Web Security Issues

Your secure web-site questions answered

What are the security issues with taking payments online?

If you have an eCommerce/eBusiness site and you want to collect payments online, you either need a secure site, or you need to securely pass the purchase details to a site that is secure, which then acts as a payment gateway or reseller and saves you having to collect or process sensitive customer data on your own site.

There are several companies providing merchant services that negate the need for a secure site and a merchant account. Two are discussed in our page on online payments.

Another way of performing card verification is through a payment gateway. Again, the secure part of the transaction takes place on another site. Technically it is very similar to the above systems, but it is financially different, and you need a merchant account.

If you think that you would rather collect and process payment details within your own site, then you probably need a warrantied SSL certificate, a card verification service and a merchant account. This is the way to go if you want to keep total control of the look and feel of the user's experience by avoiding transfers to other sites. Keep reading if this sounds like what you need and you want to know more about SSL certificates.

What is HTTPS? Does my web site need it?

If you want to have a web site that is capable of passing information to and from your users in a safe and secure way, then you need an HTTPS enabled site and a secure certificate for SSL.

This is particularly useful for eCommerce web sites that process credit card payments or other sites that may handle private or personal data. Not only are your customers' personal payment details kept safe and secure, but your customers can verify that you are who you say you are, and check who the site they're buying from really belongs to. Anything that helps customers trust your site is useful, but genuine security is more important.

HTTPS is a system based on SSL that makes access to your web site secure. It allows you to utilise an encryption system designed to prevent anyone from listening in on the information passed to and from your web pages when accessed using HTTPS.

What is a secure certificate? Do I need one?

It's possible to use someone else's certificate and transfer to their site to complete the payment stage of your eCommerce. However, having your own certificate has some benefits, and the certificate itself is not particularly costly. If you have any doubts, we can help you decide what method to use.

Some merchant number issuers or card verification services may require you to have your own certificate to make online sales. Also, your own certificate can protect your entire site, and not just the payment area. This is useful if you collect or display sensitive data on many pages of your site. It can also help to generally reassure your customers because they see the padlock symbol in their browser on all your pages.

Some certificate vendors also sell 'click to verify' services: a special icon on your site allows the user to navigate to the certificate's issuing authority and see information about your company, showing that you are a genuine business. If you are performing eCommerce this can help boost customer confidence.

By having a certificate in your own name and a click to verify logo, you reduce the chance that fraudsters will try and impersonate your site somehow. You can also get insurance of various kinds.

Where can I get a secure certificate for my NetInvent web site?

As part of a web development package including HTTPS/SSL, we can recommend a certificate provider for you. If you have one of our web design packages, don't buy a certificate without talking to us first. We don't sell or resell certificates, and we don't have a special relationship with any provider, so we can offer impartial advice. It's then up to you to buy the certificate; it needs to be registered to you, but we will support you through the process.

If you have asked us to develop an HTTPS enabled site for you, the other associated costs of setting up the secure system will be included as part of your package quote.

If you just want a certificate for a non-commerce site, you could buy one for as little as AUD $20 per year. And for a certificate worthy of eCommerce you could spend as little as AUD $70 per year, though an AUD $130 certificate is what most eCommerce sites will prefer. InstantSSL, completeSSL, sslONE, GeoTrust, and DigiCert are some of the sources of more reasonably priced certificates. If you prefer higher prices then try Thawte / Verisign.

The more expensive certificates provide technically the same strength of encryption as the cheaper ones, but they include additional site verification and financial services, such as fraud warranties, fraud insurance, logo site verification schemes, authorised credit card logos, etc., which are all intended to increase user confidence in the site displaying these various logos.

Web Security Summary

  • A web site built on the right technology can be very secure.
  • SSL provides support for secure pages and encrypts everything a user sends - nobody else listening in on the connection can read the data.
  • Data theft is most easily performed by employees of the company it's stolen from - the technology is not to blame.
  • We implement strong security measures where necessary and follow good security practices.
  • Your data might even be safer on our servers than in your office.
  • You can help protect your site against most credit card fraud by following known good practice.
  • Call us to discuss security if you have any concerns.