Requirements for an e-commerce site.

1) As far as I know, you would only need your own SSL certificate if you wish to transfer information securely yourself (Taking the customer's name and address, for example, might give peace of mind to the customer if they knew it was done securely). If you are using PayPal to handle payments in their entirety, you do not need your own SSL certificate.

2) Not sure, sorry. All I would suggest is make sure the little padlock icon (or whatever your web browser uses to indicate you are browsing a secure page) is displayed.

3) Again, not sure. Sorry :)

Hello everyone.

I am currently building a website for a business I plan to start up sometime this year. I have a few questions as to what the requirements are for an e-commerce site and best practice for some parts. I will number the questions so that they can be answered by simply numbering the answers.

1. SSL Certificate
One thing I will likely be doing when the site launches is using a third party such as PayPal to handle payments to begin with. I know that PayPal uses it's own site/SSL Certificate to take the payment but would I still require an SSL Certificate on my site even if I don't hold any personal information at all?

2. Checkout
I will at some point have my own checkout system (at which time I will have a valid SSL certificate). What testing should I do to make sure it is as secure as possible?

3. Terms & Conditions/Privacy Policy
I know that I will need to specify exactly how any information held will be used and specify any and all activity which would result in a ban but I want to make sure I'm not missing anything. What things must I cover in the Terms & Conditions and Privacy Policy?

If I think of any other questions, I'll post them.

Hello,
Answer to your questions are very much possible. I am associated with a company Need eCommerce who can give you the best possible solutions. Here only u can relax and we can take care of all your problems regarding developing ecommerce sites.
If U wish we can talk about it in detail.

cheers!
andy
andy[dot]mathew10[at]gmail[dot]com

1. You always need an SSL certificate on an ecommerce site. There are several reasons for this - for example the https facility, and customer credibility. There are exceptions, such as when you operate within a specialist ecommerce hosting facility that provides this sort of facility even to independent websites, if they are physically located within that host's building (for example 1st Easy).

2. There is only one answer that can be given regarding web security - and especially that of ecommerce sites - the owner is most unlikely to be able to fix it, improve it, or audit it. Server security is a specialist field and the reason so many websites are exploited is that people think they can do it themselves. And, sometimes, they start with good intentions, but then it all slides. A test you can make: find websites running a popular ecommerce application for which plenty of info and support is available. Check to see if they have implemented the latest patches and upgrades (might require some specialist knowledge). A surprising number haven't, meaning they are open to attack by those with the knowledge and motivation.

Contract with an expert - or pay the price. When building your site you can follow the detailed security directives for your ecommerce app, that are given for all well-run projects / apps. Research server security and fix what you can. By the way, the security and security support your hosts provide is by far the most important thing you pay them for - and you do get what you pay for. :)

Do what you can - then recognise that there must be holes that you will never be be able to find or fix. You don't repair your own TV, you take it to an expert - what would you know about it? And it's the same for website security.

Note also that plugins have their own security issues. All dynamic sites (those running off a database) use plugins to increase their functionality. Don't install a plugin unless you have checked its security in some way. For example there might be a security section at the ecommerce apps's central site, with good/bad plugins listed (check Joomla CMS for a good example of this), plus a regular security bulletin (you need to get on this).

3. The required ToS and similar site docs vary according to locality. If you are running a business, it might be an idea to ensure you've got it right, so I suggest you get some advice from an expert. If you google Chip Coooper, he's a web law expert who provides a full set of stock website docs for a very low fee. And get on his newsletter.

So basically - it's possible to do some of this stuff as a beginner, although you need to be very good indeed at research in order to get it half-right. But a business owner is not normally going about it the right way if they are happy with 'half-right'. You should be trying to be the best.

I'm a web business manager so I've seen it done every which way. In general, aiming for the best quality achievable is the right way. The secret of course is to do that within budget - and that's the hard bit. :)

1. You always need an SSL certificate on an ecommerce site. There are several reasons for this - for example the https facility, and customer credibility. There are exceptions, such as when you operate within a specialist ecommerce hosting facility that provides this sort of facility even to independent websites, if they are physically located within that host's building (for example 1st Easy).

2. There is only one answer that can be given regarding web security - and especially that of ecommerce sites - the owner is most unlikely to be able to fix it, improve it, or audit it. Server security is a specialist field and the reason so many websites are exploited is that people think they can do it themselves. And, sometimes, they start with good intentions, but then it all slides. A test you can make: find websites running a popular ecommerce application for which plenty of info and support is available. Check to see if they have implemented the latest patches and upgrades (might require some specialist knowledge). A surprising number haven't, meaning they are open to attack by those with the knowledge and motivation.

Contract with an expert - or pay the price. When building your site you can follow the detailed security directives for your ecommerce app, that are given for all well-run projects / apps. Research server security and fix what you can. By the way, the security and security support your hosts provide is by far the most important thing you pay them for - and you do get what you pay for. :)

Do what you can - then recognise that there must be holes that you will never be be able to find or fix. You don't repair your own TV, you take it to an expert - what would you know about it? And it's the same for website security.

Note also that plugins have their own security issues. All dynamic sites (those running off a database) use plugins to increase their functionality. Don't install a plugin unless you have checked its security in some way. For example there might be a security section at the ecommerce apps's central site, with good/bad plugins listed (check Joomla CMS for a good example of this), plus a regular security bulletin (you need to get on this).

3. The required ToS and similar site docs vary according to locality. If you are running a business, it might be an idea to ensure you've got it right, so I suggest you get some advice from an expert. If you google Chip Coooper, he's a web law expert who provides a full set of stock website docs for a very low fee. And get on his newsletter.

So basically - it's possible to do some of this stuff as a beginner, although you need to be very good indeed at research in order to get it half-right. But a business owner is not normally going about it the right way if they are happy with 'half-right'. You should be trying to be the best.

I'm a web business manager so I've seen it done every which way. In general, aiming for the best quality achievable is the right way. The secret of course is to do that within budget - and that's the hard bit. :)

Thanks for your help and advice.

I won't be paying a host as I will be setting up my own servers. I have experience setting up servers and ensuring security for them so I know about required settings and such. I haven't worked on a site that required an SSL certificate before as everything I've made requires no personal information.

The website itself will be completely built by me (except payment handling at first which will be handled by PayPal or another trusted checkout system) so I can be sure that I know exactly what is happening and if there's errors, I can fix it ASAP. Before the site even goes live, I will be testing it fully to ensure security.

Fine.

ZenCart have some resources on ecommerce security you could look at.

To decide which software to use, though, you need to make a list of your priorities and set the order of those requirements according to your preference. That will tell you which to choose.