Myth: I Use a Payment Gateway Like PayPal So Do Not Need an SSL Certificate

Andy Gambles
Published in Servertastic
Aug 13, 2016
Caryle Tylkowski

I hear this every single day. “I use PayPal do I need an SSL Certificate?” This is often followed by incorrect advice: “You don’t need an SSL certificate if you use PayPal”, “No need to waste money on SSL if you use a payment gateway”.

From web designers, developers, helpful friends, e-commerce advisers, forum users, twitterati and the man in the pub. It is probably one of the most dangerous pieces of advice I have come across.

Poor Security

I have talked previously about unsecured login forms and how bad they are. That discussion is mainly from a security perspective. The same issues in that article exist in this situation, where you have a standard HTTP website using a payment gateway like PayPal. You have to send data to your payment gateway from your website. This data is not secured.

E-commerce sites generally collect data from the user before sending them to the payment gateway. This data is usually information like name, address and email, all of it personal information. This information is being submitted via a non-secure form and is therefore at risk of interception or manipulation.
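
To check your own order pages for this problem, the following added example (not code from the original article) parses a page's HTML and reports forms that collect personal fields and either submit in cleartext or are delivered over HTTP, in which case even an HTTPS gateway action can be rewritten in transit. The field-name hints, the shop.example and gateway.example hosts and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments treated as personal data (assumed list for this example).
PERSONAL_HINTS = ("name", "address", "email", "phone", "postcode", "zip")

class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((attrs.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Return findings for forms that expose personal data over plain HTTP."""
    collector = FormCollector()
    collector.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        personal = sorted({f for f in form["fields"] if any(h in f for h in PERSONAL_HINTS)})
        issues = []
        if urlparse(target).scheme != "https":
            issues.append("submits in cleartext")
        if not page_secure:
            issues.append("form delivered over http, so it can be altered in transit")
        if issues and personal:
            findings.append({"target": target, "personal_fields": personal, "issues": issues})
    return findings

# Constructed sample: an order form and a gateway hand-off form on the same page.
SAMPLE_HTML = """
<form action="/order" method="post">
  <input name="full_name"><input name="email"><input name="address1"><input name="qty">
</form>
<form action="https://gateway.example/pay" method="post">
  <input name="email"><input type="hidden" name="amount">
</form>"""
```

Run against the sample served from an http:// page, both forms are reported; served from https://, neither is.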

Customer Confidence: Poor Conversion

Security is also as much about perception as it is reality.

These are a couple of recent tweets showing customers who have had second thoughts about purchasing from a website because the order form was not secure. In both cases the payment pages were handled by a payment gateway which was loaded over https. However, the order form hosted on the website was just plain old http.

Users are becoming more security conscious. How many customers did not purchase because they did not think the site was secure? You may even want to consider going 100% HTTPS and enjoy the extra conversions that provides.

How many sales are you losing by not having an SSL certificate?
