November 3, 2016
HTTP & HTTPS – What’s It All About?
The easiest way to tell if a website is secure is to check whether its address starts with https:// and shows a lock icon. You may already be familiar with this from visiting ecommerce websites and seeing the lock in your address bar.
Most websites pass unencrypted information from the web browser to the server. But if a site uses “Secure Hypertext Transfer Protocol” (https), the information is encrypted. This is especially needed for ecommerce sites.
Certainly it is critical and absolutely necessary for credit card information to be encrypted. Another common scenario: if your website enables your customers to create accounts with passwords, you should use encryption as well.
SSL certificate options
HTTPS is provisioned with the use of an SSL (Secure Sockets Layer) certificate. There’s a cornucopia of options. You can get certificates for use on just one domain or for multiple domains and subdomains. Take a look at namecheap.com to see some examples.
A great option to consider is an EV (extended validation) certificate. This certificate uses a special visual indicator: the name of the company is shown in green in the address bar to the left of the website address. It’s a cue that boosts your customers’ confidence – making it more likely they will make a purchase. An ecommerce vendor also has to jump through more hoops to obtain this kind of certificate.
You need a dedicated IP address for your domain if using a secure certificate. Well, it’s possible to use a certificate without one, but older browsers may display a warning message.
It’s not just for end users
People using CMS’s (content management systems) such as WordPress – even if they do not really pass sensitive information – can also benefit from a secure certificate. Most hosts provide a free secure certificate (usually not suitable for the front end) that is useful for protecting admin logins. You can make https mandatory on admin directories and login pages – but will need a techie to modify one of your site’s configuration files (usually the .htaccess file) to reroute http requests to https for these areas.
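One way to set up the redirect described above, as an added example that is not from the original post: an .htaccess fragment for an Apache-hosted WordPress site that sends plain-http requests for the login page and admin directory to https. It assumes mod_rewrite is enabled, WordPress is installed at the site root, and www.example.com is a placeholder for your real hostname.

```apache
# Added example, not the original post's code.
# Assumptions: Apache with mod_rewrite, .htaccess overrides allowed,
# WordPress at the document root, www.example.com as a placeholder hostname.
# Place this above the "# BEGIN WordPress" block so it is evaluated first.
<IfModule mod_rewrite.c>
RewriteEngine On

# Act only on requests that did not arrive over TLS.
RewriteCond %{HTTPS} off

# Limit the redirect to the login page and the admin directory.
RewriteCond %{REQUEST_URI} ^/(wp-login\.php|wp-admin(/|$)) [NC]

# Redirect to a fixed hostname instead of echoing the request's Host header,
# so a forged Host header cannot steer the redirect to another site.
# The original query string is carried over automatically.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
</IfModule>
```

If the site sits behind a proxy or load balancer that terminates TLS, `%{HTTPS}` is always off at the web server and this rule will loop, so the condition has to test whatever header the proxy sets instead. WordPress also has its own `FORCE_SSL_ADMIN` constant in wp-config.php, which enforces https for the admin area from the application side.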
The “https everywhere” initiative
HTTPS Everywhere is an initiative by EFF and The Tor Project. Google takes many criteria into consideration for search engine placement. Recently, Google started factoring in https. Think about it – it makes sense. If a business is investing in its presence by making a site more secure, it’s an indicator that the site is more legitimate and should be ranked higher in search engine results. Google is even recommending that normal, non-ecommerce sites use https.
Site speed and website hosting
One drawback to using a secure certificate is that it slows down websites. It can be quite a drag – especially on sites that use CMS’s like WordPress.
You can get around this problem by using a faster host such as Digital Ocean and optimizing your site with a caching plugin.
Can I secure the payment pages only?
This is technically OK, but may cause problems if you are integrating with Google Marketplace and similar services. Using SSL on every page is also a confidence booster for your customers. Many are accustomed to looking for the secure lock icon and may leave your ecommerce website if they don’t see it on all the pages.
Are you taking card information right on your website – or is it only taken by your merchant account’s gateway? Do you have a lot of transactions? What method are you using for your payment gateway (e.g., AIM, CIM, SIM, DPM for Authorize.net)? Using an SSL certificate may not be enough.
If you are taking down credit card numbers on your site – even if encrypting via SSL en route to a gateway – you may have to jump through some additional hoops to become PCI compliant. It depends on your practices and host setup. This is something that you should research before committing to a specific ecommerce strategy.
You may purchase hosting that is specifically configured for PCI compliance rather than undertake the labor to do this yourself. Because a PCI-compliant host is more expensive, it is probably a good idea for most small ecommerce businesses to use a page hosted on their payment processor’s website instead.
Lakenetwork is a family-owned business providing website design and development for companies, professionals and organizations in the Cleveland, Ohio area and beyond. We specialize in providing the most cost-effective and appropriate solutions for clients’ online needs. We are located in Eastlake, Ohio.