Is a website SSL really needed if you're using a secure PSP?

    As a first time user of Actinic business v10, could you please clarify some website security requirement queries I have?

    As I've been developing my webstore I wanted to make it as secure as possible and I experimented with the SSL settings for checkout pages and customer login. As I'm a Fasthost user, I quickly came across the well reported issues (on this community), namely that you can't make this work with Fasthosts, you need to put the whole webstore on SSL (unless anyone knows different?).

    However, if I decide to use a PSP such as SagePay, I believe there is actually no need to use an SSL on my website at all, as that is provided by the PSP? No credit card details will be entered or recorded on my website but will only be entered via the PSP's virtual terminal. Is that correct? Alternatively, if you do use an SSL on your website to record customers' credit card details, that immediately means that you are responsible for becoming PCI-DSS compliant and this is very expensive? Is that also correct?

    What about the recording of customers' names and addresses for delivery purposes? Is it a requirement that they must be recorded using an encrypted SSL? As a new user, I'm assuming that customers' names & addresses will be stored on my own computer/website and I will need to register as a data controller under the Data Protection Act 1998 annually, and it is a criminal offence not to register? Is that correct? The advice given on the Information Commissioner's Office website www.ico.gov.uk is that all customers' personal details (e.g. names & addresses) should be stored using encryption. Is that the normal practice for Actinic users? If so, doesn't that mean that an SSL is essential for all webstores even if you use a secure PSP, as you will still be recording customers' names & addresses even if you don't store their credit card details?

    #2
    Not sure if these answers are universal but here goes.

    We don't use SSL on the site because, like you, we use a PSP which handles the payment pages securely. However, we do occasionally get complaints from customers that the site is not secure.

    We were told that we did not need to register for data protection when I enquired.

    Will be interested to hear what others say.
    www.butterflies-healthcare.co.uk
    www.viteyes.co.uk - vitamins for macular degeneration
    www.natorigin.co.uk - natural/organic cosmetics and skin care for sensitive skin & eyes
    www.butterflies-eyecare.co.uk - eye drops, vitamins and other eye care products
    www.prescription-swimming-goggles.co.uk - optical and prescription swimming goggles



      #3
      You don't need SSL if you use a PSP but I think you do need to register as a Data Controller.



        #4
        Hi Martyn,

        As far as I can see from this link on the ICO site, then you don't need to register as a data controller if you're only holding the data for advertising or accounts purposes (Question 9):

        http://www.ico.gov.uk/upload/documen...ment_guide.pdf

        As for encryption, then this extract from one of the FAQs implies that is only necessary if you are holding financial information:

        Q: What security measures should I have in place to protect personal information on laptops?
        Where the information held on a laptop or other portable device could be used to cause an individual damage or distress, in particular where it contains financial or medical information, they should be encrypted.

        PCI-DSS compliance has been answered a multitude of times if you search. Provided you don't process card payments through your computer and only use a card machine or Sagepay then it's easy and free.

        Personally we do have SSL on our checkout pages as customers seem to be happier but it's not strictly necessary.

        Hopefully someone else will be along to confirm my understanding.
        www.silvermoonbeads.com - Gemstones, Pearls, Hill Tribe sterling silver, Swarovski and Findings.



          #5
          Originally posted by orcahouse:
          PCI-DSS compliance has been answered a multitude of times if you search. Provided you don't process card payments through your computer and only use a card machine or Sagepay then it's easy and free.
          If I understand you correctly, you are implying that it's OK to collect card details onto your computer and then process the payment using a PDQ-type machine - if so then you would need PCI-DSS compliance as you are storing the card details on your computer.

          Obviously if I've misunderstood you then ignore that comment
          Elysium:Online - Official Accredited SellerDeck Partner
          SellerDeck Design, Build, Hosting & Promotion
          Based in rural Northants



            #6
            Hi Goz,

            Having re-read my post I can see how you might have inferred that. Happy to concur with you - What I was trying to say is that, without getting into the details from other threads, if you can avoid having any card details on your computer then PCI-DSS compliance is much simpler but still necessary.
            www.silvermoonbeads.com - Gemstones, Pearls, Hill Tribe sterling silver, Swarovski and Findings.



              #7
              If you are using a PSP then you don't need to apply for PCI-DSS compliance - the PSP does instead.



                #8
                Thanks to you all for your comments. The only issue that remains for me then is whether to jump ship from Fasthosts (a bit disappointing as I just signed up for 1 year) to another webhost in order to be able to use an SSL for the customer login & checkout pages. If, as James said, customers sometimes express a concern that a website doesn't seem secure, then it may be preferable to use an SSL for the login and checkout pages to improve customer confidence, even though the PSP will provide the security and be PCI-DSS compliant.



                  #9
                  Many people use SSL on the checkout pages but most don't. Some people say it makes a difference to dropouts, others don't. It's a mixed bag unfortunately and the choice is yours.

                  As for leaving FastHosts - well that may be a blessing in disguise anyway considering the number of issues we have seen with Actinic on FastHosts over the years.



                    #10
                    We stopped using SSL in checkout a couple of months ago (after 5 years) and haven't noticed any difference in orders, and haven't had any complaints. I think if you explain the checkout process at the beginning ("we use secure PSP etc") then these days that probably is enough.

                    Aquazuro - designer stainless steel accessories



                      #11
                      In an ideal world, if SSL worked without problems and didn't slow things down, it would be a good idea to have. The reality is that even the biggest players online cannot get this area right, and the confidence that this area is supposed to produce is sadly worsened by it not working correctly. I have even seen hosts who cannot get this area correct; it's just not worth it. The secure message that pops up on so many occasions is far, far worse than not having one in the first place. SSL sucks, I absolutely detest it personally; it just doesn't work well enough to even be a consideration IMO.
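Two things in this thread can be checked mechanically rather than argued about: which pages actually carry a login credential, card field or delivery address to a non-HTTPS destination (the original question), and whether an HTTPS checkout page is pulling scripts or images over plain http, which is the mixed-content "secure message that pops up" complained about in post #11. The script below is an added example written for this page, not code from the thread or from Actinic/SellerDeck; `shop.example` and `psp.example` are assumed hostnames, the sample HTML is constructed, and the list of "sensitive" input names is an illustrative heuristic, not a standard.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that load a subresource.  An http:// one on an https://
# page is mixed content: the browser drops the padlock or warns, which is the
# "secure message that pops up" complained about in the thread.
SUBRESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src")}

# Input types and name fragments (assumed, for illustration) that indicate a
# form collecting a login credential, card data or a delivery address.
SENSITIVE_TYPES = {"password", "email", "tel"}
SENSITIVE_NAME_HINTS = ("card", "cvv", "cvc", "expiry", "address",
                        "postcode", "login", "pass")


class PageAuditor(HTMLParser):
    """Walk one page's HTML and record two kinds of finding."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_https = urlparse(page_url).scheme == "https"
        self.mixed_content = []    # http subresources loaded by an https page
        self.insecure_forms = []   # forms posting sensitive fields without TLS
        self._form_action = None   # set while inside a <form>
        self._form_sensitive = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        # Stylesheets are subresources too; other <link rel=...> values are not.
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            self._check_subresource(a.get("href", ""))
        for t, attr in SUBRESOURCE_ATTRS:
            if tag == t and a.get(attr):
                self._check_subresource(a[attr])
        if tag == "form":
            # An empty or missing action submits back to the page itself.
            self._form_action = urljoin(self.page_url, a.get("action", ""))
            self._form_sensitive = False
        elif tag == "input" and self._form_action is not None:
            typ = a.get("type", "text").lower()
            name = a.get("name", "").lower()
            if typ in SENSITIVE_TYPES or any(h in name for h in SENSITIVE_NAME_HINTS):
                self._form_sensitive = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form_action is not None:
            # The finding is about where the data travels, not where the page
            # lives: an http page posting straight to an https PSP is fine.
            if self._form_sensitive and urlparse(self._form_action).scheme != "https":
                self.insecure_forms.append(self._form_action)
            self._form_action = None

    def _check_subresource(self, ref):
        target = urljoin(self.page_url, ref)   # resolves "//cdn/..." to https on an https page
        if self.page_https and urlparse(target).scheme == "http":
            self.mixed_content.append(target)


def audit_page(page_url, html):
    """Return {'mixed_content': [...], 'insecure_forms': [...]} for one page."""
    p = PageAuditor(page_url)
    p.feed(html)
    p.close()
    return {"mixed_content": p.mixed_content, "insecure_forms": p.insecure_forms}


# Constructed sample pages (not real sites).  shop.example is the assumed
# store, psp.example the assumed hosted payment page.
SAMPLE_PAGES = {
    # Catalogue page over plain http with only a search box: no finding.
    "http://shop.example/acatalog/index.html":
        '<form action="search.pl"><input name="q"></form>',
    # Login page over plain http posting a password back to itself: finding.
    "http://shop.example/acatalog/login.html":
        '<form method="post"><input type="email" name="e">'
        '<input type="password" name="p"></form>',
    # Order page over http whose only sensitive form posts straight to the PSP
    # over https: the card data never travels in clear, so no finding.
    "http://shop.example/acatalog/order.html":
        '<form action="https://psp.example/pay" method="post">'
        '<input name="card_number"></form>',
    # Checkout page served over https but pulling a script over http: mixed
    # content, which is exactly what makes the browser warn.
    "https://shop.example/acatalog/checkout.html":
        '<script src="http://shop.example/js/checkout.js"></script>'
        '<img src="//cdn.example/logo.png">'
        '<form action="/acatalog/confirm.pl"><input name="delivery_address"></form>',
}


def audit_site(pages=SAMPLE_PAGES):
    """Audit every page; return only the pages with at least one finding."""
    report = {}
    for url, html in pages.items():
        findings = audit_page(url, html)
        if findings["mixed_content"] or findings["insecure_forms"]:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit_site().items():
        print(url)
        for kind, items in findings.items():
            for item in items:
                print(f"  {kind}: {item}")
```

Run against the constructed pages it flags only the http login page (a password posted in clear) and the https checkout page (a script loaded over http); the http order page that posts card data directly to the https PSP page is clean, which is the arrangement the thread describes. Pointing it at a real store would mean fetching each page's HTML first; nothing here fetches anything.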



                        #12
                        Martyn, are you aware that Actinic does both hosting and a payment service?

                        Chris



                          #13
                          Thank you Chris, yes I am aware that Actinic can provide hosting and payment provider services. I did talk to them about it but I chose Fasthosts because I'd already bought my domain names from them and they were offering a 50% discount for the first 6 months for their business web hosting. Regarding a PSP I'm considering SagePay due to their low charges but I am aware that there are some good features in the payment pages of the Actinic software that are only available/usable when using Actinic Payments.
