Establishing SSL for Membership credit card transactions

Hello - experimenting with the Membership plugin, and have an authorize.net gateway. I know how to purchase an SSL certificate for my site, but don't understand how to implement it for the Membership plugin's particular registration/purchase pages. I understand the communications between the backend and authorize.net AIM are encrypted, but obviously need to encrypt the user-to-server session for PCI compliance. Do you have any guidance on how to do that for the membership plugins particular implementation?

FYI, I am running WPMU 3.31, BP 1.54 and the membership site is a subdomain.

Thanks!

  • Kimberly

    kbrady,

    Welcome to WPMU forums :slight_smile:

    I found a thread that has some great information about this and I'm including a link.

    Looks like the plugin requires and SSL to use the authorize.net gateway, but the majority of the compliance is on your hosting and company policies, as the plugin itself does not store or take any CC info, it's all done through the gateway.

    https://premium.wpmudev.org/forums/topic/pci-dss-compliance-for-marketpress#post-104713

    Please come back and comment here if the link above doesn't provide the clarification you need. Just be sure to check "not-resolved" or we might miss it!

    Best,

    Kimberly

  • aecnu

    Greetings kbrady,

    Thank you for being a WPMU Dev member!

    I know how to purchase an SSL certificate for my site, but don't understand how to implement it for the Membership plugin's particular registration/purchase pages.

    When using the authorize.net gateway, when it is time to make the purchase and actually integrate with authorize.net - it should go right into https:// secure encrypted mode activating the encrypted facilities provided by the SSL certificate.

    FYI, I am running WPMU 3.31, BP 1.54 and the membership site is a subdomain.

    I guess since you do know about buying SSL certificates and running this on a sub domain, that I do not need to inform you that you will need to buy a special sub domain certificate commonly known as a wild card certificate for this to work.

    Thanks again for being a WPMU Dev member!

    Cheers, Joe :slight_smile:

  • kbrady

    Joe - thanks for the response. I think my mentioning the gateway may have confused the issue. My purpose was to clarify that I was NOT using paypal in a way where Paypal offers up a secure page to enter the credit card info and complete the order.

    The authorize.net gateway does not come into play until after the user's credit card information is collected and accessible via the functionality of your membership plugin. The plugin (I think I am saying this right) generates some pages and performs some server-side work that the developer wrote into it.

    What I'd like to know if how to use a 3rd party SSL cert that I will buy and use it to secure the pages that offered to the prospective member whereby they enter their credit card info. That page, in the browser, must be encrypted. Note we have not yet submitted the order to the gateway. Step 1 is to collect the info (securely) from the user. Only after that is done does it go to the gateway and that is already secured on the back end by your developers code,

    Since EVERY user of the Membership plugin who uses a gateway MUST encrypt the Wordpress page(s) that collects the credit card info, it would seem that this question would be common, and comes up frequently from people who license Membership (and Marketpress for that matter).

    Let me give you an example of the problem. ON a test site I have set up, the registration page URL is:
    http://premium.testwebsite.net/registration-page

    The page is not secure; when clicking on the button to register, the page content changes but the url doesn't. At this point the user would enter credit card info. Just because I install a wildcard SSL cert on the server doesn't mean that this particular page is going to "know" to pop up as a HTTPS page. And I certainly don't want ALL pages on the site to use SSL. Only the necessary pages, generated or managed by the Membership plugin. This is what I am trying to figure out how to achieve; otherwise, the Membership plugin usage would violate federal law and the merchant services agreement.

  • kbrady

    Kimberly - I have to disagree with the conclusion being made in the link you referenced at:

    https://premium.wpmudev.org/forums/topic/pci-dss-compliance-for-marketpress#post-104713

    They are bluring the line between back-end security with front-end security. Yes, the connection between the authorize.net AIM web service and your plugin is PCI compliant and encrypted (that's the only way authorize.net will talk to anything on the outside world). But that has no bearing on whether the website is PCI compliant. That still requires a SSL cert on the server, and HTTPS ssl-encrpyted pages being offered to the user. That does not happen simply by installing Marketpress or Membership.

    Now, I am not saying there is any problem with Marketpress or Membership; rather there simply isn't enough documentation provided by WPMUDEV to explain how to correctly, legally implement these plugins are required by all merchant services providers. I realize the SSL cert goes on "my" server, and I have to do something in the Wordpress environment to get it to be used at the right time, but I have not found guidance on that anywhere and can't use either plugin without figuring this out.

