Authorize.Net and SSL

[Cienwen]

Hello all,

This is my first Zen Cart so my questions may seem painfully simple.

I am deciding on my payment methods and wanted to know if I use Authorize.Net do I need to purchase a SSL Cert for my site. I can't seem to figure this out. My host says that if I am using a PHP based shopping cart that I need a SSL Cert but if I use a third party such as Authorize.Net do I still need the SSL Cert.

Any help you can offer would be great!

Cienwen

[TracNez]

HI Cienwen,

Yes I believe you do need it. My Client is using Authorize.net and he just called today and said they asked about our SSL.

So unless they have different packages, I think you need it.

I haven't figured out what I need to do yet to link our SSL in with Authorize yet, that' swhat I came here for.

[Sermonzone]

Your host should help you with the SSL setup. This is where Zen Certified Hosting is really handy.

I use Auth net and don't remember having to tell them anything about the SSL. You will have to go through the setup in Zen Cart admin, on the Auth.net website and I think I even had to call to confirm some stuff. A little tedious but mine has given ZERO problems since setup 6 months ago.

[Sermonzone]

PS. You DO want your own SSL certificate. Looks more professional and .... there is that security issue too.

[TracNez]

Most Hosts will provide you with at least a shared certificate and help you with it.

On my host, is was just a manner of logging on to the admin panel for my host, and noting what the SSL URLs were.

And yes, you'll have to use the Authorize.net module in ZenCart Admin as Sermon pointed out,

Good Luck and feel free to ask more questions,.

Your host should help you with the SSL setup. This is where Zen Certified Hosting is really handy.

I use Auth net and don't remember having to tell them anything about the SSL. You will have to go through the setup in Zen Cart admin, on the Auth.net website and I think I even had to call to confirm some stuff. A little tedious but mine has given ZERO problems since setup 6 months ago.

[rbjb]

Yes, you do need an SSL cert. I wouldn't set up a cart for a client without one. With or without authorize. net. I recently set up two carts for clients and the one that used authorize. net was told by his bank (his merchant account) that they would not do business with him without one. The other one did not use any merchant account and I told them that I did not want to do business with them if they were not willing to spend the $50 per year to do it right.

It's not a big deal to set up an SSL cert. If your web hosting company can't or won't do it for you find another web hosting company. It was not a problem for me as I own my web hosting company.

To set up an SSL cert on a site you should have a dedicated IP address with your hosting company. The dedicated IP address might cost you an extra $2 or $3 per month in hosting fees. You can use a shared cert with a lot of companies but in my mind it is not professional to use a shared cert. SSL certs can be purchased for around $15 per year from good companies. I purchase all of the certs for my customers from another web hosting company that sells them for $14.95 for one year. This is a limited time offer from this company, but it's been a limited time offer for two years. I set one up for a client last night and it took me about 30 minutes to buy it and set it up.

These things are only important for those buyers that are smart enough to click on the "lock" to check out the cert before they buy. I for one will not buy from an online merchant that is using a shared cert because I know they are cutting corners.

Ray

[TracNez]

I recently set up two carts for clients and the one that used authorize. net was told by his bank (his merchant account) that they would not do business with him without one.

...

These things are only important for those buyers that are smart enough to click on the "lock" to check out the cert before they buy. I for one will not buy from an online merchant that is using a shared cert because I know they are cutting corners.

Ray

Yes that was my experience with Authorize.net as well, as I posted upstream.

Regarding the "cutting corners." Sure they are trying to save money, but it's not any less secure that I know of, except for the fact that the Certificate owner may not match your domain name. Do you have any reason to believe it is less secure?

[rbjb]

Speaking as a merchant when I make an online purchase from someone for the first time it is comforting to know that the cert has been purchased by the web site I am buying the merchandise from.

It is quite possible for anyone with a bit of knowledge to "lease" a dedicated server for under a $200 per month and set up a shared certificate on it. Then that person could create any number of scam web pages and have them all use the same shared certificate.

With individual certificates it is much more difficult to put together such a scam. You would have to have a certificate issued to each web page by the certificate company. Before issuing a cert all companies have some degree of verification. The more you spend for the certificate and the better (and better know the cert company) the better the degree to verification is required.

The low cost certificate that I use for myself and my clients checks the following:
You first have to give them the CSR request from the server
Then the do some checking through the whois database
You have to use email address from that domain during the process
Then they require a verification phone call to finish the process.

If all matches up then they issue the cert which has to be installed on the server by someone having root access to the server.

With a shared certificate none of this verification takes place. Now if you spend more money with this certificate company they give you not only the certificate but a seal the uses encryption to further allow the merchant to verify that this web site did actually purchase the cert and it has been checked that this website certificate was indeed purchased by that web site.

If your client can afford it then it is even better security if they add a BBB seal or the like to the web page. All of these things inspire confidence in the buyer that they really are dealing with who the web page claims to be. In addition the customer has the confidence in knowing that before the purchase is made that the merchant went to the trouble to provide all the proof that the merchant could provide, that they really are who they say they are.

With the shared cert you have none of this other than knowing that the web site is on the server that the owner of the server purchased the cert. Now that would be enough for me, if for example, the shared server certificate owner was Microsoft or Google. It would not be enough for me it the server certificate was issued to Joe's Cut Rate Web hosting company in China and the web site name was http://www.sendmeyourmoneyandiwontcheateyou.com

Ray

[TracNez]

It would not be enough for me it the server certificate was issued to Joe's Cut Rate Web hosting company in China and the web site name was http://www.sendmeyourmoneyandiwontcheateyou.com

Ray

Hey! That's my cousin's site in China!

j/k ]

'thanks for the post

[Cienwen]

Thank you all for the input. I will purchase the single SSL Cert and do it right!

Thanks again.

Cienwen