HTTPS and Magento Checkouts: how many companies are going broke from misconfiguration

We are pretty strict on security here at Mebsites Magento Development and webhosting. While we are a little over the top in some cases, there are minimum standards we should all be sticking to for eCommerce websites. The industry standard when gathering client information, sensitive client information, payment gateways and checkouts is PCI compliance. PCI compliance is a set of standards that web service providers must adhere to, at a minimum, to keep users' data safe.

If you are hosting a gateway yourself, you will often need to be compliant just to host the gateway. However, I have noticed many instances where this is not the case. This means the website is exposing its users to potential hackers and exposing the business itself legally, not to mention the fallout from bad press if it makes the media or social media rounds, as with the recent Ashley Madison security breach.

Most common misconfigurations with Magento checkout

  • Incorrectly installed SSL certificate or no SSL certificate.
    By far this is the most common mistake I see. Some of the most common errors are:

    • SSL is installed correctly but HTTPS is not activated in System->Configuration->Web. This means you have the SSL certificate installed but get none of the benefits: user traffic can still be sniffed and payment gateways may fail.
    • SSL is issued under the wrong domain name. I have seen this as bad as a certificate for a domain not even associated with the website, but the more common case is a single-domain SSL certificate issued for www.yourdomain.com when the website runs on the preferred yourdomain.com. Yes, the www. part does count for something. To fix these issues the SSL certificate should be re-issued rather than the domain changed.
    • Checkout is loading insecure items. To get the little green padlock in your browser's address bar you need every part of the page loading under HTTPS (encryption). Having items loading insecurely breaks the security of the whole web page. Sometimes the whole site is too complex to be worth fixing to work under HTTPS; however, the checkout is the one exception. One thing I have noticed is that many of the free one-page checkout extensions don't load under HTTPS without breaking. Fixing this really requires a halfway experienced web developer, as it means going through the code framework and making sure everything is loading under HTTPS.

    Note: updates can often re-break your HTTPS, so always check, don't assume.

  • Self-signed SSL certificate or budget certificate.
    Often the problem here is that not all users' browsers will accept the certificate as trusted. Therefore users are flashed a very scary-looking message that at a glance looks like they are about to load some virus-ridden cesspool of internet computer-killing death. If you have this and your cart abandonment is through the roof, 99% of the time this is the issue. A correctly configured EV SSL certificate is the best-accepted type of certificate, and self-signed is the least accepted. Pay the 20 or 50 dollars and get at least a 90%+ accepted certificate.

  • Checkout gateway is not configured for the domain and/or certificate.
    Not all, but some gateway providers require the right domain to be listed in their system. This can include whether it is running under HTTPS or not, and with www. or not. Make sure it is working by doing a transaction.
  • The shipping module or API won't run under HTTPS.
    Make sure you check that all your shipping calculations are working, especially if they use Ajax or a SOAP API.
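As an added check, not code from the original post, the script below covers two of the faults above: a certificate that does not name the exact host (www.yourdomain.com versus yourdomain.com) and checkout pages that still pull resources over plain http. The sample HTML and the host names in it are constructed, and `check_live_host` is an assumed helper that runs the same checks against a real server.

```python
import socket
import ssl
from html.parser import HTMLParser

# Constructed sample of a checkout page with two resources still loaded over plain http (not a real site).
SAMPLE_CHECKOUT_HTML = """<html><head>
<link rel="stylesheet" href="https://shop.example.com/skin/css/styles.css">
<script src="http://shop.example.com/js/onepage-checkout.js"></script>
</head><body>
<img src="https://cdn.example.com/logo.png">
<img src="http://cdn.example.com/secure-badge.png">
<form action="https://shop.example.com/checkout/onepage/saveOrder/"></form>
</body></html>"""

class MixedContentScanner(HTMLParser):
    """Collect src/href/action values that still point at plain http:// URLs."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value and value.lower().startswith("http://"):
                self.insecure.append((tag, value))

def find_insecure_resources(html):
    """Return [(tag, url), ...] for every resource that would break the padlock."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.insecure

def cert_covers_host(cert, hostname):
    """True if the cert's SAN list (CN as fallback) names the host exactly or via a one-label wildcard."""
    host = hostname.lower()
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    # www.example.com and example.com are different names; neither implies the other
    return any(n == host or (n.startswith("*.") and host.split(".", 1)[1:] == [n[2:]]) for n in names)

def check_live_host(hostname, port=443):
    """Assumed helper: connect with the system CA store (a self-signed or untrusted cert raises here)
    and return (cert_matches_hostname, insecure_resources_on_front_page)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # keep CERT_REQUIRED but report the name mismatch ourselves
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            tls.sendall(f"GET / HTTP/1.0\r\nHost: {hostname}\r\n\r\n".encode())
            body = b"".join(iter(lambda: tls.recv(65536), b"")).decode("utf-8", "replace")
    return cert_covers_host(cert, hostname), find_insecure_resources(body)
```

Run `find_insecure_resources` over the saved HTML of your checkout step rather than the front page, since that is the page that must be clean.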

I hope that gives you all something to check and improve on. If you need help just give us a call or email at mebsites.com.