    Thanks,
    Kelly

  • theaj42

    Howdy!

    I'd like to have more guidance on this topic from wpmudev staff, too. With the monitization focus of many of the plugins wpmudev has made, I think this is an important process to have well-documented.

    Here's my attempt at implementing SSL:
    I installed a third-party SSL certificate on my server, and it's working fine, but I'm getting the "this page includes other resources which are not secure" error. According to what I've seen (especially at http://ithemes.com/codex/page/Fix_Non-SSL_Elements_on_SSL_Page), that's happening because things I've uploaded via WordPress -- especially images, and maybe plugins -- are being served up with an absolute URL beginning with "http://..."

    The suggested fix for this issue is to serve the entire site as a secure (encrypted; https://...) site, and I'm not opposed to that. Unfortunately, when I went to change the address of my site, it's grayed out and can't be changed.

    That kind of leaves me stuck. :disappointed:

  • theaj42

    Howdy!

    I've made some headway on my SSL issue, and want to outline what I've done in case it helps anyone else in the future.

    Keep in mind that I'm running a WordPress network site. The plugins I mention below should work fine for a traditional WP install, but the process for changing your base URL is a little easier.

    I installed the WordPress HTTPS Test plugin (http://wordpress.org/extend/plugins/wordpress-https-test/). This adds a button to every page that lets you test for non-https elements on the page. This will help you track down links with absolute URLs, javascripts, etc., that contribute to the mixed format error I mentioned above.

    Next, I installed WordPress HTTPS (SSL) (http://wordpress.org/extend/plugins/wordpress-https/). As I understand it, this plugin enables you to force SSL on a page-by-page basis, and also helps with URL rewriting on the server side to alleviate the mixed-content errors. I'm not convinced the plugin *actually secures* anything, but it definitely helps with the error message. It'd be great if someone with the applicable technical expertise could weigh in on this.

    Finally, I changed my base URL to https://... via these instructions at the WP Codex: http://codex.wordpress.org/Login_Trouble#Check_Your_URL_Options. That worked well to change the siteurl setting, but I couldn't find a place in the OPTIONS table for "home;" maybe that's not part of a WP network.

    Please keep in mind: This "solution" of mine is totally hacked together, and I'm not at all sure if it's legal, correct, or anything else. I'd still love to get some definitive directions from someone "in the know."

    Hope that helps!

    -aj

  • kbrady

    theaj42 - thanks for posting this info. I too am trying to get a MU site with Membership to work securely, but I think I want to stick with only encrypting the couple pages needed for shopping cart/checkout...I'd be concerned of the load/performance which might really bog down on the server with alot of encryption going on.

    I hate to say it, but I'm starting to think that Wordpress is the wrong platform for eCommerce unless you offload the necessary secure pages to a third party processor like Paypal, or use Fleapay.com with a gateway. However, Fleapay doesn't do recurring sales or digital downloads.

    At this point I have to believe that there must be tens of thousands of Wordpress-based websites selling something that are happily using plugins like Marketpress or Membership, plus a gateway, and are violating PCI and their merchant agreements en masse...

    I am very close to abandoning Wordpress for 1 of the 2 major (but very different) eCommerce sites I am developing; maybe even both.

    Anyway, I am still doing a little research and will post back anything I can find out. Thanks again for posting the detail of your testing!

    Kelly

  • theaj42

    Hi Kelly,

    I should have mentioned that with my "solution," only the pages that have forms on them ("/wp-signup.php" and "/pro-sites/") are being processed as SSL. I ensured that by making a custom menu to replace the template global nav and including absolute links to those pages. That page and directory get served up encrypted, and the rest of the site go via plain text.

    Also, something to consider is that the server load that SSl generates may not be a Problem (notice the capitol "P" :slight_smile: ). Think of it this way: If encrypting every page on your website takes ypur server to 70 or 80 percent load during periods of high traffic, so what? It shouldn't affect response time at all until one of your servers main resources (processor, memory, disk I/O, bandwidth) are completely saturated. Sure, it's not great for the hardware, but if you're buying hosting, that's not your problem.

