Is SSL necessary if only using PayPal Express?

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
14 years later
I'm pretty new to Ecomm...
I'm setting up a basic deployment of nopCommerce that will only use (for now) PayPal Express. So when the user goes into checkout... they will be redirected to the nice safe world of PayPal - so there is no worry about transmission/interception of credit card details.
BUT I'm still worried... if I don't use SSL - am I leaving a security hole regarding the user's nopCommerce registration account credentials?
14 years later
Thanks for replying.
Unfortunately I didn't get much from it - whatever thoughts / understanding you have... is not clearly put across. Developers do this a lot - they may understand something well, but are loath to take time to explain fully...   :(

One thing - don't you mean that... don't need SSL if DO use PayPal?
And isn't this only true for non-DIRECT versions that will leave the original (non-SSL) site?
14 years later
I think UK legislation requires SSL anywhere on a site where personal information is provided - I put a post

https://www.nopcommerce.com/Boards/Topic.aspx?TopicID=1942

I think one of the links there might help - I'm not completely sure where 'best practise' becomes 'legal requirement'
14 years later
I don't know that you're legally required to protect customer information by using SSL, however it IS a requirement of most Merchant and Gateway providers before they will issue your merchant id.

I say that with a caveat. If you use a gateway provider that performs the transaction completely off your site, then there's no requirement or benefit of having a certificate installed on your site. You would have to consult the terms of your provider.

On the flip side, if you collect personally identifying information from your customers then everyone expects you to treat it responsibly. By allowing customers to register on your site (but not perform CC transactions) you don't have to use SSL, but it would be nice.

If you are collecting credit card information on your site, then I believe legally you need to encrypt the data, and with PCI compliance, there are numerous other laws you will need to comply with as well.

I'm talking from a Canadian perspective. I don't know about UK.