WiseBizz - Your online resource for success in both home and office business matters...

Shopping Cart System

How to ensure your shopping cart system is secure

With tales of internet fraud stealing ever more column inches, today's online shoppers demand a watertight shopping cart system before they'll consider handing over their credit card details. It's a lucrative marketplace, and merchants are faced with an often bewildering array of secure shopping cart systems. While new software is patented daily, most 'hacker-proof' shopping carts still rely on the same basic features:

Secure Socket Layer (SSL):

An SSL connection encrypts all data that is passed between two servers. Having established a communal 'tongue', the SSL connection then automatically converts all 'communications' into the agreed code. Most web hosting retailers allow complimentary SSL use, which can be accessed by starting the page URL with https (rather than http). Cybershoppers are becoming increasingly savvy and understandably won't go anywhere near websites without secure protocols (https).


Ensure that each page of the transaction is encrypted and check that all customer data (even if it doesn't strike you as 'valuable') stored on the server is also secure. Merchants often refuse to store any credit card details on the server, even if encrypted.

Secure Payment Gateway:

A payment gateway provides a secure link between your online business and your customer's credit card processor. If you're building a shopping cart system from scratch, expect plenty of homework, as payment gateways vary greatly in spec and cost.

SSL Certificates:

These prove you are who you say you are, for the customer's peace of mind. It isn't really a certificate. What you actually get is a digital key that you install on your web server for your domain. When someone views your 'certificate' they're viewing the digital key that you installed. That key identifies whom the key is for (had better be you), the domain it was intended for (had better match your domain), who issued the key, when it was issued, and when it expires.

Companies I've worked with and found to be good: Verisign http://www.verisign.com & Thawte http://www.thawte.com. This is not an endorsement of them. I'm sure there are others.

You will need to generate a key to send to the certificate vendor, and they will in turn send you the matching key. Once you receive your key, it needs to be installed on your web server - your web host may do this for you, unless you have an admin interface, in which case you may (operative word) find you can do it yourself. If in doubt, ask your web host to do it.

Some hosting firms offer a generic SSL certificate, but be careful of these. The credit card statement the customer gets may have the web host's name on it for the transaction instead of yours. Number 1: that may confuse the customer; Number 2: it's bad for name recognition; Number 3: it looks cheesy. Spring the dough and get your own.
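The fields listed above (who the key is for, which domain, validity dates) can be checked programmatically. The following is an added example, not code from the original article: `audit_cert`, `covers`, `name_field` and the sample certificate, domains and organisation names are all constructed for illustration, and the input is the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server's certificate (needs network); the default
    context also verifies that the issuer chains to a trusted CA."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_field(rdns, key):
    # subject/issuer arrive as a tuple of RDNs, each a tuple of (key, value)
    return next((v for rdn in rdns for k, v in rdn if k == key), None)

def covers(pattern, domain):
    # Exact match, or a wildcard standing in for exactly one left-most label
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("*."):
        return "." in domain and domain.split(".", 1)[1] == pattern[2:]
    return pattern == domain

def audit_cert(cert, domain, merchant, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now = time.time() if now is None else now
    problems = []
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(covers(p, domain) for p in sans):
        problems.append(f"certificate does not cover {domain}")
    org = name_field(cert.get("subject", ()), "organizationName")
    if org != merchant:
        problems.append(f"issued to {org!r}, not {merchant!r}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

# Constructed sample: a generic certificate that belongs to the hosting firm.
SHARED_CERT = {
    "subject": ((("organizationName", "Example Hosting Inc"),),
                (("commonName", "*.examplehost.test"),)),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "*.examplehost.test"),),
}
```

Domain-validated certificates carry no `organizationName`, so for those the merchant check reports `None` and only the domain and date checks are meaningful.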

Learn more: http://www.thawte.com