One of the ways Cart66 provides the strongest security of any WordPress ecommerce solution is by providing you with your own hosted payment page. Your hosted payment page will look exactly like the rest of your WordPress site and works with over 100 different payment gateways. In this article we’ll talk about what a hosted payment page is, why it is the most secure, and how it makes PCI compliance as easy as possible. We will also compare Cart66 with other WordPress e-commerce plugins and explain why Cart66 is the most secure and why it matters when you are considering how to process payments for your online store.
What Is A Hosted Payment Page?
A hosted payment page enables you to fully outsource the entire process of collecting credit card payments. All aspects of collecting, transmitting, and processing your customers' credit card payments take place on a secure and fully PCI compliant server. The most popular example of a hosted payment page is PayPal. When you use PayPal to accept payments, your customer is transferred to the PayPal website where they enter all of their payment details. After a successful payment the customer might be transferred back to your website. Since the entire payment process is handled by PayPal, you don’t have to worry about any of the security concerns surrounding credit card payments. You may find other payment gateways that offer similar hosted payment pages, but they all have a variety of problems, especially regarding customization and branding.
Why A Hosted Payment Page Is The Most Secure
Over the past few years people have been trying to solve the problem of keeping credit card payments secure on e-commerce websites. WordPress runs more e-commerce websites than any other platform, and these sites are often hosted on very low cost shared servers – not PCI compliant web hosting environments. To keep credit card data safe, several different approaches have been tried for collecting credit card data and transmitting it to the payment gateway without the credit card data touching the insecure shared servers hosting the WordPress site.
If you work with WordPress long enough you will see that WordPress sites get hacked all the time. This happens for a wide variety of reasons, and it is almost never because the core WordPress code has vulnerabilities. Some of the top reasons WordPress sites get hacked are:
- Not installing WordPress updates
- Using default usernames
- Weak passwords
- Insecure / old software running on the server hosting your website
- WordPress plugins or themes with security vulnerabilities
- Not blocking malicious traffic with plugins like iThemes Security Plugin or services like Sucuri
When using any form of security other than a hosted payment page, if your WordPress site gets hacked, your customers' credit card data can be exposed.
To avoid passing credit card data through inexpensive shared web hosting servers, some people suggested just posting the credit card data straight from the customer’s browser directly to the payment gateway – without passing through your web server at all. To do this, the action attribute of the form tag for the payment would submit the data directly to the payment gateway.
What’s Wrong With iFrames?
A Hosted Payment Page Is The Most Secure
The most secure way to collect and transmit credit card information is to let someone else handle the entire process for you. That way, even if your website gets hacked, your customers' payments remain secure.
How Cart66 Makes Your Hosted Payment Page Awesome
Traditionally there are a few problems with hosted payment pages.
- They look nothing like your website and might confuse your customers
- You lose all your design and branding
- The domain name changes and looks nothing like your domain name
- Customization is very limited and cumbersome
- They only work with one payment gateway
Pick from over 100 gateways
Cart66 solves all of these problems. First, Cart66 supports over 100 different payment gateways and your hosted payment page will work with any gateway you choose.
Customize your domain name
Second, you get to pick your own custom subdomain for your hosted payment page. Yes, the domain name will change because in order to get an SSL certificate we (Cart66) have to verify that we are the authentic owners of the domain name. We can’t get an SSL certificate for your domain name because we don’t own your domain name. But you can pick your own subdomain. So your hosted payment page can be located at https://<your-company-name>.cart66.com. So when your customer hits your secure hosted payment page, they will still see your company name in the URL.
Looks EXACTLY like the rest of your WordPress site
Third, with a single click, Cart66 will skin your hosted payment page with your WordPress theme. So your hosted payment page will look exactly like the rest of your WordPress site because it uses the exact same theme. All your navigation still works, linking back to your WordPress site. It is just like another page on your site. Keep all of your design and branding in place.
What Are Self Assessment Questionnaires?
When you apply for your payment gateway account you will probably have to complete a form called a Self-Assessment Questionnaire (SAQ). Which questionnaire you have to complete depends on how you are processing credit card payments. There are two different questionnaires you might be given based on which of the above approaches you take for processing credit card payments.
The SAQ you really want to be able to use is named SAQ A. After you get through the instructions and so forth, it comes down to about 1 page with 13 questions to answer. The overall purpose of these questions is to verify that you have a secure, PCI compliant service handling all aspects of your credit card payment process. This includes storing, processing, collecting, and transmitting credit card data.
You only qualify for the SAQ A if you can confirm the following quote taken from the “Before You Begin” section of the SAQ A for e-commerce channels.
“All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s).”
That means your website can’t be responsible for generating ANY of the code that affects the security of the payment processing. For example, if you host your own payment form, then your website is responsible for collecting and transmitting the credit card information. Even if the credit card data isn’t hitting your server, your server is still involved in the process because it generates the code that is responsible for collecting and sending the credit card data.
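The quoted origin condition can be checked mechanically against a checkout page's HTML; the Python below is an added example, not Cart66's own code, that records which host every form, script, stylesheet, iframe and image comes from and reports those not served by the validated provider. The two sample pages and all hostnames are constructed placeholders, and the direct-post page described earlier fails the check even though its form posts straight to the gateway.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element types that fetch from or post to a URL, and the attribute carrying that URL.
ORIGIN_ATTRS = {"form": "action", "script": "src", "iframe": "src", "link": "href", "img": "src"}

class _OriginCollector(HTMLParser):
    """Records (tag, host) for every element that loads from or submits to an origin."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.found = page_host, []

    def handle_starttag(self, tag, attrs):
        attr = ORIGIN_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        # Inline scripts and relative URLs originate from the host that served the page.
        host = urlsplit(url).hostname if url else None
        self.found.append((tag, (host or self.page_host).lower()))

def page_element_origins(html, page_host):
    """Return {host: [tags]} for every origin contributing elements to the page."""
    collector = _OriginCollector(page_host)
    collector.feed(html)
    origins = {}
    for tag, host in collector.found:
        origins.setdefault(host, []).append(tag)
    return origins

def violates_saq_a_origin_rule(html, page_host, provider_hosts):
    """(host, tag) pairs not served by a validated provider; empty means the page meets
    the SAQ A origin condition, anything else means the merchant server builds part of it."""
    allowed = {h.lower() for h in provider_hosts}
    return [(host, tag) for host, tags in page_element_origins(html, page_host).items()
            for tag in tags if host not in allowed]

# Constructed sample 1: "direct post" checkout served by the merchant's own WordPress site.
# The form posts straight to the gateway, but the stylesheet and script still come from the
# merchant server, so a compromised site could change what the customer's browser runs.
DIRECT_POST_PAGE = """<html><head><link rel="stylesheet" href="/wp-content/themes/shop/style.css">
</head><body><form action="https://gateway.example/charge" method="post"><input name="card_number">
<input name="cvv"></form><script src="/wp-content/plugins/checkout/validate.js"></script></body></html>"""

# Constructed sample 2: the same form delivered entirely from a provider-hosted page.
HOSTED_PAGE = """<html><head><link rel="stylesheet" href="https://shop.provider.example/theme.css">
</head><body><form action="https://shop.provider.example/charge" method="post"><input name="card_number">
<input name="cvv"></form><script src="https://shop.provider.example/validate.js"></script></body></html>"""
```

A clean result is only a first screen for the origin condition, not a substitute for completing the questionnaire itself.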
You really want to avoid the SAQ A-EP because it is almost 50 pages long with over 130 requirements. In addition to log monitoring, firewalls, and vulnerability scanning, another requirement is that you have to disable all insecure network connections. This includes FTP. If you can FTP into your server, you can’t pass the SAQ A-EP. Another requirement is to keep your server’s software up to date. Almost all web hosts run outdated versions of PHP. I work with support tickets and see PHP 5.2 still running on a lot of servers. PHP 5.2 reached its end of life over 5 years ago. That means it’s been over 5 years since any security patches have been released and that version of PHP is no longer supported at all. Unless you spend a great deal of money on your web hosting environment you will not be able to comply with all of the requirements in SAQ A-EP.
Bottom line: The only guaranteed way to qualify for the SAQ A is to use a hosted payment page.
We’ve covered a ton of information here. So let’s wrap it up with the main points:
- A hosted payment page handles all aspects of credit card payment processing for you
- WordPress sites get hacked all the time and you don’t want to put your customers' credit card data at risk if your site gets hacked
- A hosted payment page is the most secure way to process payments
- You only have to answer the 13 questions in SAQ A (not the 130 questions in the SAQ A-EP) when using a hosted payment page
- Cart66 solves all of the traditional problems with hosted payment pages by skinning your secure hosted payment page with your WordPress theme so your one secure hosted payment page looks EXACTLY like the rest of your WordPress site.