Home – New Forums Selling online SSL Certificate

  • This topic is empty.
Viewing 12 posts - 1 through 12 (of 12 total)
  • Author
    Posts
  • #997793
    Leisa D
    Member
    • Total posts: 563
    Up
    0
    ::

    Is it necessary to purchase an SSL certificate if using Stripe as the payment gateway? (if SSL is not included in hosting, eg. in the case of Volusion and hosted WP it’s a separate cost)

    #1213996
    Peter – FS Administrator
    Member
    • Total posts: 1,889
    Up
    0
    ::

    Hi Leisa, I think you do from my understanding but hopefully one of our resident ecommerce/web crew will have a definitive answer for you.

    #1213997
    John Debrincat
    Member
    • Total posts: 963
    Up
    0
    ::
    Leisa D, post: 256174, member: 1348 wrote:
    Is it necessary to purchase an SSL certificate if using Stripe as the payment gateway? (if SSL is not included in hosting, eg. in the case of Volusion and hosted WP it’s a separate cost)
    Hi Leisa my recommendation is to always have an SSL certificate regardless of the payment provider. It is not just payment information that needs to be protected.

    Recently there has been a move to ensure every page on a website is protected by SSL. This change has been supported by Google and will possibly provide your website with improved Google search results.

    Google also announced earlier this year that in July Google will begin to show any website without HTTPS (i.e. SSL cert) as “Not Secure” in Chrome.

    John

    #1213998
    starboy
    Member
    • Total posts: 15
    Up
    0
    ::

    Yeah, Google will heavily punish sites without an SSL certificate, and like John said, Chrome users will be immediately notified if they are using a site without one. An SSL doesn’t just protect payment data, but things like registration data, login data, etc. This will explain things more. Definitely worth picking up one if it’s not in your package from the site provider.

    #1213999
    elissa.doxey
    Member
    • Total posts: 145
    Up
    0
    ::

    There’s a free SSL certificate that I used for one site a couple of years ago – Let’s Encrypt – which I think was okay, but you had to update it every 90 days or so. Might be an option if finances are tight?

    #1214000
    MikeDav
    Member
    • Total posts: 163
    Up
    0
    ::

    Hi Leisa,
    The benefits of an SSL far outweigh the cost. As mentioned by Elissa you can get free ones (which are a bit higher maintenance) or ones costing as little as $10 per year. Personally, I would suggest getting a known brand (for slightly more money) that also helps you increase the trust value of your site.

    #1214001
    winchweb
    Participant
    • Total posts: 37
    Up
    0
    ::

    You don’t need your own SSL for Stripe – that’s kind of the point of the service (same as Paypal), ie. they take care of the whole security thing. Your website asks the payment service (Stripe/Paypal) to get an amount of money, and all that comes back is a “Got it” or “Didn’t get it” message for the website to handle as appropriate.
    However, as mentioned a couple of times, it is very highly recommended that you get an SSL certificate for your website and that the site is set to use it automatically (ie. redirect people visiting the non-secure http://yoursite.com.au over to the secure https://yoursite.com.au, where the wee “s” at the end of http is for “secure”).
    The free SSL providers do need renewing every 90 days – but renew automatically. No extra maintenance at all, and you get the green padlock to indicate it is a secure/confidential connection between visitor & website.
    In due course, the likes of Google (with their Chrome browser) will be showing a red warning sign up in the address bar and maybe even a big warning message in the middle of the screen if your website asks for any data (eg. email address for newsletter signup). Won’t give visitors a warm-and-fuzzy confidence in your business…!
    So now is the time to make sure your website has SSL, regardless.

    #1214002
    John Debrincat
    Member
    • Total posts: 963
    Up
    0
    ::
    winchweb, post: 257000, member: 57755 wrote:
    You don’t need your own SSL for Stripe – that’s kind of the point of the service (same as Paypal), ie. they take care of the whole security thing. Your website asks the payment service (Stripe/Paypal) to get an amount of money, and all that comes back is a “Got it” or “Didn’t get it” message for the website to handle as appropriate.

