Some Basic Questions & Answers
Q: What are “secure certificates?”
A: A secure certificate assures customers that the server they are
accessing belongs to the company it claims to belong to. A valid certificate
means that the customer can have confidence that the data they are submitting
is indeed going to the right place. Additionally, secure certificates enable
data from the customer’s web browser to the merchant’s server to
be transmitted in an encrypted, and thus secure, format.
Q: How is one used?
A: The Certificate resides on our server. It creates a secure connection
between the shopper’s browser and our server. Any data the shopper sends is
then encrypted for transmittal to the server.
Q: Where can I get one?
A: You can order Thawte certificates from us. As a reseller, we can
purchase for less and pass the savings along to you. We can apply for the
certificate on your behalf, with the initial purchase fee and subsequent
annual renewals charged to your SoVerNet account.
We will also install other certificate brands such as Verisign, should you
prefer to obtain your certificate elsewhere. The Setup fee for all certificates
is $150.
We currently provide 3 certificate options. All 3 are 128-bit capable. They
differ only in the degree of stringency applied to the verification of your
business entity (and thus the degree of assurance provided to your customer),
and the Super/SGC has the ability to step-up older browsers to 128-bit encryption.
The other 2 drop back to 40-bit when encountering a browser not 128-bit capable.
The Standard Certificate validates the business entity itself, the authority
of the applicant to order the certificate, and the validity of the domain name.
Issuance takes roughly 2 days.
SSL123 certificates validate the domain registration and the applicant's authority
to order the certificate. Issuance takes just a few minutes.
Super/SGC certificates validate the business entity, the authority of the
applicant, and the domain, and incorporate extensive encryption algorithms allowing
them to bump up a browser’s encryption capabilities. This is particularly
critical for international businesses, as browsers capable of 128-bit encryption
were, for many years, prohibited from being sold internationally. Hence there
are many more 40-bit-limited browsers still in use by overseas customers than
in the US.
| Certificate | SoVerNet new/renew | Thawte new/renew | Setup |
|---|---|---|---|
| Standard Web Server Certificate | $185/$145 | $199/$159 | $150 |
| SSL 123 | $135/$135 | $149/$149 | $150 |
| Super/SGC | $415/$370 | $449/$399 | $150 |
Contact hostmaster@sover.net for details.
Q: What is a Certificate Authority?
A: A “Certificate Authority” is a trusted third party,
similar to a passport office or a Certified Public Accountant. Certificate
Authorities are responsible for issuing, revoking, renewing, and providing
directories of digital certificates. Certificate Authorities must follow rigorous
procedures for authenticating the individuals and organizations to whom they
issue certificates. All digital certificates are “signed” with
the Certificate Authority’s private key to ensure authenticity. The Certificate
Authority’s Public Key is widely distributed. See Public-key
encryption.
Q: Now that I have a secure certificate I can start taking credit card
orders, correct?
A: Just having a secure certificate doesn’t mean that you are
ready to open up shop on the Internet. There is still much to accomplish behind
the scenes.
- You must determine your need for a shopping cart.
- You must decide how you are going to process the credit card orders.
Q: How do I determine my need for a shopping cart?
A: The main determining factor is your product or product mix. If you
only have one or two products to sell, you may be able to get by without any
type of shopping cart, just a simple order form. With this order form you could
use PGP (Pretty Good Privacy), an encryption program that can be set up
to send you encrypted credit card information via email.
If you have a number of products arranged across a multi-page site, and want
your customer to be able to browse your pages, picking items at will with the
selections stored for check-out at one central screen, it would be a good idea
to have some sort of “shopping cart.” There are many products on
the market that will work on our servers. Basically, you can choose any form
of shopping cart software you like, as long as it will work within our guidelines.
- It must work on the BSDi (a version of UNIX) platform.
- It must run with one of the scripting languages that we have chosen to
run on our web server: perl 5, PHP4. This will exclude any products that
require any additional languages to be present, such as ASP or Cold Fusion.
We cannot provide direct support for any of these products, nor will we guarantee
that all of these products will work on our system.
You will most likely find it necessary to have a working knowledge of CGI scripting
and should familiarize yourself with our CGI reference page.
Q: What is PGP?
A: PGP, or Pretty Good Privacy®, is a powerful cryptographic software
suite that enables people to securely exchange messages and data with both
privacy and strong authentication. It utilizes a dual-key system: a private key
and a public key. PGP is probably the most widely used email encryption program.
More information may be found at http://cryptography.org/getpgp.htm
PGP encrypts the information between
the customer's email program and the
server. Authentication identifies the
origin of the information, ensures that
it is authentic, and that it has not
been altered.
MIT distributes PGP Freeware without
cost for personal, noncommercial use.
This distribution is done in cooperation
with Philip Zimmermann, the original
author of PGP, Network Associates, Inc.,
and with RSA Data Security, Inc., which
licenses patents and software for one
of the public-key encryption technologies
on which PGP relies.
Q: How would I use PGP?
A: PGP will serve you well
if the number of products you sell
is small, and if you do not wish
to use, or need, all the additional
features of the higher-end storefront
programs. Customers’ orders
will come to you via encrypted e-mail.
You still should get a Secure Certificate
in order to assure your customers
of your authenticity, and you will
need to process credit cards “manually” (as
regular “brick & mortar” businesses
do). In addition to the PGP FormMail
Script (which sends your secure transactions
via e-mail from a form on your website),
you will also need a copy of PGP
on your local machine.
Q: Where can I get it?
A: To obtain a commercial
version of PGP, go to Network
Associates’ PGP site: http://www.pgp.com
Please note that for use on our system you must generate an RSA-Legacy
1024-bit keypair, not a DH/DSS keypair.
Q: How do I process credit cards?
A: You need a “merchant
credit card account” through
a bank. A Merchant Credit Card Account
is a commercial bank account established
to enable a merchant to accept credit
cards from customers. In the case
of online stores, the merchant credit
card account must also work with
a “transaction processing company” such
as CyberCash, probably the
best-known of the online processors.
The key players typically involved in “accepting” a
credit card are: the merchant, the merchant
bank, the credit card company, and the
payment processing company which has
the task of actually “processing” the
credit card transaction data. The bank’s “Merchant
Accounts” department is the place
to go.
Also, some of the transaction
processors can help you obtain
such an account.
Which processor to use depends on
2 factors: you
need a processor that will work with
both your merchant credit card account
and your chosen “storefront” software.
Most storefront software will be able
to use several different transaction
processing companies, so it’s a
matter of matching up with a bank that
uses one of the same.
Note that if you intend to collect and process your credit card orders
manually, as non-ecommerce businesses do, the transaction processor is not
needed—the regular Merchant Credit Card Account alone will suffice.