Can you offer a secure e-commerce site on a Virtual Private Server (VPS)?
In an ideal world, one would have their on Dedicated Server and a Server Admin, but requires lots of time and $$$ and experience that I do not have!!
Debbie
What kind of e-commerce site would are you looking for?
If it’s smaller (or non-existent =p) you may be able to go with a cheaper solution (while you’re small) like a shared host. For example, GoDaddy offers several e-commerce solutions on their shared hosting plans, which are as cheap as $4.99 (though I recommend going a step up to the $7.99). http://www.godaddy.com/hosting/web-hosting.aspx?ci=9009
There are several others that offer plans similar, I’ve just used GoDaddy for years and never had a problem, so I recommend them. I haven’t used them for e-commerce though.
Why in God’s name would anyone every put an e-commerce site on a Shared Server?! 
Debbie
To be honest, why not?
It all depends what you’re storing. If you aren’t storing credit cards (which I highly highly highly recommend against) there isn’t anything so private that you have to be crazy concerned about that kind of security.
As long as you have a secure site and an SSL, you can run an ecommerce site anywhere. I don’t recommend using shared hosting normally, but it’s not a bad way to start if you have very little money coming in from it, until you build up enough to pay for VPS/dedicated.
If you’re insistent on a VPS, GoDaddy offers that too at pretty good rates. Anyone substantially cheaper than them I wouldn’t trust. =p
You are serious… 
It all depends what you’re storing. If you aren’t storing credit cards (which I highly highly highly recommend against) there isn’t anything so private that you have to be crazy concerned about that kind of security.
All of the user’s credit card information will be on my website’s form - which is on the web host’s SERVER - long before it gets sent over SSL.
So when the Shared Server gets compromised, all of the customer’s credit card information goes out the window before it ever gets to the SSL connection…
That is one obvious reason.
As long as you have a secure site
Which you cannot guarantee with a Shared Server.
and an SSL, you can run an ecommerce site anywhere. I don’t recommend using shared hosting normally, but it’s not a bad way to start if you have very little money coming in from it, until you build up enough to pay for VPS/dedicated.
And when it gets hacked and it turns out you never reached PCI-DSS compliance, and you get you * ss sued off, then what???
If you’re insistent on a VPS, GoDaddy offers that too at pretty good rates. Anyone substantially cheaper than them I wouldn’t trust. =p
They have decent rates on Dedicated Servers too, but you need to know what you are doing. And I question if a VPS is secure enough.
Debbie
If you want to make your whole site PCI compliant for that… good luck.
How most non-gigantic e-commerce sites work is they get a third party to do the credit card processing. You implement their APIs and most, if not all (it should be all) have you submit the form to their site, not yours. The service then returns control back to your site, so the user rarely ever notices that their info went somewhere else.
Also when information is submitted, it actually goes through a LOT of servers before it every reaches yours. Open up a command window and do something like tracert google.com. When you submit a form to Google, that information travels through every single one of those servers. Not all of (in fact, probably most of them) are no likely to be PCI-compliant.
An SSL certificate works by giving it to the browser. This certificate, among other things, tells the browser how to encrypt the data. The browser encrypts the data using this certificate and then sends it in it’s encrypted form, which the server then decodes.
This means that the only security you have to worry about is the same you do with any normal site. Since you will have some information you’ll want to keep confidential (like sales history), it is important to make sure it’s secure. However, if that falls into the wrong hands it’s more annoying. When you start making a few hundred a month, then you can switch to a VPS or dedicated without burning a hole in your wallet.
If you are going to go for full PCI-compliance, you’re going to need a lot of money, more than even a dedicated server, video cameras, and a lot more. 
Like I said, a shared host isn’t great (for anything large), but it’s a perfectly valid option for a start-up.
Yes, that is how PayPal works.
Most e-commerce sites that stay in business do not send there clients to another website for payment processing and hope their customers return. (Which is what traditional PayPal does.)
I will be working with a Payment gateway, but when you are on my site, you are on my site! And when you enter you credit card info, you are still on my site until you hit “Submit” at which time your credit card data is sent over an SSL connection to the Payment Gateway.
