Can I use my own shared SSL for credit card orders ?


I run a website for my parents, they use shared SSL for credit card transactions (as well as PayPal). Simply speaking, on their current website (NOT Prestashop) when someone places an order, the shopping cart then sends the order via SSL to a secure webpage where my parents view the credit card numbers and then manually charge them via a home terminal (it is not sent to the bank via the net).

 

The SSL used is https://ssl.securesites.com

 

I want to move their site over to Prestashop, they have a spin off site using Prestashop that I made for them for old second hand items, and it has proved to be very good, but that currently only accepts PayPal. Is there any way I can get Prestashop to accept payments via our own shared SSL ? If so, what payment option do I use in the settings, or is another module needed to be bought ?

 

So in simple terms Prestashop Checkout =====> Own shared SSL ======> We view card numbers stored in SSL website

 

If it is something that needs to be paid for, then that is fine; currently, though, I am just sounding things out to see what would be needed.

 

Thanks for any help.


I'm not sure what you mean by a shared SSL in this use case. It sounds like you are saying that the customers place their order on "your store" (merchant), but are redirected to another site (payment provider) to collect payment details (credit card or PayPal).

 

Could you describe in more detail what that other site is (the payment provider)? Do you host those payment pages, or are they hosted by a third party?

 

I just need a better understanding before I can advise you.


Hi. Yes, that is correct. On our own checkout the credit card numbers are sent, via SSL, to a website that we log in to, so when logged in to the site we can charge the cards by using our own handheld terminal (we read the numbers from the secure site page and manually input them into a handheld terminal that is connected to our bank).

 

The payments go to the website mentioned in the first post : https://ssl.securesites.com

 

It is from there that we log in to get our results.

 

Perhaps I am using the wrong terms when I say shared SSL, as we had someone else who created the shopping cart and payment way, but the above is from what I know and what we do.


Ok, it would seem possible to do what you want within PrestaShop; however, a module will need to be built that can accept the credit card information, send it securely to "secure sites", and place the order in a "pending" status. To do this we would need the integration documents from securesites.com. This documentation would describe how to transfer the credit card information to them using "SSL".

 

Another option is to purchase the "offline credit card" module, which will accept the credit card information from the customer on your site and store it in the PrestaShop database securely. You would then access the PrestaShop order from the back office, retrieve the credit card information, and manually input it using your hand terminal. If successful, you then update the order status to accepted. As you may know, this may not be PCI compliant, and so you may not want to pursue this option.


Thanks for your great help. Regarding the PCI compliance issue, I know that on our checkout there is a small icon at the bottom that you can click which then says.....(see attached photo).

 

I will have to find out more info from both my parents and our checkout designer, but what I do know is that we get checked out quarterly to make sure we are compliant. I am guessing this is by instruction from our bank, as I remember they said security needs to be very strict. How they find out though, I am unsure. I do know the security company run a scan on our IP, but how the bank knows, I am not sure, as I think they are a separate company. That is such a shame about the offline credit card module, as that would be perfect if it wasn't for the compliance issue.

 

You mention a special module could be made, that would be excellent, but how much would such a module cost to be made ?

 

Thanks for your help, it has been very useful. If you want to do a dummy test on our website, then let me know and I will make sure we know it is fake and not a real order, if you let me know the name you will use on the order form. I will PM you our website if interested. Oh, and I think the checkout designer has used the Dansie Shopping Cart code.

[Attached photo: post-268669-0-15632200-1336187296_thumb.jpg]


I kind of like Bellini13's advice on the Offline Credit Card module and just let Prestashop do the rest. I think the module is under $100 and it works fine. Since you're purchasing a secure certificate for SSL anyway, and you're processing the card details later with your merchant bank, why not keep it all on your site? From what I can see the only reason to pay more for a credit card gateway is because you have so much volume that you don't have time to process the cards individually and you need real-time processing.


@rturner, the problem is, the offline credit card module stores the credit card information in a manner that is not PCI compliant. The database is on a server exposed to the internet, so it would likely not pass requirement 1.3:

 

Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data

Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network. Routers are hardware or software that connects two or more networks.

1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data (including wireless); that use various technical settings for each implementation; and stipulate a review of configuration rule sets at least every six months.

1.2 Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment.

1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.

1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet that are used to access the organization’s network.


Yes, unfortunately it is the compliance bit, our bank needs it, so without compliance we wouldn't be allowed a credit card terminal.

 

Any idea how much it would cost for a custom made module for payment going securely to the payment website ? As I say, the Dansie checkout allows this, so I would guess the code could be modified for a module ?


With the cost of an SSL certificate about 10-15 USD a year and an IP address about the same, why would you even want to use a shared certificate? Just use a credit card processor that will allow you to capture the card and charge it later manually. Then you do not have to worry about PCI compliance; it is stored in their system.


Oops, but my advice is still applicable. Most people process cards like that so they do not have to comply with PCI requirements. But if you use someone like auth then all you have to comply with is a written report. They can hold the card and you can manually run it later. While at the same time a lot of banks use them for their cc processing solution.
