Payius Guide to SSL Certificates in Ecommerce
Table of Contents

1 About This Guide ... 3
1.1 Purpose ... 3
1.2 Audience ... 3
1.3 Prerequisites ... 3
1.4 Related Documents ... 3
2 SSL - The Basics ... 4
2.1 General ... 4
2.2 SSL and PCI DSS ... 4
3 How to Compare Certificates ... 5
3.1 Certificate Grade ... 5
3.2 Customer peace of mind = High conversion rate ... 5
4 Common myths about SSL certificates ... 6
4.1 My cert is, so my server is compliant ... 6
4.2 If my server is non-compliant I have to buy a better cert ... 7
5 Making your server compliant through configuration ... 7
5.1 Apache ... 7
5.2 IIS ... 7
6 Testing your certificate ... 7
1 About This Guide

1.1 Purpose

The purpose of this guide is to explain all about SSL certificates. This includes:
- The basics of SSL certificates
- How to compare certificates
- Common myths about these certificates
- SSL certificates and PCI DSS compliance
- SSL certificate testing

1.2 Audience

This guide is intended for either merchants or their developers. It should be considered while a decision is made as to which method you are going to use to integrate with the Payius payment gateway.

1.3 Prerequisites

This guide has no prerequisites.

1.4 Related Documents

This guide should be considered in conjunction with our Guide to Choosing an Integration Method.
2 SSL - The Basics

2.1 General

An SSL (Secure Sockets Layer) certificate is a digital certificate that is installed on a web server and is used to encrypt traffic sent to that server, whether from a customer's browser when they are viewing your site or from another web server sending secure data for processing. It puts the S in HTTPS.

A single SSL cert will have many different methods of encryption (up to 11), and each of these can support many levels, measured in bits. Each combination of these is called a cipher. The connecting client machine also has a list of ciphers that it supports; when it initially connects to the host it sends this list to the host, which then chooses the strongest cipher that they both support, and both sides use this cipher to encrypt the traffic thereafter, until the connection is closed.

The higher the bit rating (bit depth) of a cipher, the more difficult it is for an unwanted party to decrypt. Common bit depths are 40, 56, 128, 168 and 256 bits. In 2004 a standard home computer could break a cipher in a little under two weeks, testing a million keys per second. A bit key would take 10^19 millennia to be decrypted by the same computer.

All merchants that accept credit/debit card information MUST comply with PCI DSS rules. These rules are wide-ranging and complicated, but suffice it to say that one of them requires that all sensitive card information must, by law, be stored and transported using at least encryption. On the internet this encryption is supplied by SSL certificates.

2.2 SSL and PCI DSS

If your company suffers a security breach and, after the card schemes descend on you to investigate, you are found to be non-compliant, they can fine you for every card number that was breached. When this happens, a reasonable estimate of the fine works out at about $1,000 per card number exposed.
3 How to Compare Certificates

3.1 Certificate Grade

Surprisingly, the price of a cert generally does not depend on how secure it makes your data; it depends on the grade of the cert. There are a lot of different grades of cert out there. The grade has nothing to do with how secure it will make your traffic, but more to do with how reputable you are as a company. A budget certificate can cost only a few Euro a year and will require no verification at all. This certificate will not look very secure to your customers, though. The higher the grade of the certificate, the more investigation the Certificate Authority will do into your company before issuing it to you, hence the higher cost.

At the time of writing, Payius's live server has a VeriSign EV (Extended Validation) certificate. This is the strongest grade of certificate that money can buy, and it offers full Green Bar security for browsers that support it. You can see this by visiting https://payments.payius.com. This gives customers the utmost peace of mind when entering their sensitive card information; however, this certificate costs $2,500 per year.

3.2 Customer peace of mind = High conversion rate

This is what it's all about. As mentioned before, the more expensive certs are generally no more technically secure than the cheap ones, so it all comes down to your customers' peace of mind when entering their card details. The more you do to reassure them, the higher your conversion rate will be. Ideally all sites would have certs as good as ours, but they are too expensive for most small/medium-sized merchants. For this reason, Payius offers the use of our cert: customers are redirected to our secure Hosted Payment Page to enter this information. This page can be highly customised to look like your site, and therefore does not raise any alarm bells.

We find the combination of our green bar certificate and a well customised payment page greatly outweighs the perceived negative of redirecting to another site to enter card details.
4 Common myths about SSL certificates

The first myth about SSL certs is that they use SSL, whereas this is often not the case. TLS (Transport Layer Security) is very similar to SSL, but not the same, and became the industry standard in about 1998. The combination of the two is generally referred to as SSL though.

4.1 My cert is, so my server is compliant

SSL certs are generally very misunderstood, and this is compounded by the way certificate authorities (CAs, the companies that issue SSL certs) advertise their products. Most CAs only document the highest cipher strength that their certificate offers, and do not tell you the lowest. PCI DSS requires that the minimum cipher strength your server will support is s. Many companies believe that because they bought a 256-bit certificate they are PCI DSS compliant, when in fact their server supports s and 56-bit ciphers as well. For example, https://www.microsoft.com at the time of writing supported these ciphers:

Cipher Name         Cipher Strength
AES256-SHA          256-bit
DES-CBC3-SHA        168-bit
DES-CBC3-MD5        168-bit
AES128-SHA          128-bit
RC4-SHA             128-bit
RC4-MD5             128-bit
RC2-CBC-MD5         128-bit
RC4-MD5             128-bit
DES-CBC-SHA         56-bit
DES-CBC-MD5         56-bit
EXP-DES-CBC-SHA     40-bit
EXP-RC2-CBC-MD5     40-bit
EXP-RC4-MD5         40-bit
EXP-RC2-CBC-MD5     40-bit
EXP-RC4-MD5         40-bit

As you can see, there are 7 ciphers supported that are under s in strength, meaning that this server is not PCI DSS compliant.

4.2 If my server is non-compliant I have to buy a better cert

Another myth is that if your server is non-compliant for the reasons stated above, you have to go and get another certificate, one that is compliant. This is not the case, as the lower ciphers can be disabled very easily in the configuration of your web server, whether it be Apache HTTPD or Microsoft IIS. See the next section for more information.

5 Making your server compliant through configuration

5.1 Apache

To do this in Apache HTTPD you need to set the following directives in your main config file (normally apache2.conf or httpd.conf):

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

5.2 IIS

Follow this guide: http://support.microsoft.com/kb/245030

6 Testing your certificate

Payius provide a free SSL cert testing service. Just e-mail support@payius.com with the URL of your secure server and we'll send you back the results.
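The following Python script is an added example, not part of the Payius guide and not a Payius tool. It covers two points from the text: the cipher audit of section 4.1 (is every cipher a server will accept at or above the minimum strength?) and the handshake described in section 2.1 (the server picks the strongest cipher both sides share). It reads a cipher list in the format printed by OpenSSL's `openssl ciphers -v` command, which you can run against the SSLCipherSuite string from section 5.1 (for example `openssl ciphers -v 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'`) to see exactly which ciphers that string enables. The listing embedded below is constructed for illustration, not captured from microsoft.com or any other server, and the 128-bit minimum is an assumed parameter.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format printed by `openssl ciphers -v`
# (hypothetical listing for illustration, not captured from any real server).
SAMPLE_CIPHER_LIST = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# One line of `openssl ciphers -v`: suite name, protocol, key exchange, auth,
# then "Enc=ALG(bits)". The eNULL suites print "Enc=None" with no bit count.
CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+.*?Enc=(?P<alg>[^\s(]+)(?:\((?P<bits>\d+)\))?"
)


@dataclass(frozen=True)
class Cipher:
    name: str
    protocol: str
    algorithm: str
    bits: int  # symmetric key length in bits; 0 for Enc=None


def parse_cipher_list(text: str) -> List[Cipher]:
    """Parse `openssl ciphers -v` output into Cipher records; other lines are skipped."""
    ciphers = []
    for line in text.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if not m:
            continue
        bits = int(m["bits"]) if m["bits"] else 0  # "Enc=None" counts as no encryption
        ciphers.append(Cipher(m["name"], m["proto"], m["alg"], bits))
    return ciphers


def weak_ciphers(ciphers: List[Cipher], minimum_bits: int = 128) -> List[Cipher]:
    """Ciphers below the minimum strength (128 bits is the assumed threshold here)."""
    return [c for c in ciphers if c.bits < minimum_bits]


def harden(ciphers: List[Cipher], minimum_bits: int = 128) -> List[Cipher]:
    """The list a server presents once the weak ciphers are disabled in its config."""
    return [c for c in ciphers if c.bits >= minimum_bits]


def negotiate(server_ciphers: List[Cipher], client_offered: List[str]) -> Optional[Cipher]:
    """Model of the handshake in section 2.1: the server takes the client's offered
    list and picks the strongest cipher both sides support. (Real servers follow a
    configured preference order rather than raw bit count; the weak-client outcome
    shown here is the same.) Returns None when nothing is shared, i.e. the handshake
    fails instead of falling back to a weak cipher."""
    by_name = {c.name: c for c in server_ciphers}
    shared = [by_name[n] for n in client_offered if n in by_name]
    return max(shared, key=lambda c: c.bits, default=None)


def audit(text: str, minimum_bits: int = 128):
    """Return (compliant, names of weak ciphers) for a cipher listing."""
    weak = weak_ciphers(parse_cipher_list(text), minimum_bits)
    return (not weak, [c.name for c in weak])


if __name__ == "__main__":
    compliant, weak = audit(SAMPLE_CIPHER_LIST)
    print("compliant" if compliant else "NOT compliant, weak ciphers: " + ", ".join(weak))
    ciphers = parse_cipher_list(SAMPLE_CIPHER_LIST)
    # Constructed client that only offers weak suites: before hardening it still
    # gets a 56-bit connection; after hardening the handshake fails outright.
    legacy_client = ["EXP-RC4-MD5", "DES-CBC-SHA"]
    print("before hardening:", negotiate(ciphers, legacy_client))
    print("after hardening: ", negotiate(harden(ciphers), legacy_client))
```

Pipe the real command output into `audit` (for instance `openssl ciphers -v 'your SSLCipherSuite string'`) to see which suites a given configuration still enables; the `negotiate` calls in the main block show why disabling the weak suites server-side matters: a client that only offers 40- or 56-bit suites would otherwise be served one of them, whereas the hardened list refuses the connection.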