j_uprichard
10-07-2004, 09:36 AM
I am slightly new to e-Commerce. Currently setting up an osCommerce store. Nevertheless, I am interested in finding out more information about SSL.
If I obtain access to a secure server, do I place an order form on it that asks for people's cc details along with shipping destination, product info etc.? On submit where is this information stored/sent to? Can it be sent to an email account like form mail (only it is encrypted along the way)?
I guess what I'm trying to find out is: If I go down the route of a secure server, what is the entire process? i.e. how does it work?
Thanks in advance, J
cdgcommerce
10-07-2004, 09:41 AM
In terms of a step by step list, you'll need to set up all of the following for most implementations:
1. A hosting account (or server) with SSL capability
2. Your own SSL secure certificate (in most cases)
3. Your own merchant account
4. Your own payment gateway account
5. osCommerce installed on your server along with the SSL certificate and configured properly for use with the gateway
j_uprichard
10-07-2004, 09:55 AM
Thanks very much for the quick response cdgcommerce...
PART 1
--------
Is it possible to set up osCommerce linked to:
a) a payment gateway or else
b) internet merchant account and payment service provider,
without SSL. I thought the payment gateway or PSP accepted responsibility for the security?
PART 2
--------
Also, if I want to sell for example, only 4 products and I script an order form for the buyer to enter their cc details etc. This will obviously need to be on a secure server. Is it possible to proceed without the need of a PSP/payment gateway? i.e. using an offline PDQ machine. If so, what needs to happen when the buyer clicks 'Confirm Purchase'.
Again TIA, J
jwaldron1973
10-07-2004, 09:59 AM
Yes... osCommerce has direct integrations with many gateways that will allow you to use the secure server of the gateway and not have to go out and buy your own. If it was Authorize.Net you were looking at, then you would want to look at the SIM method of connection, not AIM. AIM is if you have your own secure server.
John
jwaldron1973
10-07-2004, 10:07 AM
In regards to your question below you could do just that and integrate to the Authorize.Net SIM connection. In this case your customer would not be entering the Credit Card information on your site. This method would allow you to avoid buying a secure server. Check out this link for information on the SIM method of connection with Authorize.Net:
http://www.e-onlinedata.com/merchantaccounts/SIM_guide.pdf
Hope this helps!
John
--------
Also, if I want to sell for example, only 4 products and I script an order form for the buyer to enter their cc details etc. This will obviously need to be on a secure server. Is it possible to proceed without the need of a PSP/payment gateway? i.e. using an offline PDQ machine. If so, what needs to happen when the buyer clicks 'Confirm Purchase'.
Again TIA, J
cdgcommerce
10-07-2004, 10:08 AM
You can set up osCommerce for use with various third party processors and payment gateways that have the capability to provide the secure ordering page on their side.
For instance, there are contributions for PayPal, 2Checkout and many others where the ordering page is on the side of the processor and not on your own server.
Now if you are wanting to set up a secure order form to process your sales by another means - definitely check with your merchant account provider first to make sure that the method you choose is acceptable to them and for the type of account that you have.
At minimum, you would then want a secure page set up and you would then need to securely be able to receive that information in an encrypted and secure format. (i.e. PGP-encrypted email or another suitable format)
It is really advisable under most circumstances to just have the data transmitted and handled by a payment gateway. Trying to maintain security for card data is a non-trivial process and you'd want to review things such as the Visa CISP guidelines as a starting point on that.
Please let me know if this answers your question or what we can all help you further on.
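The three setups discussed in this thread (an order form e-mailed form-mail style, a gateway-hosted payment page, and a self-hosted secure order form) can be told apart by inspecting the order page itself. The following is an added example, not part of any post in the thread; the field-name heuristic, the finding labels and the shop.example / gateway.example hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic field-name pattern for card data (an assumption of this example).
CARD_FIELD = re.compile(r"(cc|card)[_-]?(num|no|cvv|cvc|exp)|cvv|cvc", re.I)

class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            self.forms[-1]["fields"].append(a.get("name") or "")

def audit_order_page(page_url, html):
    """Return one finding label per form found on the page."""
    collector = FormCollector()
    collector.feed(html)
    page = urlparse(page_url)
    findings = []
    for form in collector.forms:
        # Resolve relative actions against the page URL before judging the scheme.
        target = urlparse(urljoin(page_url, form["action"]))
        takes_card = any(CARD_FIELD.search(n) for n in form["fields"])
        if not takes_card:
            # No card fields here: the buyer types the card on the gateway's page.
            offsite = target.scheme == "https" and target.netloc != page.netloc
            findings.append("gateway-hosted" if offsite else "no-card-data")
        elif target.scheme == "mailto":
            findings.append("card-data-emailed-in-clear")
        elif page.scheme != "https" or target.scheme != "https":
            findings.append("card-data-without-ssl")
        else:
            findings.append("self-hosted-over-ssl")
    return findings

# Constructed sample pages (hypothetical hosts and field names).
FORM_MAIL = '<form action="mailto:orders@shop.example"><input name="cc_number"><input name="ship_to"></form>'
HANDOFF = '<form action="https://gateway.example/pay" method="post"><input type="hidden" name="amount" value="19.99"/><input type="submit"/></form>'
OWN_SSL = '<form action="process.php" method="post"><input name="card_number"><input name="card_exp"></form>'

if __name__ == "__main__":
    print(audit_order_page("https://shop.example/order.html", FORM_MAIL))
    print(audit_order_page("http://shop.example/checkout.php", HANDOFF))
    print(audit_order_page("https://shop.example/order.php", OWN_SSL))
```

A "self-hosted-over-ssl" result only covers transport; how the submitted card data is stored and delivered afterwards still has to be encrypted separately.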
j_uprichard
10-07-2004, 10:54 AM
Thanks to both of you for your great replies.
I didn't realise there was as much to the secure order form... I thought it was a lot simpler. Is this method (secure order form - with no payment gateway) employed by many people?
I guess I'll stick to osCommerce with payment gateways. Regarding the low budget and low no. of products alternative, I suppose I'll use PayPal's merchant tools of simply "Buy Now" or "Add to Basket".
Thanks again, Jamie
CDGJerry
10-07-2004, 10:55 AM
Only thing I have on this is that if you have your own secure server you need to make sure your IT person keeps up on all the security risks. This is nothing to be lax in. One hack and all information is now in someone else's hands.
One night you are all OK, next morning you are a wreck.
I have never been around an ecommerce server that has been hacked but I have been around many many other servers that have been hacked.