecommerce, SSL and SSL Certificates
I've put this blog off - it can be confusing stuff. But frankly, given the number of merchants involved in online sales or ecommerce - now's the time. You need an SSL certificate if you sell online, supply a site log in, process sensitive data or simply want to instill trust.
SSL was introduced in 1994 - and stands for Secure Socket Layer. SSL is the standard for ecommerce transaction security enabling encryption of all of your customers sensitive data, including credit card and other uniquely identifying information. Todays recommended minimum encryption standard is 128 bit and in order to provide this you'll need a SSL certificate with SGC (server grade cryptography) capability.
SSL Certificates. This digital certificate sits on your secure web server and is used to to perform the actual encryption. Each certificate has what is called a private and public key. The private key encrypts data, the public key deciphers it. When a customers web browser points to a certified domain - the SSL technology authenticates both the domain and the browser. A unique session "key" is established as is an encryption method and a secure transaction can be made.
There are different types of SSL Certificates such as -
- organizational validated (ov)
- domain validated (dv)
- most recent - extended validated (ev)
SSL Certificates trigger the browser to display a closed padlock and the https prefix in the browser window. With an EV certificate, besides a more vigorous application process, the browser bar is color coded green to indicate the top validation in SSL and turns red when an unsecure or untrustworthy site is encountered.
Where do you get an SSL certificate? XBS recommends SSL certificates issued by CA's or certificate authorities. These businesses verify your domain name, your business and your authority to apply for such a certificate amongst other things based on the type of certificate applied for.
Your e-commerce payment gateway can make life a little simpler by providing you, the online merchant, with a customizable payments page hosted on their site. This is the least expensive method, as it uses the gateways SSL certificate (shared) instead of your own. In addition, the gateway's server stores the sensitive data on it's own PCI DSS compliant server leaving the merchant risk free (regarding data storage). There's a few cons though, the biggest one being your customer leaves your site at the time of payment, as well as a loss of control in the order process. This might be a great, cost effective approach for a new online merchant.
If you have a busy site though - you'll probably want your own payments page with your own SSL Certificate. Pricing is all over the place, and providers offer a variety of types of certificates - so due diligence as usual. Your web developer or merchant account provider (XBS) can easily assist you in your purchase. Certificates must be renewed. Some gateways such as authorize.net provide certificates at deeply discounted prices through partnerships with providers.
SSL technology is not an option for ecommerce merchants, it's a must have. This article only touches on the basics of secure socket layer technology. Statistics show that our customers are becoming internet savvy and will increasingly refuse to do business with ecommerce merchants who don't display SSL basics and signage.
So be secure and prosper.