# If I use CubeCart or ZenCart do I need an SSL?



## JTNO

I was just confused by a post I saw earlier, but if I use CubeCart or ZenCart and accept credit card payments on my website through these programs, do I need an SSL certificate? Thanks for the help.


----------



## myk5

You have some options relating to how credit card transactions happen on your website. If you use PayPal, for example, that would mean you're using PayPal's service to encrypt the data and make the transaction secure.

If you're using a bank to handle the credit card transaction, then the responsibility for making the transaction secure is your responsibility.

An SSL certificate enables you to make a secure encrypted 'https' page, for the moment a customer enters credit card data. The brand of the SSL certificate can be reassuring to some customers. Some browsers change the color of the address bar when they can verify the identity behind an SSL certificate, giving more reassurance to a customer.

Last year when I was buying SSL certificates I found the most well-known certificate, Verisign, is also the most expensive and has some of the weakest encryption - you're paying for the brand. The best deal I found was the GoDaddy SSL certificate, which has some of the strongest encryption and some of the most affordable pricing.


----------



## Rodney

JTNO said:


> I was just confused by a post I saw earlier, but if I use CubeCart or ZenCart and accept credit card payments on my website through these programs, do I need an SSL certificate? Thanks for the help.


Yes, if you have your own merchant account to accept credit cards, you would need to purchase an SSL certificate to be installed on your web host to use in conjunction with CubeCart/ZenCart/osCommerce.

That way, when it comes to the final checkout screens, the customer will be browsing your site via the https (instead of http) version of your website address. There's usually a setting you need to change in the shopping cart to enable SSL checkout.

I usually get the Quick SSL certificate from ThePlanet for $49 https://ssl.theplanet.com/?SslType=QuickSSL


----------



## E-Dawg

Setting up the SSL (Secure Sockets Layer) is pretty technical and requires good webmaster skills. You must purchase it, usually from your web host, and the better the encryption the more costly the SSL.

If you do not have at least intermediate webmaster skills, setting up a cart integrated with a merchant account and SSL can be daunting. In the beginning it might be more efficient to stick with PayPal as you will use their SSL and payment gateway.

It works very well and offers many options even down to the graphic Buy Buttons. Their fees are reasonable as well. Setting up your own merchant account will cost you a set-up fee and other assorted per transaction and monthly fees.

As far as the GoDaddy SSL... Being a former tech support specialist there, I'm just saying, avoid.

Good luck!


----------



## apt5tees

Re: SSL Certificates -- new to the forum here -- however, I am currently employed at a major Certificate Authority and can answer questions on SSL certs. Two things I would like to point out are that there are different validation levels with SSL and two, in many states, it has become law that if you are directly accepting CC, you MUST be PCI compliant. www.pcisecuritystandards.org


----------



## pdpatch

A common myth in the US is that "By law you must be PCI Compliant". There is no such law, State or Federal; some credit card companies and payment gateways suggest or require you be in compliance with PCI standards. Now if you get hacked or have a compromise, the credit card companies can try and fine you and other things. But if you refuse to pay then you can't do credit card transactions. So most people assume it's the law, but it's not. Now compromised personal data is another issue that there are some state and federal laws about.

In the US, payments and bank transactions are regulated by federal law, not state law.

As far as an SSL goes, it's not required. But the perception your customers will have if you don't have one is that they will go someplace else that has one.

So the bottom line is no, you don't have to, but if not, you will not get good customers.

Tom


----------



## apt5tees

pdpatch said:


> A common myth in the US is that "By law you must be PCI Compliant". There is no such law, State or Federal; some credit card companies and payment gateways suggest or require you be in compliance with PCI standards. Now if you get hacked or have a compromise, the credit card companies can try and fine you and other things. But if you refuse to pay then you can't do credit card transactions. So most people assume it's the law, but it's not. Now compromised personal data is another issue that there are some state and federal laws about.
> 
> In the US, payments and bank transactions are regulated by federal law, not state law.
> 
> As far as an SSL goes, it's not required. But the perception your customers will have if you don't have one is that they will go someplace else that has one.
> 
> So the bottom line is no, you don't have to, but if not, you will not get good customers.
> 
> Tom



Depends on your state for PCI being law--google it.


----------



## pdpatch

The link below is to the PCI site that maintains the PCI standard:

PCI Compliance Guide Frequently Asked Questions

Here it says it's not the law.

"PCI is not, in itself, a law. The standard was created by the major card brands such as Visa, MasterCard, Discover, AMEX, and JCB. At their acquirers/service providers discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. For a little upfront effort and cost to comply with PCI, you greatly help reduce your risk from facing these extremely unpleasant and costly consequences."


But whenever you collect payment that has been made using a credit card, then you should have signed an agreement or contract.

When you did, it has a clause in it about having your web site in compliance with the PCI standard. Some really old contracts may not have been updated, but in all new ones for legitimate merchant providers and gateways it's there.

If your site does get compromised and it's traced to you, most likely the card companies who back the cards (Visa, MasterCard, etc.) will levy a fine against you. If you refuse to pay then fine. They will arrange for you not to be able to use your merchant account, and most likely sue you for the cost of fixing it.

There are some reporting requirements if your site does get compromised and you should bookmark the above site to assist you. If you follow the reporting requirements at the link then your liability will be reduced.

Tom


----------



## mikediablovt

At a minimum you should use an SSL certificate to put potential customers at ease. For the $89 they cost, they let the customer know their Credit Card Info is passed encrypted to the server.

Mike


----------



## WYSS

I'm using Zen without SSL (I plan to get one later). I have a PayPal merchant account, which allows me to accept credit card payments from people who DON'T have or want to use a PP account.


----------



## myk5

WYSS said:


> I'm using Zen without SSL (I plan to get one later). I have a PayPal merchant account, which allows me to accept credit card payments from people who DON'T have or want to use a PP account.


Understand what SSL actually does and what people think it does.

SSL, what it actually does is encrypt information being sent from a web browser to a web server, in the case of credit card information this is critically important.

To low-information web surfers, an SSL certificate is a magical thing that makes their visit to your website safe and suggests you are an honorable vendor. It does this because many web browsers will turn different colors if the SSL certificate doesn't exist, exists and is out of date, or exists for a different domain than the one you are visiting... often turning the menu bar red or issuing an explicit warning.

This is how Verisign is so popular, they have brand name recognition. But if you look at the strength of the encryption used, Verisign may be the weakest SSL (it was about 4 years ago when I researched this all thoroughly). The graphic design of the logo you place on your site alerting people to your SSL is as or more important to web surfers than the fact it works, and is almost as important as the name recognition.

That said, if PayPal actually collects the credit card information and on a separate domain than your domain, that is, your customers do not give you credit card information at all, they enter it in a pop up or other page from PayPal's domain, with PayPal's SSL - then there is no reason you must have SSL for your domain.

Except it does feel more professional to a web surfer if they do not leave your domain to secure their purchase. It should, SSL certificates and merchant services aren't dirt cheap.


----------
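Added example, not part of the original thread: the distinction the replies keep returning to is where the card number is actually typed and sent. This sketch scans a checkout page's HTML and reports, for each form that asks for card data, whether it posts unencrypted, to your own server over https, or to a third-party https host; a page that only hands the buyer off to the processor's own page reports nothing. `FormScanner`, `audit_checkout`, the `CARD_HINTS` name fragments and the `shop.example` / `processor.example` domains are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: name fragments that suggest a card field (not taken from any cart).
CARD_HINTS = ("card", "cc_", "cvv", "cvc")

class FormScanner(HTMLParser):
    """Collect each form's action URL and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_checkout(page_url, html):
    """Return (verdict, target) for each form that asks for card data."""
    scanner = FormScanner()
    scanner.feed(html)
    results = []
    for form in scanner.forms:
        if not any(h in f for f in form["fields"] for h in CARD_HINTS):
            continue  # no card fields, e.g. a button that hands off to a processor
        # An empty or relative action posts back to the page's own origin.
        target = urlsplit(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            verdict = "unencrypted"
        elif target.hostname == urlsplit(page_url).hostname:
            verdict = "own-server-https"
        else:
            verdict = "third-party-https"
        results.append((verdict, target.geturl()))
    return results

# Constructed sample pages (shop.example and processor.example are placeholders).
OWN_FORM = '<form action="/checkout.php"><input name="cc_number"><input name="cvv"></form>'
HANDOFF = '<form action="https://processor.example/pay"><input type="hidden" name="item"></form>'
if __name__ == "__main__":
    for url in ("http://shop.example/cart", "https://shop.example/cart"):
        print(url, audit_checkout(url, OWN_FORM), audit_checkout(url, HANDOFF))
```

Matching on field names is a heuristic; a cart that names its card fields differently needs its own entries in `CARD_HINTS`.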

