Secure Hosted Payments

It is exciting to finally have Secure Hosted Payments for WooCommerce live and ready for action. It has literally been years in the making. Combining simplicity with security is a tricky thing to do. Let me share a couple of reasons why we built this app and why it might be something you’d be interested in checking out. It’s not often that “best” and “easiest” come together in the same place.

Secure Hosted Payments for WooCommerce

The name pretty much says it all: this service provides a secure, PCI compliant hosted payment page for your WooCommerce website. Over the last few years, e-commerce and WooCommerce have grown and, with that, the requirements for running a safe and secure e-commerce website have become more and more strict. Gone are the days when you might just write a PHP script to send credit card data to a payment gateway. If your web server touches any of the credit card information (often called cardholder data), then you have a long list of requirements and controls your server and website need to meet in order for your payment gateway to issue you an account. Secure Hosted Payments was built to maximize both the security and the ease of processing payments for your WooCommerce site.

Self-Assessment Questionnaires Explained

For small to medium e-commerce sites (which includes the vast majority of all WordPress-based stores) you need to comply with what is called a Self-Assessment Questionnaire. There are two different questionnaires that apply to most stores. There is the “easy” one called the SAQ A. Then there is the “hard” one called the SAQ A-EP. More specifically, the SAQ A has about 13 questions where you essentially state that a third party handles the details of processing payments for your site. The SAQ A-EP is 139 questions, many of which most people can’t even understand, much less actually comply with. For example, here are the first two questions on the form:

  • Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
  • Is the current network diagram consistent with the firewall configuration standards?

The list goes on for over 130 more questions.

How To Avoid The Hard Questions

The SAQ A is clearly the questionnaire you want to be able to use so that you can answer your 13 questions and move on with your business. In order to use the SAQ A and avoid the painful questions of the SAQ A-EP you have to meet a few conditions. For e-commerce stores, the big condition is this:

All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s).

The two methods of meeting this requirement are currently:

  1. Use an iFrame to pull in the payment form hosted by a PCI compliant server where your customers enter their credit card data.
  2. Use a secure payment page hosted on a PCI compliant server.

Other solutions, such as posting the cardholder data directly to your payment gateway from the HTML form on your site or using JavaScript to send the cardholder data, both fail to meet the criteria for using the SAQ A because all elements of the payment page need to originate from a PCI DSS validated provider.

Why Not Just Use An iFrame Then?

There are two items which may give you pause when considering the option of securing your customers’ payments with an iFrame. First, you have to buy and install your own SSL certificate. This adds cost and complexity to your hosting account. You’ll probably need to get a dedicated IP address for your site and you have to renew your SSL certificate at least once per year. In other words, there is added cost and hassle.

The more concerning issue, however, is that it isn’t very hard to hack an iFrame. A malicious snippet of JavaScript can find its way onto your site, or a hacker could in some other way just change one little URL and start pulling the source for your iFrame from a bogus server. All you have to do is change the iFrame tag from something like this:

to something like this:

Neither you nor your customers would have any idea that they were sending credit card data to criminals because your site’s checkout page would still look the same. You’d still have the SSL lock and everything. There is no visual warning that your site was hacked and your customers’ credit card data is getting sent to the bad guys.
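As an added example (not code from the original post or from the Secure Hosted Payments product), here is the kind of check a store owner can run against the iFrame approach described above: it compares every iFrame src on the checkout page with an allowlist of PCI-validated provider origins and flags anything else, and it builds the Content-Security-Policy frame-src value that makes the browser itself refuse a swapped-in URL. The provider origin and the rogue hosts are placeholders, and the src attributes are passed in as strings so the check runs outside a browser.

```javascript
// Added example, not from the original post. Origins below are placeholders.
const ALLOWED_PAYMENT_ORIGINS = new Set([
  "https://payments.example-pci-provider.com", // placeholder for the real provider origin
]);

// Return the origin of an iframe src, or null when it is not an absolute https URL.
// A relative or protocol-relative src cannot be verified, so it is treated as untrusted.
function iframeOrigin(src) {
  let url;
  try {
    url = new URL(src);
  } catch (e) {
    return null; // relative or malformed src
  }
  if (url.protocol !== "https:") return null; // plain http would not show the SSL lock anyway
  return url.origin;
}

// Given the src attribute of every iframe on the checkout page, return the ones whose
// origin is not on the allowlist. An empty result means no iframe has been redirected.
// In a browser the input would be built from document.querySelectorAll("iframe").
function findRogueIframes(srcs) {
  return srcs.filter((src) => !ALLOWED_PAYMENT_ORIGINS.has(iframeOrigin(src)));
}

// The frame-src directive to send in the Content-Security-Policy response header so the
// browser blocks any iframe whose src is not an allowed origin, even after HTML tampering.
function buildFrameSrcPolicy() {
  return "frame-src " + [...ALLOWED_PAYMENT_ORIGINS].join(" ") + ";";
}

// Constructed samples: an intact checkout page and one whose iframe tags were altered.
// The lookalike host only prepends the legitimate name, so a naive substring check would pass it.
const INTACT_PAGE = ["https://payments.example-pci-provider.com/form?merchant=123"];
const TAMPERED_PAGE = [
  "https://payments.example-pci-provider.com/form?merchant=123",
  "https://payments.example-pci-provider.com.rogue-host.invalid/form", // lookalike host
  "//rogue-host.invalid/form", // protocol-relative src, cannot be verified
];
```

A check that runs inside the compromised WordPress page can itself be removed by whoever altered the page, so the header-enforced frame-src policy is the stronger of the two controls. Moving the whole payment page off the WordPress host, as the next section describes, takes this class of tampering out of scope entirely.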

The Safest Option

The most secure option is to have your entire payment page hosted on a secure, PCI DSS compliant server – and that is what Secure Hosted Payments for WooCommerce is. Here are the reasons why Secure Hosted Payments is the most secure option for running a secure WooCommerce site:

  • You don’t need your own SSL certificate
  • Your entire page is securely hosted
  • No hackers can access or change anything even if your WordPress site is hacked

Seamless Customization Is The Difference

There are other hosted payment page options out there. Some payment gateways offer a hosted payment page service. Also, there is PayPal, which acts as a 3rd party payment processor. What makes Secure Hosted Payments for WooCommerce different from all other hosted payment pages is that you skin your payment page with your WordPress theme. Even though your payment page is hosted on a 3rd party PCI DSS server, it still looks exactly like the rest of your WordPress site. Other services might let you pick colors or upload a logo, but Secure Hosted Payments actually imports your WordPress theme with a single click to provide a seamless experience. Your customers won’t even think they left your site.

The Best AND The Easiest

How often can you say that the same solution is both the best AND the easiest? Normally you would say something like, “Well, you can do it this way and it’s easy, but if you really want the most secure solution you need to do this harder thing.”

With Secure Hosted Payments for WooCommerce you can take the easy route and have the best, most secure solution.

If you’re looking for a great way to keep your payments safe and secure, head over to Secure Hosted Payments for WooCommerce.

2 thoughts on “Secure Hosted Payments”

  1. Rick says:

    How does this compare to Cart66 Cloud? Should we be transitioning to this new product instead?

  2. Lee says:

    Hi Rick. Secure Hosted Payments is just a way to allow WooCommerce stores to use our platform for secure hosted payment pages. Cart66 Cloud offers a whole lot more than just a secure payment page. Cart66 secures your product definitions (so hackers can’t change the prices), all your customer data, the shopping cart contents, your order history, etc. Every aspect of your ecommerce data is secured by Cart66 in addition to providing a secure hosted payment page that looks exactly like your WordPress site. So, there’s certainly no need to transition to Secure Hosted Payments unless you wanted to use WooCommerce. A lot of people find Cart66 easier to use and more affordable since you get all the tools you need in one package. If you have any other questions, just let me know. Thanks for stopping by 🙂
