Magento Forum

Do I need SSL/HTTPS for my shop? Questions about payments and SSL. 
 
Esme
Jr. Member
 
Total Posts:  6
Joined:  2008-06-22
 

Hello,

I would like some advice about safe payment systems from other shop owners so that I can be more confident - I would not want to unleash a shop that is unsafe to use…

If I were to just take payments through Paypal (standard) would I need SSL?
If I were to take payments using Paypal Pro would I need SSL?

I’ve been playing around with Google Checkouts but as I do not have shared SSL on the hosting package, I have not been able to enter in the API callback URL, which I am assuming causes the problem of when I click to Check out with Google, it returns page not found even in Sandbox mode… Although I am not entirely sure. I would like to offer customers the option of paypal and google checkout.

Any advice would be much appreciated!

 
Magento Community Magento Community
Magento Community
Magento Community
 
WildRoses
Jr. Member
 
Total Posts:  2
Joined:  2007-11-15
 

I am also interested in knowing whether there’s a need for SSL for PayPal payments. Can anyone help?

Thanks.

 
 
nikefido
Guru
 
Total Posts:  481
Joined:  2008-07-11
New Haven, CT
 

You will only NOT need an SSL if your users are entering their personal information on someone else’s web page.

For instance, some payment gateways allow you to send some basic info that doesn’t need to be secure (such as the order total) and then sends this info off-site to a secure location which the payment gateway hosts - the user will then complete the transaction at that web page rather than your own.

If you don’t mind losing the branding of your site (aka, having users leave your site to pay for their order) you can find a solution like this. (I don’t know off the top of my head if google / paypal work in this fashion).

General “rule” to go by with SSL’s is “Where are my customers entering their information” - if it’s on any web page of your server, then you need an SSL.
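Added example, not part of any forum post: one way to apply the "where are my customers entering their information" rule to a storefront page, by listing the forms a customer types into and checking that both the page and the submit target use HTTPS. The hostnames, field names, sample HTML and the `SENSITIVE` list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Name fragments treated as customer-entered data (assumed list, adjust per shop).
SENSITIVE = ("name", "address", "email", "phone", "card", "cvv", "password")

class FormCollector(HTMLParser):
    """Records each <form>'s action and the names of its visible fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "select", "textarea") and self._cur is not None:
            # Hidden inputs (an order total handed to a gateway) are not typed in.
            if (a.get("type") or "").lower() != "hidden":
                self._cur["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_forms(page_url, html):
    """Return one finding per form in which the customer types sensitive data."""
    parser = FormCollector()
    parser.feed(html)
    page, findings = urlparse(page_url), []
    for form in parser.forms:
        hits = sorted({f for f in form["fields"] if any(s in f for s in SENSITIVE)})
        if not hits:
            continue
        target = urlparse(urljoin(page_url, form["action"]))
        # Both the page showing the form and the submit target must be HTTPS.
        encrypted = page.scheme == "https" and target.scheme == "https"
        findings.append({"target": target.geturl(), "fields": hits, "needs_tls": not encrypted,
                         "on_site": target.hostname == page.hostname})
    return findings

# Constructed sample page: an off-site hand-off form and an on-site checkout form.
SAMPLE = """
<form action="https://gateway.example/pay"><input type="hidden" name="order_total" value="19.99"></form>
<form action="/checkout/save" method="post">
  <input name="fullname"><input name="email"><input name="card_number">
</form>
"""
```

Calling `audit_forms("http://shop.example/checkout", SAMPLE)` reports only the on-site checkout form; the hand-off form carries no customer-typed fields and is skipped.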

 
 
btbc
Sr. Member
 
Total Posts:  95
Joined:  2008-06-11
 

To answer your question, first answer this question…

Would a customer expect to have their FINANCIAL and PERSONAL data encrypted?

If the answer is yes, then you absolutely will need SSL. Most customers WILL look for the yellow bar or the lock before entering their NAME, ADDRESS, AND PHONE NUMBER.

 
 
ramedia
Member
 
Total Posts:  70
Joined:  2008-05-17
 

Most carts don’t put you over to SSL on the collection of simple user data like name, address and email etc… they put you over to SSL on the collection of credit card information.  Users do not expect a secure server for simple user registration data like name, address etc… Personally, I would prefer the secure collection of all data, but that is not the case in most carts.  In the case of PayPal:  Standard puts you over to the site before you collect the user data, so you would not need SSL for PayPal Standard.  PayPal Pro (formerly VeriSign Payflow Pro) is a gateway, so yes you would need to use SSL in your cart.

 
 
antifmradio
Jr. Member
 
Total Posts:  13
Joined:  2008-09-23
 

OK, this is EXACTLY the thread I’m looking for and I’m sorry to thread-jack it,
but in light of the first and second comments to this thread:

How would I set up my site to NOT use SSL?

I am just setting up a DEMO site so no transactions would take place in it.

 
 
ramedia
Member
 
Total Posts:  70
Joined:  2008-05-17
 

You say if you are using ssl on cart setup.  There is also an option to turn ssl on or off in the cart admin. 

System>configuration>web (leftcolumn)>secure (page tab)>Use Secure URLs in Frontend (no), Use Secure URLs in Admin (no).

This will not put “https://www.foo.com” when in the user data collection area of the site.

 
 
mikej165
Sr. Member
 
Total Posts:  89
Joined:  2008-07-31
 

In my experience, an SSL certificate is an absolute necessity to help bolster your site’s credibility. Even if the payment details are not being collected on your site, other information, such as name, address, email, etc, are and should be encrypted to maintain the customer’s confidence. Since many browsers warn when sending information over an unencrypted connection, you could easily lose sales to people who get skittish when the browser tells them something that may lead them to think that things aren’t quite right with your store.

People are understandably leery when buying online and the average store is probably experiencing conversion rates that are low enough as it is. Why do anything to make them even lower? Much better, in my view, to spend the extra money for an SSL certificate and have one less thing to worry about.

 
 
ramedia
Member
 
Total Posts:  70
Joined:  2008-05-17
 
mikej165 - 25 September 2008 08:38 PM

spend the extra money for an SSL certificate and have one less thing to worry about.

Good advice.  It isn’t even that much money.  You can get an SSL certificate from GoDaddy.com, “Turbo” certificate for $20 per year. 

As far as people running away from a site because of a warning… the browser warns that every time a user tries to send any form data.  Every time you post to a blog, sign up at a site, etc....  Let’s be realistic, people turn the warnings off or disregard them.  It is not a travesty to collect user information without going to SSL.  Examples:

http://www.youtube.com/signup?next=/

http://www.facebook.com/

http://signups.myspace.com/index.cfm?fuseaction=signup

My philosophy:  don’t cater the technology to bottom dwellers, your site will suffer for it.  Cater your technologies to the fat middle.  Otherwise you might as well have all form pages SSL including your contact page, a page width of 640 pixels, no javascripting, no css, works in AOL browsers… just in case that skittish grandmom wants to make a purchase.

 
 
mikej165
Sr. Member
 
Total Posts:  89
Joined:  2008-07-31
 
ramedia - 25 September 2008 09:00 PM


My philosophy:  don’t cater the technology to bottom dwellers, your site will suffer for it.  Cater your technologies to the fat middle.  Otherwise you might as well have all form pages SSL including your contact page, a page width of 640 pixels, no javascripting, no css, works in AOL browsers… just in case that skittish grandmom wants to make a purchase.

If you’re selling to techies, this is obviously not a concern. On the other hand, if Skittish Grandmom is part of your target demographic..... 8-)

 
 
ramedia
Member
 
Total Posts:  70
Joined:  2008-05-17
 
mikej165 - 25 September 2008 09:10 PM

ramedia - 25 September 2008 09:00 PM


On the other hand, if Skittish Grandmom is part of your target demographic..... 8-)

My philosophy is good for all demographics.  Shoot for the middle.

 
 
btbc
Sr. Member
 
Total Posts:  95
Joined:  2008-06-11
 

Yes.

If a site collects my personal information, I expect it to be secure.

Basic SSL cert = $15
Installing time = 15 minutes
Customer trusting your site and buying oodles of products = priceless

 