Zen Cart, SSL, Payment Gateways etc.

[lloyd_borrett]

G'day,

I'm in the process of setting up a Zen Cart v1.3.5 based online store for an Australian client here on a JaguarPC Longhorn account. While I can find my way around XHTML, CSS and PHP reasonably okay these days, the details of SSL Certificates and payment gateways are totally new to me. So I'm hoping someone here might be able to help me out with some advise.

I understand that to properly run a online shop, we will need a SSL certificate. My understanding is that JaguarPC have free shared certificates, but these are probably not the go for a professional online shop. Have I got that right?

To get a SSL certificate specific to our domain name, we will need a dedicated IP address. I understand JaguarPC can provide this. Correct?

But which SSL certificate provider should we go with? The range of prices (from $20 to $10,000) seems huge, and most of the descriptions of all of the different product offerings look the same to me.

It appears Verisign are a major player, along with GeoTrust and Thawte. (I think I saw something saying the last two are actually both owned by Verisign.) I have also seen references to C-o-m-o-d-o.

So which certificate provider should we be looking at, and what is the product offering will we really need?

Do JaguarPC resell any of the SSL certificate offerings? If so, what are our choices, and what would you recommend?

The shop already has a merchant credit card facility with a major Australian bank. The bank offers a service whereby shoppers paying by credit card are taken over to the bank's payment gateway pages, and then returned back to the shopping site. I just don't think this looks professional, or works well functionally for the online shop users.

So I believe we'll need to use a third-party payment gateway to handle the credit card approval process. Is my thinking on this okay?

Just what are our options? And just what do we need to consider when choosing a 3rd-party payment authorisation provider?

I'm guessing that the payment authorisation provider will need to know how to interface to some gateway at the Australian bank?

I'm also guessing this will limit the choice of providers we can select from?

I understand that we could also sign-up with PayPal so that people could purchase store goods using their PayPal accounts. And that we can even go to a level via PayPal where PayPal handles credit card authorisations for us? Or is that just for businesses without a merchant account facility.

So what works best?

What are the traps beginners like me should be looking out for?

Any help you can provide will be much appreciated?

Best Regards, Lloyd Borrett.

[Connie]

Jag can provide the dedicated IP. I think the cost is around $1.00 per month.

I always buy my certificates through Jag. I believe the cost is around $55.00 per year.

In addition to the gateway (I use authorize net), you will need a merchant account. I use Total Merchant Services.

[jason]

Lloyd,

As far as SSL certificates go, functionally all are about the same. You'll want to go with something that offers at least 128-bit encryption, but I think most providers are offering this on all of their certificates these days.

The role of the SSL certificate is two-fold, however. In addition to just serving as a key to encrypt data transmission (the functional part), the certificate also serves as a trust mechanism between the business and the customer. When you buy an SSL certificate, the issuer does a sort of background check on your business and verifies that, at minimum, the business is legit. The bigger issuers have better name recognition, so a customer may feel better about a company of which they have no prior knowledge when they see the Verisign site seal vs. the Job Blow $10 Certs site seal.

Certificates also come with what is called a warrantee, which is an insurance policy from the issuer that your business is legitimate. In theory, if a site's customer was to loose money because they trusted a certificate issued by Xyz Corp., but Xyz Corp. didn't do a proper check into the company behind the site to find out they were just scammers, then the warrantee would cover the customer' losses up to the amount of the warrantee. Some companies, such as Comodo, use this as a marketing tool--functionally there is no difference between any of their certificate products, but the lowest priced one carries almost no warrantee whereas the highest priced one carries an industry-standard warrantee.

Comodo certificates are also what's known as chained certificates. Whereas most certificate companies have worked with browser vendors to have their certificates trusted by the browsers, Comodo's root certificate is trusted by a third party certificate and the third-party cert is trusted by the browsers. This type of certificate works with all current browsers, but may cause problems with older ones like Netscape 4.

Code:

Normal certificate trust:
Browser ---> Issuer's Root Cert ---> Site's Cert

Chained certificate trust:
Browser --> 3rd Party Root --> Issuer's Root --> Site's Cert

As for cerdit card processing, ithe first thing I would do is see if the Australian bank supports any standard merchant gateways.. ZenCart supports plugins for card processing and there is a good chance you'll find a plugin that works with something the bank supports. Beyond that I doubt I can be of much help, as banking systems in the US probably differ to those in Austrralia.

Here, typically what happens is that the gateway connects the site to a bank (or a company that processes credit cards for a bank), the trnasaction takes place, and the funds received are deposited into an account of the company running the site. The mechanics of communicating with the gateway are handled by ZenCart (assuming appropriate plugins are available), so there isn't much work to be done of your part in that respect.

PayPal offers a couple of different services. Their basic service works much like the bank's: the user is taken to PayPal's site to entier their payment details and is then sent back to your site when done. They also offer mechanisms to handle the payments from your site entirely, but these services do have restrictions where you can use them (some are US only). It isn't uncommon for merchants to accept both PayPal and direct credit cards.

I hope this helps.

--Jason

[lloyd_borrett]

G'day,

Thanks guys. So it looks like step one is to go ahead and get a static IP address and a Comodo SSL Certificate via JaguarPC.

Now I still have to work out how to handle the credit card authorisations.

As I said, the client already has an Internet merchant credit card account with the Australian bank.

Zen Cart supports a few payment gateways out of the box, with support for many more being available as add-ons.

So now we just now have to find out which payment gateways are supported by this particular bank.

Best Regards, Lloyd Borrett.