[Legal Stuff] Need some help or advice from experienced web designers

Discussion in 'BlackHat Lounge' started by B_Fish, Nov 27, 2014.

  1. B_Fish

    B_Fish Regular Member

    Joined:
    Feb 7, 2012
    Messages:
    212
    Likes Received:
    53
    Occupation:
    Student
    Location:
    Indiana, USA
    Home Page:
    BHW family, I need some help.

    So I've landed a local business for a web design package in which I'll build them an entirely new website with content, images, and everything they need. I've done a few websites before with other small businesses and have them sign a pretty generic contract basically outlining the terms and conditions along with what I will do and for how much. The big difference in this deal is they're wanting to do some ecommerce. They want to be able to sell some of their product online and have it set up to where customers can pay online and either have it shipped to them or pick it up in store.

    Now, since I've never done an ecommerce website for anyone besides myself, I've never set up a contract outlining terms and conditions of ecommerce. What I'm worried about is someone hacking into their site, stealing credit card info, hacking their paypal, somehow getting into their bank accounts, etc. Basically any situation where they have money stolen out of their account. They do a relatively decent amount of business and once this gets set up, they'll have at least hundreds going through the payment processor every month.

    Now I know I'm just the designer and I've stated that, but I'm helping them set up the hosting and getting their domain transferred (they already had a very basic site). If something were to happen, say their site gets hacked and money is stolen from their account, the hosting company would be accountable, correct? Does anyone know of any resources that could help me outline a contract to give me the position that if something like this happened I'm not accountable for any losses associated with the situation?

    Secondly, how important is it to have an SSL certificate? From what I've already read from a simple Google search, it seems almost essential for online transactions, but I want to get all of your opinions too. Also, what kind of SSL certificate should I be purchasing? I'm using NameCheap and they seem to have such a huge selection that I almost don't know what to choose.

    Finally, does anyone know of any information regarding PCI (Payment Card Industry) standards? I stumbled upon some of that information when reading about SSL certificates and I've never heard of any of that.

    Thanks again you all!

    -B_Fish
     
  2. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,260
    Likes Received:
    5,067
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    You can easily create a WordPress + WooCommerce site. I have done it quite easily on my first attempt. I googled this to start/learn:
    Tutorials wordpress woocommerce setup

    But then I also used a custom theme/template (I created it), so I can't tell you much about the WooCommerce-specific themes available online (both free and paid versions are available, and there are plenty of WooCommerce plugins/addons you can use).

    Re: SSL certificate: If the seller is collecting direct payments then he needs SSL (HTTP + SSL), or else if he is just using WP + WooCommerce and using a third-party payment processor, the site can do without SSL. That's what I got to know from my Indian payment processor when I began my own ecom site. It (a site without SSL, i.e. not using "httpS") may not be completely secure though, and you need to do more research. If you want to keep the customer on your ecom site (and not send them to the payment gateway's secure https site) while they are paying, then you need the SSL, and the payment gateway will / may suggest this to you as and when they inspect your site to authorise you to use their payment gateway...

    Read about it here:
    Code:
    http://docs.woothemes.com/document/ssl-and-https/
    If you want to add SSL to a WooCommerce site, then Google (for example):
    SSL for woocommerce

    Anyway, if your site takes your customer to the payment gateway's site for payment of your items, then the CC / payment-related info is stored on the very secure payment gateway site, and so you need not worry much about the CC info being hacked from your site. Although a hacker can get any info if he/she wants to, but that's another issue. :)

    Maybe my information above is not completely accurate, but that's what I know, and I am using WP + WooCommerce (plus a lot of other things like plugins, PHP code, etc. on it), and the (free) PayUmoney payment gateway to collect payments from Indian customers securely.

    Additionally (for my Indian friends here, because the payment gateway mentioned and which I am using is India-specific only):

    I haven't opened a company yet, and the above site is used as an "individual", which needs no formal opening of a company, which requires a lot of conditions to be fulfilled. (This info is for my Indian friends here who may wish to have a small ecom site created, but who have no formal company formed so that they can have bigger payment gateways attached to their site.) PayUmoney is a free and good secure payment gateway for India and performs transactions from Indian customers. They have another version which accepts Indian as well as international payments too. As far as I know, PayUmoney is the only FREE India-specific payment gateway available which is also available to Indian "individuals" as well as Indian companies.

    For collecting international payments, you can use the free PayPal along with the above payment gateway which collects payments from Indian customers.

    HTH
     
    Last edited: Nov 27, 2014
  3. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,260
    Likes Received:
    5,067
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    Re: regarding using SSL (i.e. using https:// instead of the normal http://), I checked just now in my niche, and found that most of the biggest sellers are not using https:// for their ecom site. Also they are using a third-party payment gateway to do money transactions.

    To check in your niche, google:
    buy <your niche product> -ebay -amazon -<whatever pro marketplaces like ebay/amazon are occupying the top SERP spots>

    That will display the normal customer sites selling your products. Then click on some and see if they are using https:// for their site, and also check which payment gateway they are using.

    hth :)
     
  4. B_Fish

    B_Fish Regular Member

    Joined:
    Feb 7, 2012
    Messages:
    212
    Likes Received:
    53
    Occupation:
    Student
    Location:
    Indiana, USA
    Home Page:
    Thank you both, it does help a little bit.

    Also, if the business is using PayPal Pro, is there a need for an SSL certificate?
     
  5. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,260
    Likes Received:
    5,067
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    Re: PayPal Pro, I am only using the Standard version, so I don't have any idea about PP Pro... but you may contact PP directly and also read the following to get more information.

    If you're in the US or another such western country where correct knowledge about payment gateways is of utmost importance, legally too, then my humble advice to you would be to get your questions answered directly from PayPal support, either through email or through the telephone. In the past, PayPal has been asked similar questions by me through email only (ofc, because I live in India, and it would cost me a lot to call their US office -- their India office is a joke... lol), and they have always promptly answered my queries.

    On a forum, you might get mixed answers, so imo it is best to contact their support team directly.

    Please check this:

    https://www.paypal.com/cgi-bin/webscr?cmd=_wp-pro-integration-outside

    Also there is their 'contact us' link on the left side of that page which you can also use.

    HTH
     
  6. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,260
    Likes Received:
    5,067
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    Just found this which should help you :):

    Code:
    https://www.paypal.com/sg/cgi-bin/webscr?cmd=_payflow-pro-faq-outside
    ~Quote:
    Security and Reliability

    Do I need a Secure Socket Layer (SSL) certificate if I use Website Payments Pro?

    Yes. With Website Payments Pro, your customers enter their credit card information into a form that you host on your server. To protect your customer's payment information transmitted over the Internet, you will need an SSL certificate on your web server. Learn more about https://www.paypal.com/sg/cgi-bin/webscr?cmd=xpt/Marketing/merchant/CompatibleSSLCertPartner-outside

    ~Unquote (Highlight mine)
     
  7. B_Fish

    B_Fish Regular Member

    Joined:
    Feb 7, 2012
    Messages:
    212
    Likes Received:
    53
    Occupation:
    Student
    Location:
    Indiana, USA
    Home Page:
    Awesome, thank you for that link, that helps out a lot. I hadn't seen that page, so that's a big help.


    Another thing. If my customers are going to PayPal to complete the purchase and they submit their information there, do I even have to worry about PCI compliance standards?

    Thanks
     
  8. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,260
    Likes Received:
    5,067
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    As a web-designer/developer for your e-merchant clients, your site for them has to be fully compliant imo.

    See this:
    Code:
    https://www.pcisecuritystandards.org/
    Code:
    https://www.pcisecuritystandards.org/smb/
    Look at the topics and note them down. Then do the research to bring you up to date on what concerns you now. As a merchant who is developing an e-com site for yourself, or as a developer of a hi-Q professional merchant site for others, you need to know what issues (security, esp. the money-transaction related ones) concern a merchant and his e-com site.

    If you don't find good information on that site, you can at least copy-paste the topics into google and search for details. I think that it will cover most of your doubts in toto.

    Whatever comes to your mind concerning these topics, do a Google search -- you will come across exclusive details on about everything! Note down everything and take points... you will soon become a pro executive in your field, and it will ofc aid all your merchant customers. That would as well cover most of the '100% Customer Satisfaction Guarantee' fulfillment of your business! Remember, site security is one of the most important aspects of any ecom site... don't ever try to store any of the sensitive card-related data on your site or the server... let the professionally-managed payment gateway do it (on their very secured site) for you or for your e-merchant clients.

    P.S.:

    Taking precautions to not leak any confidential data from the ecom site, not allowing scammers/hackers on the site as far as possible, and not storing the serious-natured CC-etc. related confidential data on the site is a small part of being 100% (PCI, etc.) compliant imo. IMO, it is better to let the payment gateway handle the payments and you should allow the customer to go to their site to pay, than to handle the payments on your own site (which is obviously not present in the fully controlled atmosphere of your own data center).

    Almost all customers will never mind going to a payment gateway, for example the PayPal site, to pay for your product. Anyway, they come back to your site after the payment is done, and then you can do more marketing on a Thank You page before this whole sales transaction is completely closed. :)
     
    Last edited: Dec 1, 2014
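The distinction the thread keeps circling back to (posts 2, 6 and 8) is where the card number actually goes: a checkout form hosted on the merchant's own server (the Website Payments Pro case quoted in post 6) means card data transits that server, so the site needs TLS and the server is in PCI DSS scope; a form that posts straight to the gateway, or a page that simply redirects to the gateway with no card fields, keeps card data off the merchant's host. The following is an added example, not code from the thread or from any of the products mentioned, that makes that check mechanical: it parses a checkout page's HTML, finds forms that collect card fields, and classifies each by the scheme and host of its submit target. The sample pages, hostnames (shop.example.com, gateway.example.net) and field-name heuristics are constructed for illustration.

```python
"""Classify where a checkout page sends card data (constructed example).

Given a checkout page's HTML and its URL, find every <form> that collects
card fields and report whether the data is posted over plain HTTP, sent as
a query string, posted to the merchant's own host, or posted directly to a
third-party gateway host. No network access is needed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Substrings of <input name="..."> that indicate raw card data is collected.
# Heuristic, constructed for this example; real field names vary by platform.
CARD_FIELD_HINTS = ("card", "cvv", "cvc")

# Verdicts, worst first, used to pick an overall result for the page.
SEVERITY = ("plain-http", "card-in-query", "merchant-hosted", "gateway-direct")


class FormCollector(HTMLParser):
    """Collect each <form>'s action/method and the names of its <input>s."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_card_form(fields):
    """True if any input name looks like a card number / CVV field."""
    return any(hint in name for name in fields for hint in CARD_FIELD_HINTS)


def classify_checkout(html, page_url):
    """Return [(resolved_action_url, verdict)] for each card-collecting form."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    results = []
    for form in parser.forms:
        if not is_card_form(form["fields"]):
            continue  # e.g. a plain "redirect to gateway" form: no card data here
        action = urljoin(page_url, form["action"])  # relative action => same host
        target = urlparse(action)
        if target.scheme != "https":
            verdict = "plain-http"        # card data in clear on the wire
        elif form["method"] != "post":
            verdict = "card-in-query"     # ends up in URLs, logs, referers
        elif target.hostname == page_host:
            verdict = "merchant-hosted"   # your server handles the PAN: TLS + PCI scope
        else:
            verdict = "gateway-direct"    # browser posts to the processor's host
        results.append((action, verdict))
    return results


def overall_verdict(results):
    """Worst verdict on the page, or 'no-card-form' if nothing collects cards."""
    if not results:
        return "no-card-form"
    return min((v for _, v in results), key=SEVERITY.index)


# Constructed sample pages (not captured from any real site).
SAMPLE_REDIRECT = """
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="cmd" value="_xclick">
  <input type="hidden" name="item_name" value="Widget">
  <input type="hidden" name="amount" value="19.99">
</form>"""

SAMPLE_MERCHANT = """
<form action="/process-payment" method="post">
  <input name="card_number"><input name="expiry"><input name="cvv">
</form>"""

SAMPLE_GATEWAY = """
<form action="https://gateway.example.net/tokenize" method="post">
  <input name="card_number"><input name="cvc">
</form>"""

if __name__ == "__main__":
    for label, html, url in (
        ("redirect", SAMPLE_REDIRECT, "https://shop.example.com/checkout"),
        ("merchant", SAMPLE_MERCHANT, "https://shop.example.com/checkout"),
        ("plain", SAMPLE_MERCHANT, "http://shop.example.com/checkout"),
        ("gateway", SAMPLE_GATEWAY, "https://shop.example.com/checkout"),
    ):
        res = classify_checkout(html, url)
        print(f"{label:9s} {overall_verdict(res):15s} {res}")
```

Run against a saved copy of the checkout page, a "merchant-hosted" result is the signal that the SSL-certificate and PCI questions in this thread apply in full to that server; "no-card-form" or "gateway-direct" is the redirect/hosted-payment arrangement post 8 recommends, where the certificate still protects the customer's session but the card number never touches the merchant's host.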