    Lots of people confuse the need to encrypt data (use an SSL) and payment card industry data security standard requirements (PCI DSS). There is a need to ensure card data when transmitted over the web is encrypted. When you use a payment method with a hosted payment page they (the payment provider) generally also provide the encryption for that page. Systems like Stripe and PayPal are basically hosted payment pages meaning that the card data is entered on their website and not yours.

    BUT there is a lot of other sensitive data that needs protection such as the customers personal information. If your business turns over $3 million or more then you now need to have a method in place to protect data and there is a mandatory notifiable data breach scheme. This does not mean that you won’t be liable for data losses if your business turns over less. So clearly you always need to encrypt data that is transmitted over the web it is just good practice. Use of Stripe or PayPal will not mitigate this as both of those systems can pass back sensitive data and in PayPal’s case if using Express Checkout will pass back personal customer data to your website.

    Personally I do not recommend free certificates as they are harder to manage. I would always recommend a known certificate provider and get a certificate that will last 2 or 3 years.

    John

    #1214003
    winchweb
    Participant
    • Total posts: 37
    Up
    0
    ::
    John Debrincat, post: 257011, member: 2969 wrote:
    Lots of people confuse the need to encrypt data (use an SSL) and payment card industry data security standard requirements (PCI DSS). There is a need to ensure card data when transmitted over the web is encrypted. When you use a payment method with a hosted payment page they (the payment provider) generally also provide the encryption for that page. Systems like Stripe and PayPal are basically hosted payment pages meaning that the card data is entered on their website and not yours.

    BUT there is a lot of other sensitive data that needs protection such as the customers personal information. If your business turns over $3 million or more then you now need to have a method in place to protect data and there is a mandatory notifiable data breach scheme. This does not mean that you won’t be liable for data losses if your business turns over less. So clearly you always need to encrypt data that is transmitted over the web it is just good practice. Use of Stripe or PayPal will not mitigate this as both of those systems can pass back sensitive data and in PayPal’s case if using Express Checkout will pass back personal customer data to your website.

    Personally I do not recommend free certificates as they are harder to manage. I would always recommend a known certificate provider and get a certificate that will last 2 or 3 years.

    John

    Hi John – can you expand a bit on how free certificates are harder to manage? The AutoSSL service by CPanel doesn’t require any intervention at all once setup. Is there some other issue/area to be aware of?

    #1214004
    John Debrincat
    Member
    • Total posts: 963
    Up
    0
    ::
    winchweb, post: 257012, member: 57755 wrote:
    Hi John – can you expand a bit on how free certificates are harder to manage? The AutoSSL service by CPanel doesn’t require any intervention at all once setup. Is there some other issue/area to be aware of?
    Hello Tony if you do some simple Google searches you will see that lots of people have issues with AutoSSL in CPanel.

    But more importantly not everyone uses CPanel hosting.

    Regards

    John

    #1214005
    winchweb
    Participant
    • Total posts: 37
    Up
    0
    ::

    Fair point. All my clients are on CPanel, and it works a treat. From what I can see, the only problems are from people using outdated webhosting or webhosters that want to make more money. The general advice seems to be go with a free SSL service unless there’s a specific requirement for a high-grade SSL (eg. independent verification that an organisation owns a website etc). Ecommerce sites may fall into the latter category of course.

    #1214006
    Steve the Bartender
    Member
    • Total posts: 48
    Up
    0
    ::

    I use Let’s Encrypt for all my websites too, [USER=1348]@Leisa D[/USER]. My WordPress websites are hosted using Siteground. Their shared hosting has been really good, especially when I was first getting started. We’ve since upgraded to Cloud Hosting due to a much higher volume of traffic.

    We use Stripe too and have always had a SSL certificate. Firstly instance was a paid cert with a WordPress website, then we moved to Shopify with a free certificate and now have a handful of free Let’s Encrypt certificates with our Siteground hosting. It’s relatively easy to set up if you are tech savvy.

    I’m not too sure about implementing it with Volusion though, couldn’t come up with anything after a quick search…

    Hosted WordPress websites come with SSL through Let’s Encrypt too, read here.

    Another good option is Shopify which also issues free sitewide SSL certificates…

    Good luck!

Viewing 12 posts - 1 through 12 (of 12 total)
  • You must be logged in to reply to this topic.