When your Web Developer tells you that you need an SSL certificate to make your eCommerce website fully operational, your eyes will probably glaze over, and you'll wonder when the spending money bit stops and the making money begins.
The SSL Certificate is the final piece in the eCommerce jigsaw.
Without it, you can't trade. Using SSL is not compulsory, but if you choose not to use it, the consequences are similar to driving a car without insurance.
You may well lose data through theft, and customers' credit card details will be stored in plain text format for all the world to see. Without securing the data transferred, it becomes visible to anyone with knowledge of how to view it.
Simple packet capturing is the most prevalent exploit and guides showing people how to do it are all over the internet.
In that respect, you may argue that ANY data transferred via an input form (such as a contact form) should be encrypted. Google has stated for years that making your entire site run using SSL is an option, but the reality is that using it for a whole site consumes more server resources and makes your site run slower as a result.
This is why SSL is primarily used only in the places where it needs to be used – the secure transfer of sensitive data.
In addition to the possibility of losing sensitive data to hackers, you'll also fall foul of the Payment Card Industry Data Security Standard (PCI DSS) which is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
If you have an internet merchant account for doing business on the internet and don't take steps to make sure your transactions are secure, then you'll be liable to a hefty fine and possibly lose your merchant status.
It is up to you to make sure that you comply with PCI DSS and your suppliers will take a dim view if they discover you are not compliant. So not only could you lose your merchant account but also your payment gateway services into the bargain.
Run a mile from any web developer that suggests you don't need the expense of an SSL certificate.
So now that you know why you need it, what is it, and how does it work?
There are three types of SSL Certificate:
Extended Validation, Organisation Validation and Domain Validation. Of these three, for eCommerce purposes it is a Domain Validation certificate that you need to have. This verifies that you are the owner of the domain.
See this article for an in-depth look at the different types of SSL certificate.
The certificate issuing authority issues the SSL certificate, which is a small data file. It digitally binds a cryptographic key to the server details. When this file is present, it activates the https protocol when called for, and this is when you see the padlock appear in your browser toolbar letting you know that the data being transmitted is now secure.
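The two checks a browser makes before it shows that padlock are that the certificate's names cover the domain being visited and that the certificate is in date. The following is an added example, not code from the article; it uses only Python's standard library, the certificate dict is constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and `shop.example` is a placeholder domain.

```python
"""Padlock checks: does the certificate cover this domain (name binding),
and is it currently valid? Sample certificate is constructed, not real."""
import socket
import ssl
import time


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact name, or a leading wildcard that covers
    exactly one label ("*.shop.example" matches "www.shop.example" but
    not "shop.example" and not "a.b.shop.example")."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".shop.example"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_valid_for(cert: dict, hostname: str, now: float) -> tuple:
    """Return (ok, reason). Only DNS entries in subjectAltName count;
    modern browsers ignore the subject commonName. `now` is epoch seconds."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(n, hostname) for n in names):
        return False, f"{hostname} not covered by subjectAltName {names}"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, f"outside validity {cert['notBefore']} .. {cert['notAfter']}"
    return True, "certificate covers this domain and is in date"


# Constructed sample in getpeercert() shape; shop.example is a placeholder.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


def live_check(hostname: str, port: int = 443) -> tuple:
    """Same checks against a real server. create_default_context() also
    verifies the chain up to a trusted root and the hostname for us, so a
    bad certificate raises ssl.SSLCertVerificationError before we get here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return cert_valid_for(tls.getpeercert(), hostname, time.time())
```

`live_check` needs network access; the other functions run entirely offline on the constructed sample.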
Hosted Payment Gateways
The most common way of eliminating all of the hassles that go with buying and installing an SSL certificate is to transfer the buyer from your site to a payment gateway at the point of purchase.
In this way, no transactions are recorded on your server, and everything is handled remotely.
Services like PayPal, Sage pay and Cardstream all offer this service so that all of the secure data processing is handled on their site and you get a record (usually by email) of the transaction that took place minus all the encrypted data information.
Hosted payment gateways are a quick and easy solution for anyone wanting to set up an eCommerce store, but they do have a significant drawback in that you can't customise the checkout experience.
The form you send people to process their payment will be a generic form, and the most you'll usually be able to do is to alter some CSS in the header and footer to match the colour of your site and upload a company logo.
If making the shopping experience as seamless as possible is essential to you then a hosted payment gateway is not the option, and you'll need to go down the road of an eCommerce solution with an SSL certificate on your server.
Incidentally, eCommerce website builders like Shopify or EKM use a “shared SSL certificate” on their mainstream plans, which acts like a hosted payment gateway page. You can upgrade this to a premium plan to customise the checkout process if it is an important consideration.
SSL certificates tell the customer that you are encrypting their data, and it is secure. Many people refuse to enter their credit card details unless they see the secure padlock appear. Quite rightly too.
If you are capturing any credit card information, then you'll need an SSL so that you don't fall foul of PCI DSS compliance laws.
Payment providers will not work with you if you don't provide them with transaction data that is encrypted with SSL.
You can use a Hosted Payment solution where the payment processing takes place on your merchant provider's server and then returns the customer to your site after they have completed the purchase. In this case, you won't need an SSL.
Now that you know how, why, and whether you need an SSL, next up I'll tell you how to work out what eCommerce transaction fees you will need to pay.