For the quickie recap:
In Part 1, I laid out all the underlying parts that make e-commerce (that is, the online exchange of money for goods or services) technically happen. Here’s that graphic again.
And in Part 2, I explained the difference between hosted software/services and self-hosted software/services.
Now, I think you’re ready for the hard part (and by “hard” I really mean “intimidating”): internet security and SSL certificates.
what’s the deal with internet security?
There’s a reason why, when e-commerce first became a thing, people were afraid to enter their credit card information. In theory, the risk of putting your credit card on the internet was greater than the risk of carrying it around with you, because somehow, some way, a hacker might be able to intercept the data without you even knowing about it.
The reality is less dramatic. In fact, I recently watched a special on the CNBC news network about the world’s greatest hackers to date. Want to know something ironic? They got credit card numbers all right. But this particular group of young men made their fortune by using the internet to hack into the systems of actual, brick-and-mortar store credit card swiping machines.
So whether it comes from a machine in a store or a form online, the way we now know to protect sensitive information whenever it is electronically transferred is to encrypt it. This means scrambling the data with a code so that anyone who intercepts it along the way can’t read it. (I’m not a nostalgic Star Wars fan myself since I never did watch the movies as a kid, but if it’s helpful you might think of encryption like “the Force:” a powerful energy field that powers and protects!)
The way we encrypt the information traveling to and from a website is to install an SSL certificate on it. You can Google “SSL certificate” for all the information you could want, but really, you don’t need to understand what it is. All you must know is that you need an SSL certificate to encrypt your payment pages. Well, and that failure to do so is considered illegal.
getting out of it
Sounding like something you’d rather not be involved with? The good news is you can get out of taking security measures by using services like the ones I described in Part 2: a completely hosted website (Examples: Shopify, Bigcommerce, Volusion) or a hosted payment page (Examples: E-Junkie, PayPal, Wirecard, 2Checkout.)
Should you go this route, the credit card information entered on your site is going to be encrypted. You’re just not the one who’s going to be responsible for it. Shopify or E-Junkie or 2Checkout will have set it up on your behalf.
The consequence of this is that you’ll likely be paying more. If you are tech-averse to some kind of extreme, and you factor in the cost of the time it takes to set up your own SSL certificate, then your situation could be an exception. But, in general, it’s going to cost more in monthly fees or sales percentages when things like this are handled for you.
reasons why you might have to leave it to someone else
There are also cases in which setting up your own SSL certificate is just not an option, even if you wanted to.
For instance, let’s say you have a self-hosted WordPress website, and you use Bluehost as your web hosting provider. I know from personal experience that it’s only possible to use an SSL certificate on your account’s primary domain name. So if you host 5 websites from your Bluehost account, and then you decide you want to set up an SSL certificate on the 3rd one, you will be disappointed.
Now, if you’ve never had a self-hosted website, and this doesn’t make much sense to you, don’t get hung up. I only point this out to encourage you to read up on this sort of thing in the Help section of your current host or any web host you consider using in the future so you’re well-prepared. All of them have their own rules, although you’ll find them to be similar.
(In case you’re wondering, my solution with Bluehost was to open a special Reseller’s account so I could continue to host all my websites from the same place, with separate SSL certificates.)
how to set up an ssl certificate yourself
Finally, the setting up of the SSL certificate. This is what you must do if your website is going to be 100% self-hosted. But good news: This is practically no work at all! That is, as long as you buy the SSL certificate from your own web host. Almost all of them offer automatic SSL certificate installation, so you just find where in your cPanel you can buy one, purchase it, and let the tech people do the rest.
If you were to buy an SSL certificate from another website, let’s say NameCheap.com, and you wanted to install it on your Bluehost website, then configuration would be complicated. Not impossible, of course, but there are just some steps to go through. (If you’re really curious, you can view those here.)
But as long as you bought your SSL certificate from your web host, the only thing you have to worry about is sending your customers to https://www.yourdomainname.com/checkout for checkout rather than the regular http://www.yourdomainname.com/checkout, since that version won’t be protected.
(Note one possible hiccup: If your payment pages contain images or other resources like stylesheets and scripts with absolute URLs, you’ll need to make sure those web addresses are changed to “https” as well on the payment pages. If you don’t, your customers might get a warning in their browser that the page contains both secure and insecure elements. The solution is to use relative web addresses like “../images/yourimage.jpg” because your customer’s browser will automatically load those items over the same secure connection as the page itself. If you need more examples of absolute URLs vs. relative URLs in order to make this change, a quick Google search’ll do ya.)
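To find those leftover “http” addresses before your customers’ browsers do, here is a small checker, added here as an example (it is not from the original post). It assumes Python 3; the names find_mixed_content and MixedContentFinder and the sample page are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser fetch a sub-resource for the page.
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "source": "src",
                  "audio": "src", "video": "src", "link": "href"}

class MixedContentFinder(HTMLParser):
    """Collects sub-resources that a page would fetch over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, address as written, address as resolved)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> is only checked when it loads a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        value = attrs.get(RESOURCE_ATTRS.get(tag, ""))
        if not value:
            return
        # Resolve the way a browser does: relative and "//host/..." addresses
        # inherit the scheme (http or https) of the page they sit on.
        resolved = urljoin(self.page_url, value)
        if urlparse(resolved).scheme == "http":
            self.insecure.append((tag, value, resolved))

def find_mixed_content(page_url, html):
    """Return every resource on the page that would load insecurely."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed sample checkout page (not taken from a real site).
SAMPLE_PAGE = """
<link rel="stylesheet" href="http://www.yourdomainname.com/css/shop.css">
<script src="//www.yourdomainname.com/js/cart.js"></script>
<img src="../images/yourimage.jpg">
<img src="http://www.yourdomainname.com/images/logo.png">
<a href="http://www.yourdomainname.com/">Back to shop</a>
"""

if __name__ == "__main__":
    page = "https://www.yourdomainname.com/checkout"
    for tag, value, _ in find_mixed_content(page, SAMPLE_PAGE):
        print(f"insecure <{tag}>: {value}")
```

The ordinary link back to the shop is not flagged, because a link the customer clicks is not loaded as part of the payment page; only the stylesheet and the logo with hard-coded “http” addresses are reported.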
So now that we’ve gotten through all the scary stuff, I’d love to know what you think! Do you feel better now about handling security on your own website? Still prefer to have it handled by someone else? Any comments or questions welcome; leave them for us below!