Information on Merchant Accounts,
Ecommerce and Credit Card Processing

January 24th, 2006 by Jamie Estep

SSL Certificates for Online Merchants

Filed in: Ecommerce, Merchant Accounts

When processing credit cards and other electronic forms of payment over the internet, security is a major concern. An SSL (Secure Sockets Layer) certificate enables your website to maintain a secure connection between the user and your website. To access a web page over a secure connection, all you need to do is replace the ‘http://’ with ‘https://’ in the address bar. The extra ‘s’ denotes that you would like the connection to be secure. When a secure connection is established, a small padlock will appear in the lower right corner of the web browser window.

A secure certificate can be obtained in one of two ways…

Generating your own certificate:
You can generate your own certificate through your web server or web host if they allow it. This method is easy and theoretically perfectly secure, but when you do this, your visitors will be prompted with an ugly error message, as seen in the picture on the right, if they try to access your website through a secure connection.

Buying a certificate from a trusted issuer:
By purchasing a certificate from a trusted issuer, you will eliminate the ugly error message associated with generating your own certificate, and you will also be showing your visitors that you care enough about their security that your site is secured by a trusted 3rd party organization. When you set up a certificate with a trusted company, they will normally do some sort of business verification to ensure you are who you claim to be. Once approved by the issuer, you will generate a document called a CSR (Certificate Signing Request) with your web server. This document contains information pertinent to your business and website, and is encrypted. The issuer will then verify that the encrypted data is correct and matches the data that they have about your company. Once verified, they will issue a secure certificate, and you can copy and paste the encrypted code into the correct file on your web server.

Now when you type https://yourwebsite.com, instead of http://yourwebsite.com, a small lock will appear in the lower right corner of the site indicating the site is secure.

Common Problems:
The most common problems when getting set up with an SSL certificate are not specifying the correct subdomain when your certificate is issued, and having non-secure elements on a web page.

Incorrect Subdomain:
When you set up your certificate you must specify the exact URL the SSL certificate is going to be applied to. https://www.mysite.com is not the same as https://mysite.com. If you set up an SSL certificate for the www version, it will not work for the non-www version, and vice versa. Make sure you do this right from the start, as most issuers will not give you a second chance if you mess this up.

Non-secure elements on a web page:
Sometimes your certificate is set up and installed, and you get an error message about a page containing insecure items. This is normally caused by images or JavaScript that are linked from a non-secure version of the website.

For images use:
<img src="./images/thispict.jpg"/>
and not:
<img src="http://www.mysite.com/images/thispict.jpg"/>

The second image will create an error message, because it is not hosted on a secure domain as denoted by the address (http://).

Where to get an SSL Certificate:
SSL certificates vary in price from one trusted issuer to another, even though they do the exact same thing. When you get an SSL certificate from a 3rd party, you are paying for the endorsement of their name as well as the security. A very well trusted organization like Verisign charges more for a secure certificate than a lesser-known issuer. You are also paying for the verification process. The more in-depth the verification process, the more expensive the certificate is, and the more trusted the name of the issuer is.

Recommended certificate issuers by price (low to high):
GoDaddy SSL: http://www.godaddy.com/gdshop/ssl/ssl.asp
Geotrust: http://www.geotrust.com/
Thawte: http://www.thawte.com/
Verisign: http://www.verisign.com/
