Support => Email FAQ | Windows Hosting FAQ | Linux Hosting FAQ | Windows Dedicated Server FAQ | Linux Dedicated Server FAQ

I am using SSL for my web site's order form - doesn't that mean the form is secure?

Having a SSL form that accepts credit card numbers, then emails those card numbers somewhere is not very secure. With SSL, the card numbers are encrypted between the customer's browser and the web site's server with 128 bit SSL encryption. However, emails are not usually encrypted - without encryption, it is easy to eavesdrop on email. Also, once the email gets onto a PC, anything can happen (spyware, keystroke loggers, etc.).

If forms to email is required (for example, because the order is later manually entered into a different computer system), it is possible to encrypt email. We recommend GNUPG, but it is not easy to configure. You will likely need somebody to help you using it on the web server and each client PC that recieves the encrypted email.

Instead of encrypting email, a good shopping cart system uses email only for order notifications. To review order details, see credit card numbers, etc., the merchant logs into a SSL secured administration system. For merchants that ship physical goods, the full credit card numbers must be stored in a database (at least temporarily) - US postal regulations require merchants to ship goods before charging credit cars. However, the credit card numbers can be stored encrypted and there should be no way for a customer to see the full card number (even with a successful login or on sales receipts). Current VISA regulations suggest that only the last 4 digits of the card number be show in most circumstances.


If your question isn't answered here, ask our support team directly,
or call 678-268-4065 and choose option 2 for support.