(alleged) 'lack of confidence' in my site security

Hello Community - I've got an Actinic shop and (appended below) is an extract quoted from an email from a 'well-meaning' IT consultant suggesting that there's some 'lack of confidence' in my site security. I've got no idea whether it's just a 'scare' or if there's any 'truth' in what's written below. Is anybody able to offer any views?

Quote from an email received yesterday:

"I am an IT consultant who specialises in web applications - my apologies if this email is a bit techy - I'm just trying to be helpful {honest}.

I wanted to place an order on your website, but I didn't because of lack of confidence in your security!

Your website indicates that you manage secure payments: "When the order is placed at our website, credit card numbers are encrypted using 128 bit encryption. They are only decrypted after they reach our computer..."

However, the page where you ask for credit-card details is NOT secure {it does a POST request to http://www.xxx.com/cgi-bin/os000005.pl}. This is via the standard HTTP protocol, which is UNENCRYPTED, thus allowing customer credit card details to be intercepted by undesirables, and contradicts your security statement quoted above.

I figured this may be an issue you are unaware of and may want to speak to your web site hosting company ASAP, as at best you may be losing the odd bit of business, and at worst you are liable to potential legal action.

Once again, this email is intended as a friendly, public-spirited bit of information sharing - so my apologies if it comes across as a bit alarmist!"

#2
The guy is correct to an extent: you need to change your information. I see you're using Sage Pay, so there's no need for a secure checkout. Some might argue, but I have found that on standard checkout pages (address details) this makes no difference.

So:
- change the wording about 128-bit - this I think is standard Actinic wording and does not apply to you
- tell people what you are using and that it's safe
- oh, and your bounce to the PSP is not working; a search here will tell you how to fix that


#3
What encryption method do you think you use on your site?

The choices are using a PSP such as Actinic Payments or Worldpay, using PayPal, or using your own SSL certificate, Actinic's shared SSL service or the Java applet. None of the last three is recommended.

Chris


#4
Looking at your site, you're not collecting card details to download and process yourself, so you don't need SSL encryption for the information you are gathering. What you do need to do, however, is change the wording that he picked up on, saying you are downloading details using encryption; rather say that you're not downloading them at all, or something similar.

Some people prefer to see SSL on all the cart pages, but it is not actually necessary.
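The point the email and the replies turn on is whether the form that the browser submits over plain http: actually contains card fields, or only address and contact fields. The following is an added example (not code from this thread, from Actinic or from Sage Pay) of a check a shop owner could run against a saved copy of their own checkout page: it parses every form, resolves the action URL, and flags a form as "high" only when card-like fields would be posted to a non-https: action. The page URL, form actions and field names are constructed for the example, and the list of card-field name tokens is a heuristic assumption.

```python
"""Audit the forms on a checkout page: does any form that collects card
details post to a plain-http: action?  Added example, not Actinic code."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic list of field-name tokens that usually carry cardholder data
# (an assumption; extend it to match your own form naming).
CARD_TOKENS = {"card", "cardnumber", "cardno", "cc", "ccnumber", "ccnum",
               "pan", "cvv", "cvv2", "cvc", "csc", "expiry", "exp", "expdate"}
# autocomplete values that HTML reserves for payment-card fields
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month",
                     "cc-exp-year", "cc-name"}


def name_tokens(name):
    """Split 'CardNumber', 'card_number' or 'cc-num' into lowercase tokens."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", name)
    return set(re.findall(r"[a-z]+|[0-9]+", spaced.lower()))


def looks_like_card_field(field):
    return (field["autocomplete"] in CARD_AUTOCOMPLETE
            or bool(name_tokens(field["name"]) & CARD_TOKENS))


class FormCollector(HTMLParser):
    """Records every <form> with its action, method and the fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append({
                "name": a.get("name", ""),
                "autocomplete": a.get("autocomplete", "").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_html, page_url):
    """Return one finding per form: where it posts, over which scheme, which
    card-like fields it contains, and a severity for the combination."""
    collector = FormCollector()
    collector.feed(page_html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])   # relative actions resolve against the page URL
        scheme = urlsplit(target).scheme.lower()
        card_fields = [f["name"] for f in form["fields"] if looks_like_card_field(f)]
        if card_fields and scheme != "https":
            severity = "high"     # card data would travel in the clear: the email's complaint
        elif scheme != "https":
            severity = "low"      # address/contact data in the clear, no card data
        else:
            severity = "ok"
        findings.append({"action": target, "method": form["method"],
                         "scheme": scheme, "card_fields": card_fields,
                         "severity": severity})
    return findings


# Constructed sample page: an address form and two card forms, one of which
# posts over http: (all URLs and field names are made up for this example).
SAMPLE_URL = "http://www.example.com/checkout"
SAMPLE_HTML = """
<form method="post" action="/cgi-bin/checkout.pl">
  <input name="Name"><input name="Address1"><input name="Email">
</form>
<form method="post" action="http://www.example.com/cgi-bin/pay.pl">
  <input name="CardNumber"><input name="ExpiryMonth"><input name="CVV">
</form>
<form method="post" action="https://pay.example.com/card">
  <input name="number" autocomplete="cc-number"><input name="code" autocomplete="cc-csc">
</form>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_HTML, SAMPLE_URL):
        print(f["severity"].upper(), f["method"], f["action"], f["card_fields"])
```

Run against a saved copy of the checkout page, a "low" finding is the address-only form the replies describe (a PSP redirect means no card fields are on the merchant's own page), while a "high" finding is the situation the email describes: card fields present and the action not https:. Any "high" result is the one to fix before worrying about wording.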


#5
"you don't need SSL encryption" message ...

Thanks to Darren B, cbarling & drounding for your prompt and helpful replies ... we'll change our message to something a bit more appropriate.


#6
"However, the page where you ask for credit-card details is NOT secure."

This bit, however, is incorrect as you are using Sage Pay. He is referring to the checkout in your shop where addresses are collected, not credit card details.

Aquazuro - designer stainless steel accessories