Payment / SSL

Hi Chaps,

Bit of a newbie question regarding SSL Certificates and Payment Processing. I’m building an on-line shop and have got to the payment processing part.

I’m going down the Merchant Account / Payment Gateway route, rather than the third-party (PayPal) route.

What I need to know is whether I need to buy an SSL Certificate for my site as standard practice, and if I do, is it just the checkout/payment pages or the whole site?

If it is just the checkout pages, do I link to the pages through SSL like so:

<a href="https://www.domain.com/checkout.php">Continue to Checkout</a>

or would it automatically recognise that the page/directory is protected?

It depends how the integration to SagePay works. If they host the web page that is used to collect the payment information and your app never comes in contact with the credit card data, then you should be out of PCI scope.

If on the other hand your application does capture the credit card data, then you’ll need to comply with the PCI regs: https://www.pcisecuritystandards.org/security_standards/pci_pa_dss.shtml

You’ll also have to have your application audited for compliance (not fun plus expensive as an added bonus).

Is your app going to be used primarily in the UK?

I can help answer the easy part :)

…or would it automatically recognize…
Using /etc/httpd/conf.d/ssl.conf (or .htaccess in a local directory) you can force all connections to checkout.php to be SSL only.
You might as well also put https in the link too.
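As an added example of the two approaches mentioned above (this is not the poster's configuration, and the paths and file names are assumptions), the Apache fragment below first redirects any plain-HTTP request for checkout.php to its https:// equivalent with mod_rewrite, and then, as a hard stop, refuses to serve the file at all over plain HTTP with SSLRequireSSL. It assumes mod_rewrite and mod_ssl are loaded and that AllowOverride permits these directives if placed in a .htaccess file in the web root.

```apache
# Added example (not from the thread). Place in the site's .htaccess or inside the
# plain-HTTP <VirtualHost> for www.domain.com (hypothetical host name).
RewriteEngine On

# Redirect: if the request did not arrive over TLS and targets the checkout page,
# send the browser to the same URL on https:// so the card form is never rendered
# on an unencrypted connection. 301 = permanent, L = stop processing further rules.
RewriteCond %{HTTPS} !=on
RewriteRule ^checkout\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Belt and braces: even if the rewrite is bypassed or misconfigured, mod_ssl will
# answer a plain-HTTP request for this file with 403 Forbidden instead of serving it.
<Files "checkout.php">
    SSLRequireSSL
</Files>
```

The redirect is what a customer normally sees; SSLRequireSSL is the fallback that fails closed. Note that a redirect only helps if the link in the page still works over HTTP, which is why the reply above suggests writing the link with https:// directly: the browser then negotiates TLS from the first request and the card form is never requested in the clear at all.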

Hold on though, if I’m getting Merchant Services to handle the money and say someone like SagePay to secure the payment from the customer, do I still need to worry about PCI PA-DSS compliance, or would SagePay be covered? Then I would just need to secure the connections?

Cool, thanks for the reply. Are there resources/checklists on how to make sure that the application is PCI PA-DSS compliant?

If you are going to host your own page for collecting the sensitive payment info, you are going to want to have that page secured with an SSL cert as a bare minimum. If you host that checkout page, you will also come into scope of the PCI data security standards and your application must also be certified for PCI PA-DSS compliance.

A less painful solution would be to work with a payment gateway that offers a customizable secure checkout page such as www.paymentsgateway.com and their SWP Checkout solution. By using SWP Checkout, you and your application are pulled out of scope of PCI and you can also eliminate the need for an SSL cert.

Jeff