Benjamin Dyer of e-commerce supplier SellerDeck explains that although an SSL certificate can be very useful for an online shop, it’s not the only security precaution you need
An SSL certificate allows your website to display the secure padlock when people visit it. One of the first lessons you learn when you shop online is to look for this padlock as proof that a website is secure. In reality the padlock tells you only that the connection to the site is encrypted and that a Certificate Authority has issued a certificate for that domain name; it says nothing about how the site itself is run.
There are two reasons people like SSL certificates: they encrypt data while it travels between the shopper's browser and your server, and they show that a Certificate Authority has vouched for the site's identity.
With these in mind, here’s my guide to the myths of SSL. Read it carefully to understand why other security precautions are just as important as SSL.
The whole point of an SSL certificate is to protect sensitive data as it travels between a customer's web browser and your website server. However, the certificate says nothing about how that data is stored or what happens to it once it has reached its destination.
Like any security precaution, it would be a mistake to regard SSL as unbreakable, especially when there is evidence to the contrary. For instance, in 2008 a team of researchers used a cluster of around 200 Sony PlayStation 3 consoles to forge a Certificate Authority certificate, exploiting a weakness in the MD5 hash function that some Certificate Authorities were still using to sign certificates. The flaw was not in the encryption itself but in how the certificates were issued and signed, which is a reminder that the padlock is only as trustworthy as the whole chain behind it.
In short: the message here is that you shouldn't assume your website is hacker-proof just because you have an SSL certificate.
Having an SSL certificate on your website means that, at some point, one of the Certificate Authorities which issue SSL certificates has validated your identity, or that of your business.
However, there are many types of SSL certificate. They can cost from nothing at all (domain-validated certificates are now issued free by Let's Encrypt and others) or as little as £20 a year, all the way up to thousands of pounds. Unsurprisingly, the level of validation varies with each certificate type. A domain-validated (DV) certificate proves only that whoever requested it controlled the domain name at the time; an organisation-validated (OV) certificate means the Certificate Authority also checked that the named business exists; an extended validation (EV) certificate adds checks of the legal entity, its jurisdiction and registration. A cursory check of the padlock alone might not be enough to confirm a website is reliable and trustworthy enough to do business with, because a DV certificate tells you nothing about who is behind the site.
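One way to tell which kind of validation a certificate actually went through, rather than just looking for the padlock, is to inspect the subject fields of the certificate itself. The following is an added example and not code from the original article or from SellerDeck. It uses only Python's standard library and assumes the attribute names that ssl.SSLSocket.getpeercert() uses ('organizationName', 'businessCategory', 'jurisdictionCountryName', 'serialNumber'); the three sample certificates are constructed by hand for illustration and do not describe real sites.

```python
"""Classify an X.509 certificate's validation level (DV, OV or EV) from the
subject fields that Python's ssl module exposes via SSLSocket.getpeercert().

Added example, not code from the original article or from SellerDeck.
Assumptions: attribute names match the long names getpeercert() returns;
the sample certificates at the bottom are constructed, not real.
"""
import socket
import ssl
import time

# Subject attributes that the CA/Browser Forum EV Guidelines require.
# Domain- and organisation-validated certificates normally carry none of them.
EV_MARKERS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' based on what the subject discloses.

    DV: only control of the domain name was checked, so no organisation is named.
    OV: the CA checked that the named organisation exists.
    EV: the CA also recorded the legal jurisdiction and registration number.
    """
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    if EV_MARKERS <= set(fields):
        return "EV"
    return "OV"


def days_until_expiry(cert, now=None):
    """Days left before the certificate's notAfter date (negative if expired)."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / 86400


def describe(cert, now=None):
    """One-line summary: who the certificate names and how well it was checked."""
    fields = subject_fields(cert)
    org = fields.get("organizationName", "(no organisation named)")
    return "%s: %s, %s, %.0f days left" % (
        fields.get("commonName", "?"),
        validation_level(cert),
        org,
        days_until_expiry(cert, now),
    )


def fetch_cert(hostname, port=443):
    """Fetch a live site's certificate. Needs network access; not exercised here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() layout (not real sites).
DV_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example DV CA"),),),
    "notAfter": "Jan  5 09:34:43 2031 GMT",
}
OV_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Shop Ltd"),),
        (("commonName", "shop.example.com"),),
    ),
    "issuer": ((("organizationName", "Example OV CA"),),),
    "notAfter": "Jan  5 09:34:43 2031 GMT",
}
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "GB"),),
        (("serialNumber", "01234567"),),
        (("countryName", "GB"),),
        (("organizationName", "Example Shop Ltd"),),
        (("commonName", "shop.example.com"),),
    ),
    "issuer": ((("organizationName", "Example EV CA"),),),
    "notAfter": "Jan  5 09:34:43 2031 GMT",
}

if __name__ == "__main__":
    for sample in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(sample))
```

Note that a DV result is not a sign of a bad site; most legitimate shops use DV certificates. The point is only that the padlock by itself does not tell a shopper whether a named, verified business stands behind the domain, so treat the validation level as one input among several rather than as proof of trustworthiness.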
SSL is ideal for scrambling credit card information as it’s sent across the internet. But it’s what happens next that is important – and remember, SSL has nothing to do with keeping data secure once it’s been received by your website.
In fact, if you store, process or transmit credit or debit card data yourself, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS).
Becoming PCI-compliant is a huge undertaking, so the simplest approach is to use a PCI-compliant payment service provider (PSP) like PayPal, WorldPay or SellerDeck, from my own company.
If you go down that route and the customer is sent to the PSP's own hosted payment page to enter their card details, you don't strictly need your own SSL certificate for the payment step, as the PSP will encrypt the card data for you. Your PCI DSS obligations shrink in that case, but they don't disappear entirely. It's still a good idea to get a certificate for the rest of your shop though: customer logins, addresses and order details also deserve protection in transit, and the padlock builds trust with your customers.
In conclusion, SSL certificates have been with us for a long time. They remain the best, most secure way to prove your website’s identity and protect data while it’s being transferred. However, for your customers’ sakes, it’s important you go beyond an SSL certificate and take further precautions to secure your online shop.