August 30th, 2006 by Jamie Estep
Payment Gateways and SSL Certificates (API vs. Simple)
I have been very busy lately, which has resulted in a reduced quantity / quality of posts. The site just got switched to a new server and everything should run much more smoothly now.
I often run into website owners who are confused about the SSL requirements a website must meet to process payments. Specifically, why would an SSL certificate be required if a website is using a payment gateway?
The answer to this is simple. Payment gateways are independent of SSL certificates and do nothing themselves to make a website secure. However, some payment gateways do not use an API (Application Program Interface) method to integrate with a website. An SSL certificate is normally not required if a website is not using an API method and not processing a customer’s credit card on its own site. Instead, the website’s visitor is redirected to a secure checkout page on the domain of the payment gateway. I think this redirection is where the main confusion is created.
Types of payment gateway integration:
Basic Integration – A website visitor browses and adds products to a shopping cart on a website. When they go to pay for their selected merchandise, they are redirected to a secure web page that is hosted with the payment gateway.
API Integration – This is a more advanced and better integration. The website is connected securely to the payment gateway. The visitor shops on the website and makes payment on the same website. This is a completely seamless integration, and the website must be able to provide a secure connection between the user and the website, in addition to a secure connection between the website and the payment gateway.
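The check below is an added example, not part of the original post: it reads a checkout page's HTML, decides which of the two integration types it looks like, and reports where card data would travel without SSL. The hostnames, the field-name heuristic and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: input names containing these strings hold card data.
CARD_HINTS = ("card", "cvv")

class FormScan(HTMLParser):
    """Collect each <form>'s action and whether it has a card-like input."""
    def __init__(self):
        super().__init__()
        self.forms = []      # entries are [action, has_card_field]
        self._open = None    # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            name = (a.get("name") or "").lower()
            if any(h in name for h in CARD_HINTS):
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def classify_checkout(page_url, html):
    """Return (integration, problems) for the checkout page at page_url."""
    scan = FormScan()
    scan.feed(html)
    card_forms = [f for f in scan.forms if f[1]]
    if not card_forms:
        # No card fields on the merchant's page: the gateway hosts payment.
        return "basic", []
    problems = []
    if urlsplit(page_url).scheme != "https":
        problems.append("card form served over plain HTTP")
    for action, _ in card_forms:
        target = urlsplit(urljoin(page_url, action))  # resolve relative actions
        if target.scheme != "https":
            problems.append("card data posted over plain HTTP to " + target.netloc)
    return "api", problems

# Constructed sample pages (not taken from any real site).
BASIC_HTML = '<form action="https://gateway.example/pay"><input name="amount"></form>'
API_HTML = '<form action="/charge"><input name="card_number"><input name="cvv"></form>'
```

A page classified as "api" with an empty problem list is the case the post describes: the card is entered on the merchant's own site, and that site serves and submits the form over SSL.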
Which method is better:
There are benefits to both integration methods, but I think that the API integration method is much better than the simple method. API integration keeps a visitor on the same website that they are shopping with, it allows for easier visitor and order tracking, and is generally a much better practice for usability concerns. If you look at any major ecommerce website out there, you will find that they use the API version of whichever payment gateway they are using.
The simple method is easier to implement, and doesn’t require an SSL certificate. The drawbacks are mainly the loss of control of website visitors when they go to make a purchase, difficulty in tracking user behavior on a website since they leave it before a conversion is completed, lack of control over the payment abilities of a website, and poor website usability.
Many websites start out using a simple method of integration, but will later want the added capabilities of the API version.
I recommend using the authorize.net payment gateway using the AIM API integration method for any business.