SSL certificate required for BluePay Module?

[sports guy]

I am wondering if a SSL certificate is required/recommended for the BluePay Module? (http://www.bluepay.com/developers/payment-modules)

Here is my dilemma. I have a zen store already set up with this BluePay module and all is working fine. This store already has a security certificate installed and dedicated IP adddress (for the SSL) and it works just fine.

Now that my client wants a second site with a completely different BluePay account, I am wondering if I have to have another SSL certificate to connect the Bluepay for the new site. The module does not say anthing about SSL. Obviously settting up another certicate and dedicated IP would be more work, and would then need its own hosting account if this were the case.

Bluepay said it was "Recommended" to have a SSL, but if no credit card information is being passed, really how serious is it? Of course they would say it's recommended. The bluepay settings have a secure URL to send the client for payment, an account ID and secret key. Seems to be just like Paypal on the surface, in that you send to another URL to pay and then it sends the order information (minus the CC info) back to the store. What do you think? Do I really need a SSL for this module?

[kobra]

I would get a cert and IP for this new site JMO

[sports guy]

OK thank you Kobra, I appreciate the feedback.

[RodG]

Do I really need a SSL for this module?

No

Cheers
Rod

[sports guy]

That is what I was thinking Rod. Obviously I would like to save the owner the monthly expense of a SSL and dedicated IP address, plus can put him on hosting from his other store. This can easily save him approx $300 per year.

It just seems like a SSL is overkilll and is costly in comparison. For what? My thinking is if a hacker really wanted in the store he/she would gain entry. After all if governments and large corporations can't secure their sites from hackers what hope do I have. Even if this ever happened, then what would the hackers score? The get names and addresses (not that I would ever want this to happen). But they wouldn't even get credit cards, so whats the benefit to them? If this were a $50 a year security measure or the database was accepting CC number I could see, but the payment is not even being made on our ZC site.

Of course I also do not want to be foolish either.

Any more feedback would still be appreciated, I am still debating.

[DrByte]

My thoughts: http://www.zen-cart.com/content.php?332-do-I-need-SSL

[RodG]

SSL will NOT protect a site from hackers. It will protect the data from being "sniffed" as it traverses the Net, and that is pretty much all it does. The data itself is unencrypted when it is being entered, therefore subject to keyloggers, and in most cases it is stored unencrypted on the destination servers where most hacks take place. IOW SSL is only significant for the few microseconds that the data is in transit.

IMO it gives a false sense of security because so few people understand its limitations.

Cheers
Rod (Adv dip in Network Security)

[melsleight]

The BluePay Zen Cart module does need a SSL certificate. The customer's credit card card information is posted from the customer's web browser to the server running Zen Cart. The module then posts the payment information to the gateway which responds with the transaction results. SSL is needed to protect the first step between the customer and the web server.

Mel Sleight
Integration Support
BluePay Processing, Inc.
BluePay Processing, Inc.

[RodG]

The customer's credit card card information is posted from the customer's web browser to the server running Zen Cart..

Why? That is both inefficient and foolish.

The module then posts the payment information to the gateway

Why not cut out this middle step, like most (if not all) the other payment processors do?

SSL is needed to protect the first step between the customer and the web server.

It's much safer/secure to bypass this intermediate step.

Mel Sleight
Integration Support
BluePay Processing, Inc.
BluePay Processing, Inc.

I guess I'll never be using (or recommending) BluePay then. I can see it now, if a customers CC gets compromised in any way, you guys can (and probably will) deny accountability. It would be too easy to resist... "No, it wasn't *our* servers that leaked the CC data, therefore it must have been leaked by the merchants store".

There is no need that I'm aware of for the merchant (or their server) to handle the end users CC details at all. I'm always willing to update my knowledge in these matters though.

Regards
Rod Gasson
Adv dip Network Security.

[melsleight]

RodG makes a good point. While customer post to shopping cart to gateway is more common we are seeing a shift from that model. We also have a hosted payment form option that does not require a SSL certificate for the Zen Cart server. We'll update our module to use that model instead of the traditional model. It should be ready in a few weeks. I'll post here when it is ready.

Mel Sleight
Integration Support
BluePay Processing, Inc.