Thread: WPP and SSL

  1. #1
    Join Date
    Feb 2007
    Location
    NNJ
    Posts
    212
    Plugin Contributions
    0

    WPP and SSL

    Ruff... Sniff sniff...

    I've been going over a lot of the PayPal documentation, and in a document entitled "Disclosure & Payment Compliance" on page 9, the following paragraph speaks of their SSL use.

    "The security of your information, transactions, and money is the top priority at PayPal. PayPal Fraud Protection Services leverages the Secure Sockets Layer (SSL) protocol, which provides crucial online identity and security to help establish trust between parties involved in e-commerce transactions. Your customers can be assured that the website they’re communicating with is genuine and that the information they send through web browsers stays private and confidential.

    Moreover, using SSL with an encryption key length of 128 bits (the highest level commercially available), PayPal automatically encrypts your confidential information in transit from your computer to PayPal’s servers, which are heavily guarded both physically and electronically. These servers sit behind a monitored electronic firewall and are not connected directly to the internet, so your private information is available only to authorized computers."

    The statement that is of specific interest

    "PayPal automatically encrypts your confidential information in transit from your computer to PayPal’s servers,"

    leaves things unclear as to whether it is required of us to obtain an SSL certificate. Having said that, I could not find where SSL certification is succinctly stated as a requirement anywhere in the PayPal docs.

    And if not an SSL certificate, it may be wise to have some kind of TRUST inducing visual aid.

    What is the skinny on the matter?
    Elliot

    The loves of my life are a good white zinfandel and my dog Homer.

  2. #2
    Join Date
    Aug 2005
    Location
    Arizona
    Posts
    27,755
    Plugin Contributions
    9

    Re: WPP and SSL

    Elliot,
    If this was for PP's standard payment or IPN - then a customer does not enter info until connected to PP and this is a https: connection and it is their SSL that is used.

    If PP Pro Flow?? then info is entered on your site and your customer does not leave your site - So you will need and are required by the gateway - PP in this case - to have an SSL
    Zen-Venom Get Bitten

  3. #3
    Join Date
    Feb 2007
    Location
    NNJ
    Posts
    212
    Plugin Contributions
    0

    Re: WPP and SSL

    Thanks Kobra,

    I let my lack of understanding rear its ugly head.
    But, after thinking about it, I actually got to understanding that what they meant in the Disclosure and Compliance Document pertains to transmissions to and from PayPal, but not those between the customer's client PC and the hosting web-server where my site sits.

    I get it now...

    Thanks!
    Elliot

    The loves of my life are a good white zinfandel and my dog Homer.

  4. #4
    Join Date
    Jun 2008
    Posts
    1
    Plugin Contributions
    0

    Re: WPP and SSL

    Kobra,

    I'm currently using zen cart with minimal knowledge of its underpinnings. I've been trying to read up on whether or not you MUST have SSL set up on your site to use PayPal Pro + Zen Cart.

    From my understanding, zen cart sends all the user data over to paypal using CURL, so therefore the user's CC information is encrypted and zen cart abides by the TOS of paypal with or without the site having a SSL certificate.

    This seems all good and might be the reason for the many forum posts I've read saying that SSL is not necessary but is good for customer peace of mind. However, before the information is sent from zen cart over to paypal, it goes through a minimum of two requests to the zen cart server in the confirmation and completion processes. During these requests, anyone listening on the network would be able to see the user's CC information in plain text.

    Is there something I'm missing? Could you just confirm whether or not to fully protect the user's CC information throughout the entire process, using zen cart + pay pal pro, you MUST have SSL installed?

    Thanks,

    Michael

  5. #5
    Join Date
    Aug 2005
    Location
    Arizona
    Posts
    27,755
    Plugin Contributions
    9

    Re: WPP and SSL

    "it goes through a minimum of two requests to the zen cart server in the confirmation and completion processes. During these requests, anyone listening on the network would be able to see the user's CC information in plain text."

    Exactly why you must have SSL for your site - I as a customer will not be entering my info on a non-secure connection...

    I have not checked PayPal Pro Flow but others like Linkpoint require that you specify the https address - (need SSL to enable https:)
    Zen-Venom Get Bitten
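
The point made in posts #4 and #5 is that the server-to-PayPal hop being encrypted says nothing about the browser-to-store hop. As an added example (not part of the original thread and not Zen Cart code), this Python check takes the HTML of a checkout page and flags any form with card-like fields that is served or submitted without HTTPS; the field-name hints, URLs and sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Name fragments that suggest card inputs (constructed; match them to your payment module).
CARD_HINTS = ("cc_number", "cc_cvv", "cc_expires", "card")

class FormAudit(HTMLParser):
    """Record every <form> with its action and any card-like field names inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "card_fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select") and self._open is not None:
            name = (a.get("name") or "").lower()
            if any(h in name for h in CARD_HINTS):
                self._open["card_fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_page(page_url, html):
    """Return (issue, url) pairs for card forms served or submitted without HTTPS."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["card_fields"]:
            continue  # search boxes, newsletter forms, etc.
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        if urlparse(page_url).scheme != "https":
            findings.append(("page-not-https", page_url))
        if urlparse(target).scheme != "https":
            findings.append(("submit-not-https", target))
    return findings

# Constructed sample: a payment page whose card form posts to the confirmation step.
SAMPLE_HTML = """
<form action="index.php?main_page=search"><input name="keyword"></form>
<form action="index.php?main_page=checkout_confirmation" method="post">
  <input name="cc_number"><input name="cc_cvv"><select name="cc_expires_month"></select>
</form>"""

if __name__ == "__main__":
    for base in ("http://shop.example/index.php?main_page=checkout_payment",
                 "https://shop.example/index.php?main_page=checkout_payment"):
        print(base, audit_page(base, SAMPLE_HTML))
```

A relative form action inherits the scheme of the page it sits on, so a payment page loaded over plain HTTP is reported for both the page and the submit target.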

 

 