So hosting an e-commerce site on a Shared Server is foolish.
In fact, even if you use the traditional PayPal - go to their site and then hope the user returns to yours - model, you still run a greater risk that your Shared Server could be hacked and thus pollute the process.
If the Shared Server gets hacked, and the hackers make it to your website, it doesn’t matter what you do from that point forward with handling payments.
Also when information is submitted, it actually goes through a LOT of servers before it every reaches yours. Open up a command window and do something like tracert google.com. When you submit a form to Google, that information travels through every single one of those servers. Not all of (in fact, probably most of them) are no likely to be PCI-compliant.
If I am working with a PCI-compliant Payment Gateway, then the connection should be directly between my website and their site.
An SSL certificate works by giving it to the browser. This certificate, among other things, tells the browser how to encrypt the data. The browser encrypts the data using this certificate and then sends it in it’s encrypted form, which the server then decodes.
This means that the only security you have to worry about is the same you do with any normal site. Since you will have some information you’ll want to keep confidential (like sales history), it is important to make sure it’s secure.
And if you have the unfortunate luck of being on a Shared Server with a porn site and a bit torrent site, then you are likely as safe as having an apartment in an aparment complex where your neighbors run a crack house! (The whole complex still burns down.)
However, if that falls into the wrong hands it’s more annoying. When you start making a few hundred a month, then you can switch to a VPS or dedicated without burning a hole in your wallet.
If someone got onto the Shared Server my site was on, they could steal Database Configuration (read passwords!!) info and compromise all of my customer data. They could also capture the data the user enters on my website BEFORE it makes it to PayPal or a Payment Gateway…
If you are going to go for full PCI-compliance, you’re going to need a lot of money, more than even a dedicated server, video cameras, and a lot more.
I’m sorry, but that is an ignorant statement.
If you knew anything about e-commerce, then you would realize the CC Payment Processor and Payment Gateway I am going with require some level of PCI-compliance…
It is not un-attainable, it just requires homework.
Like I said, a shared host isn’t great (for anything large), but it’s a perfectly valid option for a start-up.
I disagree 110%.
Debbie
If I am working with a PCI-compliant Payment Gateway, then the connection should be directly between my website and their site.
This isn’t physically possible unless you take the ethernet cable in your computer and plug into their server.
When you communicate with ANY website (or anything over the Internet, period) you are first routed to your router, your modem, a relay point for your server, and then dotted along various servers all over the planet on a path which eventually ends with you reaching your destination. They then create a response and the journey believes again.
How most non-gigantic e-commerce sites work is they get a third party to do the credit card processing. You implement their APIs and most, if not all (it should be all) have you submit the form to their site, not yours. The service then returns control back to your site, so the user rarely ever notices that their info went somewhere else.
Just because you are submitting a form to their site doesn’t mean the user every even sees their site.
Also, the SSL takes care of the encryption and security between the client and your server.
Now, if you’re server does get hacked, there is trouble. However being on a reputable shared host where they take care of the configuration for you is likely to be more secure than a VPS (or even dedicated) which you configure yourself. Most shared hosts isolate each website from one another so much that it’s very difficult to hack them through the server. Most are hacked by faulty code, which is the same exact risk on all options (including hosting the physical server in your own living room).
In fact, with the rise of virtualization, the difference between a shared host and VPS are a matter of resources, not structure. For example, I noticed GoDaddy now allows SSH access for their shared hosting accounts. This likely means that each one is a virtual server… i.e., a VPS.
For passwords, if you are storing cleartext passwords in your database there are other issues to worry about.
I also want to point this out: the fact that e-commerce shared hosts are even offered, at that software like Zen Cart has “certified” shared hosts means that not only is it relatively safe, it’s done all the time. If it wasn’t these guys wouldn’t offer this because it’d be way too much of a risk.
Also, my last statement was an exaggeration, but not by that much.
To be fully PCI-DSS compliant requires a whole lot. You have to get it tested repeatedly and all kinds of stuff that is very difficult to do for a small company.
