Payment / SSL

Discussion in 'Payment Processing' started by koolsamule, Jun 30, 2010.

  1. #1
    Hi Chaps,

    Bit of a newbie question regarding SSL certificates and payment processing. I'm building an on-line shop and have got to the payment processing part.

    I'm going down the Merchant Account / Payment Gateway route, rather than the third-party (PayPal) route.

    What I need to know is whether I need to buy an SSL certificate for my site as standard practice, and if I do, is it just the checkout/payment pages or the whole site?

    If it is just the checkout pages, do I link to the pages through SSL like so:

    <a href="https://www.domain.com/checkout.php">Continue to Checkout</a>

    or would it automatically recognise that the page/directory is protected?
     
    koolsamule, Jun 30, 2010
  2. #2
    You do not need SSL for the whole site. You only need it on the pages that your customer enters secure information on, and it's a good idea to securely host the thank-you page as well. This is to prevent any potential non-SSL page error when you redirect to the thank-you page. You can put SSL on your shopping cart page if you would like, but it's not necessary for security's sake.

    Yes, you would link to the secure pages as you posted. When testing, make sure that the checkout page in the address bar reads https..., and that there are no SSL errors on the page. These would be indicated by a popup error box in Firefox or Internet Explorer, or a broken padlock in the browser. Errors are usually caused by using images, JavaScript, or CSS that is linked from a non-secure address.

    When integrating with the payment gateway, make sure to post to a secure address with the gateway as well. This is usually standard, but sometimes gateways allow non-SSL for testing. Lastly, when you post your customer's checkout form to the script that processes it on your site, make sure to post to an https address as well.

    So in all, to have a secure checkout:
    1. https on the checkout page
    2. Post to an https page to process the form
    3. Connect to an https URL with the gateway
    4. Make sure there are no SSL errors

    You should use .htaccess or another method to prevent the checkout page from being accessed via http at all.
     
    jestep, Jun 30, 2010
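The four points in the checklist above can be checked mechanically before the shop goes live. The following is an added example, not code from this thread or from any payment gateway: it parses a constructed sample checkout page, reports every subresource (stylesheet, script, image, iframe) fetched over plain http (the usual cause of the "broken padlock" / SSL error) and every form whose action posts to a non-https URL, and checks that the gateway endpoint itself is https. All hostnames, paths and the gateway URL are placeholders.

```python
"""Static check for the mixed-content and insecure-form problems on a checkout page.

Added example (not from the original thread). Sample HTML and all URLs are
constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose named attribute makes the browser fetch (or post to) a URL.
RESOURCE_ATTRS = {
    "img": "src",
    "script": "src",
    "link": "href",
    "iframe": "src",
    "form": "action",
}


class _Scanner(HTMLParser):
    """Collects (kind, tag, absolute_url) findings while parsing the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        raw = attrs.get(attr_name)
        if tag == "form" and raw is None:
            raw = ""  # a form with no action posts back to the page's own URL
        if raw is None:
            return
        # Only <link rel="stylesheet"> is actually fetched by the browser.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Resolve relative and protocol-relative (//host/...) references against
        # the page URL; on an https page those inherit https and are fine.
        absolute = urljoin(self.page_url, raw.strip())
        if urlsplit(absolute).scheme.lower() == "http":
            kind = "insecure-form-action" if tag == "form" else "mixed-content"
            self.findings.append((kind, tag, absolute))


def scan_checkout_page(html, page_url):
    """Return a list of (kind, tag, absolute_url) for every plain-http reference."""
    scanner = _Scanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def gateway_url_is_secure(url):
    """True only if the gateway endpoint is reached over https (checklist point 3)."""
    return urlsplit(url).scheme.lower() == "https"


# Constructed sample: a checkout page with the typical mistakes.
SAMPLE_PAGE_URL = "https://www.domain.com/checkout.php"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://www.domain.com/css/site.css">
<script src="//cdn.example/jquery.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://www.domain.com/images/cards.png">
<form action="http://www.domain.com/process.php" method="post">
  <input name="card_number">
</form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan_checkout_page(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{kind:22s} <{tag}> {url}")
    # Placeholder gateway URL; substitute the one from your gateway's documentation.
    print("gateway ok:", gateway_url_is_secure("https://gateway.example/post"))
```

On the sample page the stylesheet and the second image are reported as mixed content and the form as an insecure action, while the protocol-relative script and the root-relative logo pass because they inherit https from the page URL. Run it against the real checkout HTML (fetched over https) as part of the pre-launch test, and keep the gateway URL check in the deploy configuration so a test-mode http endpoint cannot slip into production.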
  3. #3
    Thanks for the reply... everything I needed to know!
     
    koolsamule, Jun 30, 2010
  4. #4
    Cool, thanks for the reply. Are there resources/checklists on how to make sure that the application is PCI PA-DSS compliant?
     
    koolsamule, Jul 1, 2010
  5. #5
    Hold on though, if I'm getting Merchant Services to handle the money and, say, someone like SagePay to secure the payment from the customer, do I still need to worry about PCI PA-DSS compliance, or would SagePay be covered? Then I would just need to secure the connections?
     
    koolsamule, Jul 1, 2010
  6. #6
    If you are distributing an application you need to be PA-DSS compliant. If not, you would make sure to validate yourself as PCI-DSS compliant.
     
    jestep, Jul 5, 2010