Free shopping cart or commercial cart?
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Nov 15, 2011, 02:20 AM
 
One of the sites I help administer wants to move from retarded PayPal to an actual shopping cart/payment gateway system. The business already pays for two different hosting accounts, one of which provides a nice suite of auto-install web utilities. They have osCart installed already, for example, but they haven't done much configuring to it.

The owners are wondering if it makes sense to stay with a free solution that they already have, or if it's smarter to go with a dedicated hosted shopping cart from an ecommerce company. They're thinking primarily about the security and secondarily about support. I'm also wondering about SSL with a free cart; I don't have much SSL experience. . .

"The natural progress of things is for liberty to yield and government to gain ground." TJ
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Nov 15, 2011, 02:54 AM
 
Originally Posted by Big Mac View Post
One of the sites I help administer wants to move from retarded PayPal to an actual shopping cart/payment gateway system. The business already pays for two different hosting accounts, one of which provides a nice suite of auto-install web utilities. They have osCart installed already, for example, but they haven't done much configuring to it.

The owners are wondering if it makes sense to stay with a free solution that they already have, or if it's smarter to go with a dedicated hosted shopping cart from an ecommerce company. They're thinking primarily about the security and secondarily about support. I'm also wondering about SSL with a free cart; I don't have much SSL experience. . .

This is a very big question.

Before you dive in, I'd suggest having this person research the costs of a merchant account to see if this is really something he wants to get into. Some payment gateways include:

PayPal Payments Pro
Authorize.net (AIM)
Psigate
Beanstream
QuickBooks Merchant Services
Amazon SimplePay

There are multiple PayPal credit card services, including the pro option, which allows you to process cards on your domain, so don't be too quick to dismiss PayPal (they also provide a shopping cart service).

Once you've established the costs involved, if it makes financial sense there are a number of open source ecommerce packages. Find one that supports the payment system that makes the most financial sense to you and assess whether it has good documentation, the sorts of features you would need (there are *many* features a store can have: different mechanisms for creating sales, ways of handling shipping, etc.), and is available in a language that you are comfortable working with.

Alternatively, you could write your own shopping cart system if you have some programming chops. I know this sounds scary, but a basic shopping cart UI is pretty simple. You can integrate payment options via a library such as this one that works with the CodeIgniter PHP framework: CodeIgniter Sparks | codeigniter-payments. If you can find some code that has been tested and seems to work well in supporting the payment systems, accounts for all of the sorts of things that can go wrong (e.g. a credit card being refused), and seems fairly straightforward in being able to issue refunds and stuff (if necessary), this could be an option.

Otherwise, there are a number of e-commerce platforms you can look at if this sounds scary.

I'd research some costs, including the costs to build your own thing with the resources you have, write a checklist of features your store must have, and see if the features of one of these ready-made platforms line up at a sensible cost.

There are tons of variables here to research and account for; setting up and installing an SSL cert is probably the least of your concerns, comparatively speaking.
Big Mac  (op)
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Nov 15, 2011, 03:05 AM
 
Thank you for the helpful reply, besson. I am familiar with gateway/merchant account costs and they're acceptable. I know that we're no longer satisfied with PayPal and its opaque corporate practices. PayPal works great, until it doesn't.

I don't think I'll be writing my own shopping cart any time soon, but I do think if I could be confident in its security, a free shopping cart sounds like a better option than a hosted one because I know they're not complicated pieces of software that I should be able to manage myself.

But my main concern is customer security. I don't know too much about SSL certs, specifically how they're paired to specific web pages/domain names to ensure proper https security. I guess I have to read up on that. Secondarily, I don't know the ins and outs of how to configure the cart so that it communicates with the gateway correctly, but I've heard that's not difficult. The appeal of a hosted cart is that the company doing the hosting handles security, gateway/merchant matters, and has real customer support, which you can't get from a free solution.
( Last edited by Big Mac; Nov 15, 2011 at 03:12 AM. )

besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Nov 15, 2011, 03:29 AM
 
Originally Posted by Big Mac View Post
Thank you for the helpful reply, besson. I am familiar with gateway/merchant account costs and they're acceptable. I know that we're no longer satisfied with PayPal and its opaque corporate practices. PayPal works great, until it doesn't.

I don't think I'll be writing my own shopping cart any time soon, but I do think if I could be confident in its security, a free shopping cart sounds like a better option than a hosted one because I know they're not complicated pieces of software that I should be able to manage myself.

But my main concern is customer security. I don't know too much about SSL certs, specifically how they're paired to specific web pages/domain names to ensure proper https security. I guess I have to read up on that. Secondarily, I don't know the ins and outs of how to configure the cart so that it communicates with the gateway correctly, but I've heard that's not difficult. The appeal of a hosted cart is that the company doing the hosting handles security, gateway/merchant matters, and has real customer support, which you can't get from a free solution.
To set up SSL your domain needs to be served from a dedicated IP address (you'll need to check if your host provides this as an option), you'll need to have the cert created, and you'll either need to have your host install it or install it yourself if this is a VPS.

This cert will secure all traffic between the user's browser and the server so that the credit card information that is sent is encrypted. This is all the cert will buy you in terms of enforcing security; it doesn't force encryption between your server and the payment gateway. The plugins for supporting the various payment gateways will initiate connections to these gateways with something like cURL, and these libraries will be responsible for SSL handshaking between the two points. cURL is used by a lot of stuff and it does indeed support SSL handshaking, so traffic can be encrypted, but there are no guarantees that there will not be bugs that can be exploited, older versions with security issues if you are on a shared host, etc.

Really, as far as you're concerned all you can do is ensure that traffic is being encrypted, and you are running a version of whatever transport you are using that has no known problems (cURL is often implemented via a PHP extension for PHP based e-commerce solutions). There is risk involved with some sort of hosted e-commerce solution too, although the whole liability thing is different.

If you are comfortable with the risk of trusting an open source e-commerce thing and are comfortable with installing and setting up something like this, go for it.

An SSL cert is not server specific, it is domain specific. IOW, if you change hosts, as long as your domain stays the same and the web server type is the same your cert will continue to work just fine.
Big Mac  (op)
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Nov 15, 2011, 04:00 AM
 
Very interesting, thank you very much. So let me ask you this, if SSL is pretty easy to deal with, why isn't nearly everything SSL encrypted? (Especially for major sites that can easily afford the certs.) Speed/resource penalty? Apathy?

Also, let's say I want to have all my cart pages secured. I have a subdomain store.mydomain.com that currently points to my store in unencrypted form. How does the process go to get SSL running?

1. Buy SSL cert for domain name.

2. Do Something in CPanel???

3. Pages are magically encrypted/Profit
( Last edited by Big Mac; Nov 15, 2011 at 04:06 AM. )

besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Nov 15, 2011, 04:14 AM
 
Originally Posted by Big Mac View Post
Very interesting, thank you. So let me ask you this, if SSL is pretty easy to deal with, why isn't nearly everything SSL encrypted? Speed/resource penalty?
Yes, that, the costs of an SSL cert, needing a dedicated IP address for it, the extra complexity, the inconvenience of having to install new certs whenever old ones expire, etc.

Also, let's say I want to have all my cart pages secured. I have a subdomain store.mydomain.com that currently points to my store in unencrypted form. How does the process go to get SSL running?

1. Buy SSL cert for domain name.

2. Do Something in CPanel???

3. Pages are magically encrypted/Profit
Pretty much, but with the caveats that your host supports SSL cert installation, that your transactions with your payment gateway are encrypted, and that you of course need secure practices with your site in general (e.g. do not email users' passwords to them), secure all forms against attacks such as XSS (cross site scripting) so as not to expose your database, and keep dependencies up-to-date or insist that your host do this.

You'll also definitely want to make sure that your practices are compliant for your legal protection. I can't remember the four-letter acronym, but there is a credit card transaction standard. The Cliff's Notes version of this is that you do not store CVV codes, you never show entire credit card numbers (just the last four digits), you encrypt everything, etc.
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Nov 15, 2011, 04:17 AM
 
The standard is PCI, 3 letters, not 4

https://www.pcisecuritystandards.org/
( Last edited by besson3c; Nov 15, 2011 at 06:00 AM. )
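The two points besson3c raises above, the server-to-gateway leg needing its own verified TLS connection and the PCI rule of keeping only the last four digits and never the CVV, as an added PHP example that is not code from the thread or from any cart project. The gateway URL, the POST field names and the JSON reply shape are hypothetical placeholders; the CA bundle path is the usual Debian location and may differ on your host.

```php
<?php
// Added example; gateway URL, field names and reply format are hypothetical.

/* Send a card authorisation to the gateway over TLS with certificate and
 * hostname verification enforced. Returns the decoded reply or throws. */
function postToGateway(string $url, array $fields, string $caBundle): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
        // The weak setting is VERIFYPEER => false / VERIFYHOST => 0: traffic
        // is still encrypted, but to whoever answers for the DNS name.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("Gateway request failed: $err");
    }
    $reply = json_decode($body, true);
    if (!is_array($reply) || empty($reply['transaction_id'])) {
        throw new RuntimeException('Unexpected gateway reply');
    }
    return $reply;
}

/* The only card data the store keeps: last four digits, expiry and the
 * gateway's reference. The full number and the CVV are deliberately absent. */
function storableCardRecord(array $card, string $gatewayRef): array
{
    $digits = preg_replace('/\D/', '', $card['number']);
    return [
        'last4'       => substr($digits, -4),
        'exp_month'   => $card['exp_month'],
        'exp_year'    => $card['exp_year'],
        'gateway_ref' => $gatewayRef,
    ];
}

// Constructed usage: the full card goes to the gateway only; the masked record is what is persisted.
$card   = ['number' => '4111 1111 1111 1111', 'cvv' => '123', 'exp_month' => '12', 'exp_year' => '2014'];
$reply  = postToGateway('https://gateway.example/authorize', $card + ['amount' => '19.99'], '/etc/ssl/certs/ca-certificates.crt');
$record = storableCardRecord($card, $reply['transaction_id']);
unset($card); // drop the full number and CVV as soon as the gateway has them
```

On a shared host, also check `curl_version()['version']` and `curl_version()['ssl_version']` against the vendor's advisories, since the verification options above only help if the underlying library itself is current.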