Question on SSL/cerdit cards.

Anon

O.K my host ISP has an SSL server already that I can use. They told me I would have to apply for a SSL server certificate at Verisign or Thawte. In order to do this I generated a self signed certificate and my ISP said I would have to submit this to verisign to get the SSL working properly.

My question is what exactly does this mean? Does it mean I will have to write the code to validate the credit cards and process them on my SSL server since it will be on my domain name? Or does verisign take care of that?

I'm new to this and was wondering what's the best way to collect credit cards and dump the cash into my merchant account. Anyone else use this method to set up their SSL server and begin taking cards online?

Thanks.

Anon

They want you to make a certificate. There's tools available to do this.

http://www.thawte.com/certs/server/keygen/contents.html

After you've made one, Thawte or Verisign will kinda, put a stamp on it and send it back to you. The only thing this does is make it so your users don't get an error stating that the cert is from an untrusted source. You can very eaisly just create your own cert and use it and it will work, but your visitors will get a warning untill it's signed.

Hope that helps.

Anon

O.K. then what? After I have the https:// working do I write the page to collect the cards and put money into the merchant account?

Seems like all this certificate does is make communications secure between my users and the server. The merchant account and credit card processing would be an entirely different thing right?

Thanks

Anon

Yes it would be. https only secures the connection between the browser and the server. As far as the transaction, the vendor should supply you with some means of having secure communications. For us, we use signio, they gave me a linux binary that I pass command line args to which creates the secure connection.

Or you can use paypay 🙂

Anon

O.K.

Guess I will have to do some more research on the payment options.

Thanks.

kparker

Seems like all this certificate does is make communications secure between
my users and the server.

Actually, it's the HTTPS itself that makes it secure. All the certificate does it tell visitors to your secure site that you managed to convince Verisign or Thawte that you really are the person or entity you claim to be, and that you legitimately own the rights to the domain name that you wish to certify. And perhaps a few other things, too, but it's not very extensive in terms of what they do.

The merchant account and credit card processing would be an entirely
different thing right?

Indeed. Let me second Jason's recommendation of signio (now part of
verisign)--though in the recent project I worked on using signio, we
used the entry-level version of their processing that was entirely web-
based: you link to a secure page of theirs for the actual card entry, and then they link back to you if the charge goes through. Completely adequate for small and medium transaction volumes, and the price is right.