FYI, you don’t HAVE to get tested to BE compliant… you have to get tested to get CERTIFIED as PA-DSS compliant (or HIPAA compliant), which is required to CLAIM compliance.
It’s not necessary to CLAIM compliance to be in business.
Disregarding the rest of the conversation above, there are only three things to understand regarding hardware requirements for e-Commerce:
-
If you’re using PayPal or Google Checkout, you can use shared hosting.
-
If you’re using a Payment Gateway and not storing CC info, you can use a single slice.
-
If you’re storing CC info, you should have minimum 2 dedicated servers (1 web, 1 db) and two firewalls (redundant) in a locked cage.
Cheers.
I agree with that.
I’d like to reiterate though that many shared hosts nowadays, thanks to the ease of virtualization, are essentially a mini-VPS, but just as secure. Not all, but some (and the number is probably growing).
No cPanel hosts are included in that.
cPanel can be used on single servers as well as virtual hosts, etc. cPanel doesn’t exclude the use of virtualization.
I still say you can use a shared host for a Payment Gateway site, virtualized or not.
The odds of a shared host being hacked through the server are far less than the odds of any server getting hacked because of faulty server-side scripts.
I won’t win this fight though and that isn’t the main point of this topic, so I’ll cut this off here.
Back on topic, GoDaddy is still a good source of VPS and dedicated servers. =p I’d also avoid HostGator. We had three servers through them and they are pretty pricey for what you get.
Not at all.
Until the user presses submit on a form, the information is only on their computer.
Correction.
Okay, but if my server (i.e. Shared Server) is compromised, then it is possible that they can hi-jack the user’s credit card information BEFORE it is sent over SSL.
Also, if the Shared Server is compromised, they can potentially get customer data from several sources (e.g. cookies, sessions, database, cached pages and files) and take over the customer’s data and the transaction.
Much harder for that to occur on a secure VPS or Dedicated Server.
Debbie
The SSL is always in place.
How an SSL works:
- User connects to page.
- The browser downloads the SSL cert.
- The user enters information.
- The browser encrypts the data with the SSL cert.
- The browser sends the encrypted data to the server.
- The server decrypts the data with the SSL cert.
It’s never transmitted unsecurely.
Yes, if the server was compromised, it can be caught, only on the server. However, like I said before, the odds of a shared server being hacked through the server is almost nil. Almost all hacking of sites are done through faulty server-side scripting (SQL injection, bad PHP code, etc).
Right, but the trick is your shared server is only as secure as the other 999 tennants scripts. Do you trust your neighbor to keep his wordpress install up to date?
Server wide compromises do happen nonetheless, even at big hosts, ask fasthosts, media temple, dreamhost etc. I generally agree that dedicated/vps are more secure as long as they are well maintained. If you’re a systems administrator there are additional security measures you can install that won’t generally be available on shared hosting.
That is certainly true.
I would never put an e-commerce site that generated even $500/mo on a shared host, since it can easily pay for it’s self.
However, my argument for shared hosting is if you’re not even making $100, and you aren’t storing any overly sensitive information on there, the cost-to-risk comparison makes it so you could reasonably host an e-commerce site on a -reliable- shared host, at least until it started to pay for itself on a VPS.
If you can afford a VPS or dedicated without putting yourself in a hole that you might not get out of, then go for it.
Hosting it on a cloud server could also be a reasonable solution. I know Rackspace clouds are essentially fancy VPSes and they cost as low as $0.03/hr (for 256MB). I usually recommend no less than 1GB for a production site ($0.12/hr) and 512MB for a dev site ($0.06/hr). We’ve been using them at work for various purposes and have had nothing but good things with them so far.
Having an SSL certificate does nothing with an HHTP connection.
Yes, if the server was compromised, it can be caught, only on the server. However, like I said before, the odds of a shared server being hacked through the server is almost nil. Almost all hacking of sites are done through faulty server-side scripting (SQL injection, bad PHP code, etc).
That was a complete contradiction.
If some yahoo on the same shared server as me has bad PHP or suffers from SQL injections, and the server gets compromised then MY WEBSITE is also at risk. And if my website is at risk, then all of that SSL stuff goes out the window…
Debbie