Securing a site and payment options.


08-Dec-11 04:27
When securing a site, are certificates like Verisign the best option to go for?
Also, if one is accepting donations for a charity, and they want to keep costs to a minimum, is a 3rd party gateway a better option?
11-Dec-11 17:11
@TruthConquers: If your secure pages are public-facing then you need an SSL/TLS certificate, otherwise users will get all sorts of browser warnings whenever they try to access your pages. I've used http://www.rapidssl.com/ before and they're pretty good.

If the charity is expecting a fairly low volume of donations then something like PayPal might be a better option - although be careful of this!

http://digitallife.today.msnbc.msn.com/_news/2011/12/07/9280634-why-paypals-bad-reputation-is-bigger-than-regretsy

Basically it's all about transaction volume. If volume is low, it doesn't make sense to spend the time and money setting up your own payment pages. If volume is high then you'll want to set up your own pages to avoid the higher transaction charges of 3rd party providers like PayPal.

--
Matt Doyle, Elated
3rd Edition of my jQuery Mobile book out now! Learn to build mobile web apps. Free sample chapter: http://store.elated.com/
12-Dec-11 07:43
Thanks for the insight!

http://www.geotrust.com/ssl/extended-validation-ssl/

They are very cost effective!

Anyway thanks once again, wishing you, the elated team and families all the best for the new year.

[Edited by TruthConquers on 12-Dec-11 07:53]
17-Dec-11 03:22
@TruthConquers: You're welcome, and thanks! I hope you also have a fantastic new year.

Best wishes,
Matt

17-Dec-11 17:47
Bear in mind that if you are taking credit card details ON YOUR PAGES or storing CC details at all, the website AND all your systems will have to be PCI compliant ( http://www.pcisecuritystandards.org/ ).

An SSL certificate does NOT secure your website or your database information. All that SSL does is to encrypt the communication between the client browser and the server during the HTTPS process so that it cannot be intercepted using "sniffers" or wireless "eavesdropping".

You have to ensure data security and maintain the systems so that customers' financial details cannot be compromised in any way at all. This includes physical access to data as well. So just for the website you have to be running, at the very least, a dedicated server in a datacentre that has already been approved for PCI compliance.

If you use a payment gateway where the customer is taken to a third party page on the gateway provider's system, you do not need PCI as it is the provider who needs to be compliant.

[Edited by chrishirst on 17-Dec-11 17:48]

--
Chris.
So long, and thanks for all the fish.
http://webmaster-talk.eu/
19-Dec-11 23:20
Very good points Chris! I'd forgotten about PCI. It's a lot easier just to post your checkout form to the provider's payment page, and it removes your need for PCI compliance too. It also gives the shopper confidence that they're sending their card details to an actual payment provider, rather than some site they may not trust. This is actually what we do on http://store.elated.com/ .

Merry Xmas!
Matt

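
The approach discussed in the posts above (letting the provider's page collect the card details) can be checked mechanically. The following is an added example, not part of the original thread and not Elated's code: a Python check that parses a checkout page and flags any form whose card fields would be submitted without HTTPS or to a host other than the payment gateway. The hostnames, field names and the name-matching heuristic are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Heuristic field-name fragments suggesting card data (an assumption, not a standard).
CARD_HINTS = ("card", "cvv", "cvc", "expir")

class FormAuditor(HTMLParser):
    """Records each <form>'s action and any card-like input names inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "card_fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if any(hint in name for hint in CARD_HINTS):
                self._current["card_fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_checkout(html, page_url, gateway_hosts):
    """Flag forms whose card fields go anywhere but an approved gateway over HTTPS."""
    parser = FormAuditor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["card_fields"]:
            continue  # e.g. a form that only hands the amount to the gateway
        # An empty or relative action resolves against the page, as in a browser.
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append((target.geturl(), "card fields sent without TLS"))
        elif target.hostname not in gateway_hosts:
            findings.append((target.geturl(), "card fields posted to a non-gateway host"))
    return findings

# Constructed sample page: hostnames and field names are hypothetical.
SAMPLE = """
<form action="https://pay.gateway.example/checkout" method="post">
  <input name="amount"><input name="charity_id" type="hidden"></form>
<form action="/donate/process" method="post">
  <input name="card_number"><input name="cvv"></form>
"""
```

Calling `audit_checkout(SAMPLE, "https://charity.example/donate", {"pay.gateway.example"})` reports only the second form, because its card fields would reach the site's own server.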