(Biz Related) Help me settle a debate in reference to SSL and Using Gateways
 

My friend is starting to sell some his shit online , He wanted to initially use paypal web payments to start (ie : person is sent to PP secure pages to use his CC or login using his PP account) then sent back upn order to his site for the order confirmation...


I told him to add a SSl Cert on the order process no matter what cause he will need it eventually when it gets a merc account....so when customer enters his name , addy and so on to register on site to create account to order he will be on HTTPS

He think cause the person is being sent to PP and he isnt collecting CC info he doesnt need it....

Now anybody want to shed some light on this cause I am not a expert and told him what I think should be done.

-JDL

Hi Juicy,

It's allways best practices to have all signup / acct creation process in secure mode (https)

Some sites don't secure signup, etc but I think it's best for the consumer, etc.. If he is going to use a cert for the cart anyways best to use it it for all..... It's cheap btw and is professional to the customer...

If you are transferring any personal information whatsoever, go SSL. No reason not to with how cheaply they area available to boot. Near 15-20 dollar range at godaddy if memory serves.

when any sensitive/private/personal information is being passed by web site's forms over "public" pipes it always best idea to carry this communication in SSL encrypted envelope.

always got amazed how sponsors would collect SS#'s over HTTP in the past, i'm sure many sponsors still don't use SSL on their webmaster signup forms even today

I cancel any request like that that does not go to a secured page.

You are all correct, everything submited on the page should be secure, but what Juicy is saying is that friend feels nothing is being submitted on HIS website, which is true. It's like saying that adult pay sites should have an SSL when they are using CCBill. Most do not have their own SSL because nothing is being entered on the non secure page, they are directed over the payment provider's website, which is secure.

So, your friend is technically right, but like you said, if he plans to use his own merchant account at some point, he will need an SSL. At this point there is nothing to secure. The add to cart and order now links will all take the customer to PayPal where they will login securely.

Even the express paypal checkout methods still transmit personal information... maybe not cc#s... address alone, hell name transfer alone would cause for warranting ssl. And with how cheap ssl is... it shouldn't even be debate, if you run a website that includes any user forms whatsoever... just get it.

Agreed :)