If you ask your site visitors to enter credit card or other sensitive information then yes, you need an SSL Security Certificate (you’ll also need a dedicated IP address).
Using SSL means that the data sent to and from your visitors web browser is encrypted before being transmitted over the internet. Having a Certificate issued for your site by a recognized Certificate Authority (CA) helps to assure your visitors that their data is secure.
Beyond the technical stuff needed to encrypt data, the purpose of a Certificate is to promote trust … can your visitors trust your site with their information? They will likely look for some or even all of the following to help them with their decision:
- A web address that starts with https://
- A closed padlock on the browser.
- The browser address bar highlighted in green indicating an Extended Validation Certificate has been issued.
- A dynamic site seal from a recognized CA displayed on the page.
- The same domain name for the Certificate holder and the website they’re visiting.
- Browser warnings indicating a problem with the Security Certificate or signing CA.
When you’re shopping for an SSL Certificate you’ll want to keep those same things in mind and ask yourself how the features of the various Certificates will help to earn your visitor’s trust.
Certificates are typically purchased in 1-year increments and many Certificate Authorities offer multi-year Certificates at a discount. For a single domain, prices range anywhere from $20/yr for a standard certificate to over $1,400/yr for a true 128-bit Extended Validation Certificate. So be prepared to shop around to compare prices and features.
So what exactly is ‘sensitive information’?
Credit card information is pretty straight forward … cardholder name, credit card number, CVC, and expiry date should definitely be sent via SSL.
Passwords should be encrypted too. Not only because a hacker may gain access to the one account, but because people often use the same password for multiple accounts. As soon as one of their accounts is compromised the hacker then has access to all the others with that password. Unfortunately there seems to be an increasing number of web site login forms that are not using SSL. For people who are logging in from unsecured networks, like the local coffee shop wi-fi, unencrypted passwords are even more of a concern.
There are many other bits of personal and company confidential data that should be protected from prying eyes … financial, medical, and legal data, and information used for identification (Driver’s license, Social Insurance, and Health Care numbers etc.). This list is not exhaustive and each web site should have security needs evaluated on a case-by-case basis.
But I’m not running a huge company and I just want to accept a few payments. Is there an alternative?
Yes there is. You can let someone else handle the credit card information. Once your customers are ready to checkout they are re-directed to the secure site of your chosen merchant services provider where they enter all the information necessary to process the payment. PayPal is a popular choice for this type of service, but there are many other payment gateway providers to choose from as well.
The downside to this approach is that your customers are taken away from your site to complete the sale. You’ll need to decide if this break in continuity is important to you and if the cost of the SSL Certificate is worth it in order to provide a more integrated customer experience.
My hosting provider is offering a shared Certificate. Can’t I just used that?
Yes, you can. The real question is ‘do you want to?’ Our answer to that is probably not. A shared certificate is not registered to your domain. It’s registered to the hosting company (at best). Site visitors viewing the details of the certificate will see that the certificate has been issued to an entirely different person or company who they may or may not know … not something that is likely to boost the apparent trust-worthiness of your site.
On the other hand, if all you need is to secure the login to your WordPress dashboard or other CMS admin area a shared Certificate may be sufficient and likely much more cost-effective.
I’m a web site developer and I need SSL for a sandbox environment but I don’t want to purchase a Certificate.
Test environments are good places to use self-signed Certificates. With a self-signed Certificate you still get the SSL encryption without having to pay for a standard Certificate but you’re effectively vouching for yourself. That’s ok if your site visitor already knows and trusts you, but not so good otherwise. Also be aware that self-signed Certificates cannot be revoked if compromised or otherwise invalidated. Don’t forget to check with your hosting company to be sure they allow self-signing. And remember that you can also go with a shared Certificate if self-signing is not an option.
Here are a few good WordPress related resources: