Many storeowners are uncertain whether they should add SSL to their site, citing various reasons, including cost and complexity of setup.
MODERN ANSWER: Yes, you should use SSL on your site. Not only does it lend to protecting sensitive information, but it is also becoming more and more important for good search engine ranking nowadays.
Now for the technical and bigger-picture explanation:
Here are the things to consider:
WHY USE SSL?
SSL encrypts communications between your customer's browser and your webserver. This means nobody can snoop on what they're transmitting to you (such as someone spying on internet traffic in a cafe or wifi hotspot, or library)
DO I NEED SSL?
If your site is collecting credit card info directly in a page inside your store (ie: not redirecting to a bank or payment gateway site to collect card info for payment) then YES you absolutely MUST use SSL to protect your customers' payment information.
HOW DOES ZEN CART IMPLEMENT MY SSL?
If you have SSL enabled in your hosting account (that's something you arrange with your hosting company directly), then you can tell Zen Cart to use your SSL URL ... and then Zen Cart will automatically use that SSL URL when presenting pages dealing with sensitive information like login, account-creation, password changes, checkout, and even your admin pages.
Zen Cart will not use SSL on pages that don't deal with sensitive information (such as a customer browsing your available products), since SSL isn't needed there. It will intelligently use SSL only on sensitive pages.
BUT MY PAYMENTS HAPPEN OFFSITE.
If your payment-collection is ALWAYS handled offsite via another gateway that uses SSL on its site, then *your* site does not "technically" require SSL insomuch as it's not handling credit card details. BUT ... if you don't have SSL enabled on your site then some spy could still steal your customers' passwords and names and addresses and email addresses when they fill in various fields on your store's site. They could then use that information to login to their accounts and impersonate them. While they couldn't make purchases using their private banking/creditcard data (since ZC doesn't store any banking/card data), they could request a cancellation of an order, or initiate communications with you under the customer's name while not actually being the customer, etc.
So, if you added SSL to your site then you would prevent the ability for such identity theft.
BUT SSL COSTS MONEY
Yes, there are typically 3 costs associated with SSL:
1. Dedicated IP address
2. Certificate itself (A dedicated certificate specific to your site is recommended. A shared certificate might work.)
3. Installation/activation of the certificate in your hosting account
WHY A DEDICATED IP ADDRESS?
Your hosting account needs to be able to offer SSL. At a minimum this typically means you'll need a plan that offers a dedicated IP address. Many plans include this for free, or offer it for a couple dollars per month.
(Aside: While the industry is just now starting to offer the ability to do SSL without requiring a dedicated IP address, this technology is in its infancy and not all browsers are smart enough to support it yet, so it may be a couple years before this becomes mainstream. In the meantime the cost of a dedicated IP cannot be avoided.)
DEDICATED OR SHARED?
A dedicated certificate is strongly recommended, both for branding and technical reasons. A dedicated certificate will use the same URL as your store does, thus branding it the same as your store. No confusion to customers. Also, a dedicated certificate will work out-of-the-box with no special setup required beyond the basics. Simply tell Zen Cart the SSL URL and flip the enable-ssl setting on and you're done.
While it's possible to use a shared certificate, this can be confusing to your customers when the URL of your store suddenly changes to your hosting company's URL when on protected pages. This becomes a branding/identity issue. Plus sometimes shared certificates are configured in very weird ways with some cheaper-cost hosting companies, and cannot be made to work with the industry standards embraced by Zen Cart (specifically if the shared-SSL server/certificate is on a separate server from where your actual store's files are located). But a shared certificate could let you run multiple stores from one IP address, if you didn't care about the branding issue.
HOW DO I INSTALL A CERTIFICATE?
Installing an SSL certificate is a subject specific to your hosting account. Work with your hosting company or follow their FAQ documentation to buy and install an SSL certificate in your hosting account.
Then make sure you can visit your site using your SSL URL without getting server errors.
And then you can tell Zen Cart to use your new SSL URL. See the FAQ below for that part.
Further Related Reading: