Payius Guide to SSL certificates in ecommerce

Table of Contents

1 About This Guide
1.1 Purpose
1.2 Audience
1.3 Prerequisites
1.4 Related Documents
2 SSL - The Basics
2.1 General
2.2 SSL and PCI DSS
3 How to Compare Certificates
3.1 Certificate Grade
3.2 Customer peace of mind = High conversion rate
4 Common myths about SSL certificates
4.1 My cert is 256-bit, so my server is compliant
4.2 If my server is non-compliant I have to buy a better cert
5 Making your server compliant through configuration
5.1 Apache
5.2 IIS
6 Testing your certificate

1 About This Guide

1.1 Purpose

The purpose of this guide is to explain SSL certificates as they affect an ecommerce merchant. This includes:

- The basics of SSL certificates
- How to compare certificates
- Common myths about these certificates
- SSL certificates and PCI DSS compliance
- SSL certificate testing

1.2 Audience

This guide is intended for merchants and their developers. It should be considered while deciding which method you are going to use to integrate with the Payius payment gateway.

1.3 Prerequisites

This guide has no prerequisites.

1.4 Related Documents

This guide should be read in conjunction with our Guide to Choosing an Integration Method.

2 SSL - The Basics

2.1 General

An SSL (Secure Sockets Layer) certificate is a digital certificate installed on a web server. It binds the server's hostname to a public key and is signed by a Certificate Authority, so that a connecting client (a customer's browser viewing your site, or another web server sending sensitive data for processing) can verify that it is talking to the genuine server and then negotiate the keys that encrypt the session. The certificate itself does not encrypt anything; the SSL/TLS connection it authenticates does. It puts the S in HTTPS.

Which encryption is used on a connection is a property of the server's SSL/TLS configuration, not of the certificate. A server accepts a list of encryption methods, each available at one or more key lengths measured in bits; each combination of key exchange, encryption algorithm and key length is called a cipher (or cipher suite). When a client connects it sends the list of ciphers it supports; the server picks one that both sides support, normally the first match in its own preference order rather than automatically the strongest, and both sides use it to protect the traffic until the connection is closed.

The higher the bit rating (bit depth) of a cipher, the harder it is for an eavesdropper to recover the key by brute force. Common bit depths are 40, 56, 128, 168 and 256 bits. In 2004 a standard home computer testing a million keys per second could break a 40-bit cipher in a little under two weeks (2^40 keys at 10^6 keys per second is about 12.7 days). A 128-bit key is out of reach of the same computer by an enormous margin: the guide's figure was 10^19 millennia, and 2^128 keys at that rate actually works out closer to 10^22 millennia.

All merchants that accept credit or debit card information MUST comply with the PCI DSS rules. These rules are wide ranging and complicated, but one of them requires that sensitive card data be stored and transmitted using strong cryptography, which this guide takes as a minimum of 128-bit encryption. Note that PCI DSS is a contractual obligation imposed through the card schemes and your acquiring bank, not a statute. On the internet that transport encryption is supplied by SSL/TLS, and the certificate is what lets the customer trust the server at the other end of it.

2.2 SSL and PCI DSS

If your company suffers a security breach and the card schemes' investigation finds you non-compliant, they can fine you for every card number that was exposed. A reasonable estimate of the fine is about $1,000 per card number.

3 How to Compare Certificates

3.1 Certificate Grade

Surprisingly, the price of a cert does not depend on how strongly it protects your data; it depends on the grade of the cert, which CAs call the validation level. The grade has nothing to do with how well your traffic is encrypted (that is set by your server's cipher configuration and key length) and everything to do with how thoroughly the CA has checked who you are. A budget domain-validated (DV) certificate can cost only a few Euro a year and requires nothing more than proof that you control the domain name. It secures the connection just as well as any other, but it says nothing about your company, so it will not look as reassuring to your customers. The higher the grade (organisation-validated, then Extended Validation), the more investigation the Certificate Authority does into your company before issuing, and that investigation is what you pay for.

At the time of writing, Payius's live server has a VeriSign EV (Extended Validation) certificate. This is the highest grade available and, in browsers of the time, shows the full "green bar" with the company name beside the address. You can see this by visiting https://payments.payius.com. It gives customers the utmost peace of mind when entering their sensitive card information; however, this certificate costs $2,500 per year. (Note that since 2019 the major desktop browsers no longer display a green bar or the organisation name for EV certificates in the address bar, so that visual cue can no longer be counted on.)

3.2 Customer peace of mind = High conversion rate

This is what it's all about. As mentioned before, the more expensive certs are generally no more technically secure than the cheap ones, so it all comes down to your customers' peace of mind when entering their card details. The more you do to reassure them, the higher your conversion rate will be. Ideally every site would have a cert as good as ours, but they are too expensive for most small and medium-sized merchants. For this reason Payius lets you use our certificate by redirecting customers to our secure Hosted Payment Page to enter their card details. The page can be heavily customised to look like your site and therefore not raise any alarm bells; it also keeps card numbers off your own servers, which narrows your PCI DSS scope. We find the combination of our green-bar certificate and a well-customised payment page greatly outweighs the perceived negative of redirecting to another site to enter card details.

4 Common myths about SSL certificates

The first myth about SSL certs is that they use SSL, whereas this is usually not the case. TLS (Transport Layer Security) is the successor to SSL: very similar, but not the same, and it became the industry standard when TLS 1.0 was published in 1999 (RFC 2246). The two are still generally referred to together as "SSL", including in this guide.

4.1 My cert is 256-bit, so my server is compliant

SSL certs are generally very misunderstood, and this is compounded by the way certificate authorities (CAs, the companies that issue SSL certs) advertise their products. CAs advertise the highest cipher strength a connection to your site can use ("256-bit SSL") and say nothing about the lowest. The cipher is chosen during the handshake from the list your server is configured to accept, and the certificate plays no part in that choice. PCI DSS requires strong cryptography, which this guide takes as a minimum cipher strength of 128 bits for every cipher your server will accept. Many companies believe that because they bought a "256-bit" certificate they are PCI DSS compliant, when in fact their server also accepts 40-bit and 56-bit ciphers.

For example, at the time of writing https://www.microsoft.com supported these ciphers (the repeated names are the SSLv2 and SSLv3 forms of the same suite):

Cipher Name        Cipher Strength
AES256-SHA         256-bit
DES-CBC3-SHA       168-bit
DES-CBC3-MD5       168-bit
AES128-SHA         128-bit
RC4-SHA            128-bit
RC4-MD5            128-bit
RC2-CBC-MD5        128-bit
RC4-MD5            128-bit
DES-CBC-SHA        56-bit
DES-CBC-MD5        56-bit
EXP-DES-CBC-SHA    40-bit
EXP-RC2-CBC-MD5    40-bit
EXP-RC4-MD5        40-bit
EXP-RC2-CBC-MD5    40-bit
EXP-RC4-MD5        40-bit

As you can see, 7 of these ciphers are below 128 bits in strength, meaning that this server was not PCI DSS compliant.

Two things have changed since this was written and raise the bar further. RC4 (prohibited for TLS by RFC 7465 in 2015), single DES, RC2, 3DES and any suite using an MD5 MAC are now considered broken or obsolete regardless of their nominal key length, so of the list above only the two AES suites would pass today. And PCI DSS 3.1 (April 2015) declared SSL and "early TLS" (TLS 1.0, and in practice 1.1) insecure, with a migration deadline of 30 June 2018, so a compliant server now accepts TLS 1.2 or later only.

4.2 If my server is non-compliant I have to buy a better cert

Another myth is that if your server is non-compliant for the reasons stated above, you have to go and get another, "compliant" certificate. This is not the case: the certificate stays exactly as it is, and the weak ciphers and protocols are disabled in the configuration of your web server, whether it is Apache HTTPD or Microsoft IIS. See the next section.

5 Making your server compliant through configuration

5.1 Apache

In Apache HTTPD, set the following directives in your main config file (normally apache2.conf or httpd.conf) or in the SSL virtual host that serves the site. The guide originally gave:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

That removed the export-grade and 56-bit ciphers, which was the point being made, but it left SSLv3 (broken by POODLE in 2014), TLS 1.0 and RC4 enabled, all of which fail PCI DSS today. The current equivalent is:

SSLProtocol -ALL +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES

Also set SSLHonorCipherOrder on, so that the server picks from its own list in the order given rather than taking the client's first preference; that is what the "strongest cipher both support" description in section 2 assumes. +TLSv1.3 needs Apache 2.4.36 or later built against OpenSSL 1.1.1 or later; on older builds omit it. Restart Apache and re-test after any change.

5.2 IIS

Follow this Microsoft guide: http://support.microsoft.com/kb/245030 (How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll). On Windows the accepted protocols and ciphers are controlled by the Schannel registry keys rather than by IIS itself, so the same change applies to every service on that server that uses Schannel.

6 Testing your certificate

Payius provide a free SSL cert testing service: just e-mail support@payius.com with the URL of your secure server and we'll send you back the results. You can also test yourself: openssl s_client -connect host:443 -cipher NAME attempts a handshake with one specific cipher and fails if the server refuses it, nmap --script ssl-enum-ciphers -p 443 host enumerates everything the server accepts, and the Qualys SSL Labs server test (https://www.ssllabs.com/ssltest/) grades the whole configuration.
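The two checks above, the cipher-list audit of section 4.1 and the SSLCipherSuite string of section 5.1, can be scripted so they run before a configuration change is deployed. The Python below is an added example written for this edit; it is not Payius code and is not part of the original guide. The first part parses output in the format of openssl ciphers -v and flags every suite that falls under the guide's 128-bit minimum or that has since become obsolete; the sample list is constructed to mirror the www.microsoft.com table in section 4.1 (the cipher names and strengths are OpenSSL's, but the list was not captured from a live server). The second part hands an Apache SSLCipherSuite string to the local OpenSSL through Python's ssl module, which receives the string exactly as Apache does, and reports what it actually enables; the HARDENED string is an assumed replacement for the guide's original, not a Payius recommendation.

```python
"""Audit a server's cipher list and vet an Apache SSLCipherSuite string, offline.

Added example for this edit (not Payius code). Cipher names and strengths are
OpenSSL's; the sample list is constructed to mirror the guide's table.
"""
import re
import ssl

PCI_MIN_BITS = 128  # the guide's minimum acceptable cipher strength

# Constructed sample in `openssl ciphers -v` format, mirroring the list the
# guide reports for www.microsoft.com. Not captured from a live server. The
# repeated names are the SSLv2 and SSLv3 forms of the same suite.
SAMPLE_CIPHER_LIST = """\
AES256-SHA       SSLv3 Kx=RSA      Au=RSA Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA     SSLv3 Kx=RSA      Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5     SSLv2 Kx=RSA      Au=RSA Enc=3DES(168) Mac=MD5
AES128-SHA       SSLv3 Kx=RSA      Au=RSA Enc=AES(128)  Mac=SHA1
RC4-SHA          SSLv3 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=SHA1
RC4-MD5          SSLv3 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
RC2-CBC-MD5      SSLv2 Kx=RSA      Au=RSA Enc=RC2(128)  Mac=MD5
RC4-MD5          SSLv2 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
DES-CBC-SHA      SSLv3 Kx=RSA      Au=RSA Enc=DES(56)   Mac=SHA1
DES-CBC-MD5      SSLv2 Kx=RSA      Au=RSA Enc=DES(56)   Mac=MD5
EXP-DES-CBC-SHA  SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5  SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5      SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5  export
EXP-RC2-CBC-MD5  SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5      SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5  export
"""

# The guide's section 5.1 string, and an assumed hardened replacement.
GUIDE_ORIGINAL = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# One `openssl ciphers -v` line: name, protocol the suite was introduced in,
# key exchange, authentication, Enc=ALG(bits), Mac=..., optional "export".
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=\S+\s+Au=\S+\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)

OBSOLETE_ENC = {"RC4", "RC2", "DES", "3DES", "None"}  # broken or deprecated today


def parse_cipher_list(text):
    """Parse `openssl ciphers -v` output into dicts; raise on an unknown line shape."""
    suites = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        suites.append({
            "name": m["name"],
            "protocol": m["proto"],
            "enc": m["enc"],
            "bits": int(m["bits"] or 0),  # Enc=None carries no key length
            "mac": m["mac"],
            "export": m["export"] is not None,
        })
    return suites


def reasons_to_disable(suite, min_bits=PCI_MIN_BITS):
    """Return why this suite should be turned off; an empty list means it may stay."""
    reasons = []
    if suite["bits"] < min_bits:
        reasons.append(f"{suite['bits']}-bit encryption is below the {min_bits}-bit minimum")
    if suite["export"]:
        reasons.append("export-grade suite")
    # The protocol column is the version a suite was introduced in (AES128-SHA
    # shows "SSLv3" yet runs under TLS 1.2), so only SSLv2 means SSLv2-only.
    if suite["protocol"] == "SSLv2":
        reasons.append("SSLv2-only suite")
    if suite["enc"] in OBSOLETE_ENC:  # nominally 128/168 bits, but broken since the guide
        reasons.append(f"{suite['enc']} is obsolete")
    if suite["mac"] == "MD5":
        reasons.append("MD5 MAC")
    return reasons


def audit(text, min_bits=PCI_MIN_BITS):
    """Reproduce the guide's count of sub-128-bit suites and list all that should go today."""
    suites = parse_cipher_list(text)
    return {
        "total": len(suites),
        "below_minimum": [s["name"] for s in suites if s["bits"] < min_bits],
        "disable": sorted({s["name"] for s in suites if reasons_to_disable(s, min_bits)}),
    }


def vet_cipher_string(cipher_string):
    """Ask the local OpenSSL what an Apache SSLCipherSuite string enables.

    Apache hands the string to OpenSSL exactly as Python's ssl module does, so
    this is what httpd would offer for TLS 1.2 and below. TLS 1.3 suites are
    listed by get_ciphers() regardless; Apache 2.4.36+ configures those with a
    separate "SSLCipherSuite TLSv1.3 ..." line. Returns None if the string
    matches no cipher in this OpenSSL build.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    enabled = []
    for c in ctx.get_ciphers():
        try:  # the "description" field has the same shape as a ciphers -v line
            enabled.append(parse_cipher_list(c["description"])[0])
        except ValueError:
            enabled.append({"name": c["name"], "protocol": c["protocol"], "enc": "?",
                            "bits": c.get("strength_bits", 0), "mac": "?", "export": False})
    return {
        "count": len(enabled),
        "weakest_bits": min(s["bits"] for s in enabled),
        "disable": sorted({s["name"] for s in enabled if reasons_to_disable(s)}),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CIPHER_LIST)
    print(f"{len(result['below_minimum'])} of {result['total']} suites are below "
          f"{PCI_MIN_BITS} bits: {', '.join(result['below_minimum'])}")
    print("should be disabled today:", ", ".join(result["disable"]))
    for label, s in (("guide's original", GUIDE_ORIGINAL), ("hardened", HARDENED)):
        print(f"{label}: {vet_cipher_string(s)}")
```

Feed audit() the real output of openssl ciphers -v or of a scanner that prints the same format, and run vet_cipher_string() on the exact string you intend to put in SSLCipherSuite; because Apache and Python both pass it to OpenSSL unchanged, a string that still enables RC4 or 3DES here will enable them on the server too.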