SSL (Secure Sockets Layer) is a communication method that encrypts sensitive information to safeguard it as it travels through the Internet cloud. For e-commerce sites that deal with sensitive information such as credit card numbers or social security numbers, SSL is a requirement to protect your customers from identity theft. SSL is also one piece of the puzzle that helps protect you, the merchant, from liability. SSL encryption provides comfort to your customers by ensuring that they are buying from you privately, and also by proving that you are who you say you are.
When SSL is Required
Anytime your Shopp site is set up to accept sensitive payment card information on your web site directly (onsite checkout), your site requires SSL. This means your website is responsible for taking customer credit, debit or pre-paid card information and sending it securely to a payment processor service provider. Since your site is taking and handling the information, the owner and operator of the website is responsible for making sure the information is protected. SSL is the industry standard technology to protect this information.
Getting SSL set up for your website has a few requirements:
- Dedicated SSL service over HTTPS
- Unique IP address
- Dedicated SSL Certificate
Check with your web hosting provider or server administrator to make sure your hosting service supports dedicated SSL service. Most do, but it’s worth checking out before you get too far into things. You may need to contact your web hosting provider’s technical support to find out. While you’re at it, you might ask if they will set up the SSL service, the unique IP address and the SSL Certificate for you.
If your host does support SSL, you may need to double-check that the hosting service account you are subscribing to actually includes SSL service. If you do not have SSL service through your web hosting provider, you have 3 options:
- Ask your hosting provider’s technical support team to give you dedicated SSL support (it never hurts to ask.)
- Upgrade your hosting service to a package that includes dedicated SSL service.
- Go shopping for a new hosting provider that has dedicated SSL support included in their service offerings.
If your hosting package supports and includes SSL service, you can move on to the next steps: getting a unique IP address and a signed SSL certificate.
Unique IP Address
A unique IP address must be used for your dedicated SSL certificate (See the SSL Certificate section below.) You’ll need to get the unique IP address set up before you can get your SSL certificate. Many web hosting providers, including some that offer SSL service, place all websites on a single, shared IP address. Contact your hosting provider’s technical support to determine if they can provide a unique IP address for your site.
Requesting a unique IP address for SSL means that you will most likely have extra charges added to your web hosting plan. The world is running out of IP addresses, so it’s beginning to cost a premium to have a unique address for your website. Some hosts may already be at their limit of provisioned addresses. If that’s the case, then a new hosting provider with IP space for your e-commerce site may be required.
Once you’ve got SSL support enabled and a unique IP address set up for your website, you’re ready to buy an SSL Certificate.
SSL Certificate
The SSL Certificate has a twofold purpose. First, it is key in securing communications between your website and your customer’s computer. Its second purpose is to verify the identity of the website owner (you or your business).
Like a traveler’s passport, an SSL Certificate is signed by a trusted third party to authenticate its contents. It will be necessary to buy an SSL certificate from an SSL certificate vendor. SSL certificates are actually leased for a limited time period and must be renewed regularly for continued use. Most certificates can be bought for anywhere between 1-5 years. There are a number of SSL certificate vendors to choose from and all offer essentially similar service. Here are a few you might look into:
- Shopp (Trustwave) Certificates
- Network Solutions
Unsupported SSL Services
Proxy SSL service is NOT suitable for e-commerce because it introduces a potentially insecure link into the communication chain.
Proxy SSL Services
Some hosting providers can provide a Dedicated SSL Certificate for your site, but do not offer a unique IP address. They generally do so by using what is known as a proxy SSL service.
Proxy SSL services create security problems for e-commerce websites. Proxy SSL may be using an unsecured connection between your hosting provider’s SSL server and your site. This is a problem because the connection is not secured from end to end. Also, proxy SSL is not supported by most e-commerce software (including Shopp).
For these reasons, it is not recommended to use a hosting service that uses proxy SSL. Shopp may malfunction if installed on a site that uses proxy SSL.
Shared SSL Service
Shared SSL Service is incompatible with e-commerce
Some hosting providers use what is called shared SSL service. Shared SSL Service uses your hosting provider’s SSL Certificate for not only your site, but all the sites hosted by your provider. For e-commerce, this is bad for a number of reasons.
First, and most seriously, any other site that uses the same shared SSL service can potentially eavesdrop on your customer’s transaction. This is obviously a severe security risk.
Secondly, your customers are more likely to abandon shopping on your site, because they will only be able to see that they are talking securely to your hosting provider, and not to you.
Lastly, because Shared SSL hosting usually changes your site address to accomplish a secure connection, most e-commerce software will be incompatible, including Shopp.
While it is true that getting a hosting solution that provides full private and dedicated SSL for your site will be more expensive than using proxy SSL or shared SSL, savings in this area may actually create functional problems, as well as increase your liability. Properly securing your site with a dedicated SSL certificate on a dedicated IP address will ensure a well-functioning e-commerce site, reduce your liability, and may actually increase sales.
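To confirm that a checkout page is served with a dedicated certificate rather than a hosting provider's shared one, and that the leased certificate is not close to expiry, you can inspect the certificate the checkout host presents. The following Python is an added example, not part of the Shopp documentation; the host names (`shop.example`, `sharedhost.example`), the function names and the sample certificates are constructed for illustration.

```python
import socket
import ssl
import time

# Constructed sample certificates, in the shape ssl.SSLSocket.getpeercert() returns.
DEDICATED = {"subject": ((("commonName", "shop.example"),),),
             "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
             "notAfter": "Jan  1 00:00:00 2031 GMT"}
SHARED = {"subject": ((("commonName", "*.sharedhost.example"),),),
          "subjectAltName": (("DNS", "*.sharedhost.example"),),
          "notAfter": "Jan 11 00:00:00 2030 GMT"}

def fetch_cert(checkout_host, port=443, timeout=5.0):
    """Return the validated certificate served by the host in your checkout URL."""
    ctx = ssl.create_default_context()
    with socket.create_connection((checkout_host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=checkout_host) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names the certificate covers: subjectAltName entries, else the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def name_matches(pattern, host):
    """Exact match, or a left-most '*' label standing in for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def assess(cert, shop_host, now=None, renew_days=30):
    """Report whether cert names the shop's own domain and how long it has left."""
    now = time.time() if now is None else now
    names = cert_names(cert)
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {
        "covers_shop_host": any(name_matches(n, shop_host) for n in names),
        "names": names,
        "days_left": days_left,
        "renew_now": days_left <= renew_days,
    }
```

Against a live site, pass the host name that appears in your checkout URL to `fetch_cert()` and your shop's own domain to `assess()`; a result with `covers_shop_host` set to `False` means customers are shown the provider's identity instead of yours.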