    For what it's worth, I think WP could be a great platform for e-commerce. It's open source (which from my standpoint means it's been vetted by lots of really smart people with many colors of hats), It's got really good content management and is more-or-less infinitely expandable. I think the problem we're running into here is a lack of in-depth technical support for this integration.

    Speaking of "lack of technical support," Joe did you really try to close this ticket without addressing it? This is a major issue that has potentially far-reaching legal and financial implications for anyone who sells anything using your plugins. I think it's completely inappropriate to laugh this off and call the issue closed, presumably based on my hacked-together solution I offered this afternoon. I strongly feel that it's in wpmudev.org's best interest to address SSL integration with its sales plugins so that we can develop our websites with the confidence that our tools are adequate to the task. I'm going to assume that this is an anomaly in what has otherwise been excellent customer service.

    I'm going to get off my soapbox now. Kelly, if you're interested/willing, I'd like to bend your ear about this SSL integration issue some more. I'm at "aj AT beestbuilt -->.<-- org." You're also more than welcome to take a look at my implementation of SSL from this afternoon: http://www.beestbuilt.com --> "Get a free site."

    All the best!

    -aj

  • theaj42

    Howdy!

    I woke up a little early this morning (couldn't sleep) and figured "What better thing to do at 5 a.m. than figure out how to test my site's SSL implementation for real?"

    So.

    After a little Google-fu, I ended up at the Qualys SSL Labs page (https://www.ssllabs.com/ssldb/index.html). I tried a couple other SSL testers before finding Qualys's, but all they gave me were check marks and semi-mysterious icons. In a word, they weren't geared toward someone looking for an in-depth analysis. The Qualys site on the other hand sent little shivers of both glee and terror down my spine.

    Glee
    The Qualys analyzer provides a wealth of information about exactly what my certificate offers and how it performs. For instance, I have an RSA key with 2048 bits. This, I understand, unlike my vendor's sell page which was filled with marketing garbage (that's what you get with low-bid, but I digress...). I also learned that my certificate supports SSL 3 (and maybe SSL 2) and TLS 1, but not TLS 1.1 or TLS 1.2. I can also see a list of cipher strengths that my certificate supports which is enlightening.

    Terror
    So that list of cipher strengths? Yeah. It includes six ciphers with key lengths under 60 bits. Hell, my password to this website lives at 105 bits, and it's hardly my strongest one. Maybe I'm a little anal, but that makes me uneasy. The Qualys analyzer also informed me that my SSL is vulnerable to two attacks, both of which I can only assume have been included in hackerland scripts since they're included in an analyzer, too. Apparently, my cert chain is in the incorrect order; I assume that's a straight-forward thing to fix, but you never know. The real kick in the shorts, though, comes at the end of the report. The other analyzers I found just gave me a nice row of happy icons and told me that all was well in Wonderland. The Qualys analyzer though, was the party-pooper with these two lines:

    PCI compliant No
    FIPS-ready No

    I can only assume that's because I bought a bargain-basement cert (paying an entire $9 for it). I guess that's a small price to pay for a basic education in SSL certificates, and waaaay better than losing someone's CC info.

    Back to the shopping cart
    While I technically meet the requirements of doing business on the Interwebz (yes, I haz SSL; we is moar protectanated!), I'm not real comfortable exposing people's data (ala "Burn Before Reading" - http://www.youtube.com/watch?v=563QNm_A7WI ) to known threats when I can do something about it. So I'm back to SSL shopping. Do any of you have suggestions for decent (PCI/FIPS compliant, for starters) SSL cert vendors that will leave at least a couple scraggly old dollars in my wallet?

    Thanks!

    -aj

  • aecnu

    Greetings theaj42,

    Thank you for being a WPMU Dev member!

    I have posted on here a few times of our SSL Certificate resource

    Making WordPress/Market Press more secure for PCI compliance using merchant accounts has long been a Pandora's box due to members do not want to fork over the big bucks purchasing a server certificate or wildcard certificate and then go through the hassle of confirming each and every domain that accesses the cert.

    As a matter of fact one member came right out and admitted that they cannot possibly certify every domain on their MultiSite install, there users will not comply or pass muster.

    So there is the paradox.

    Now if a single person wants to incorporate SSL throughout there whole MultiSite install this is certainly possible, but when it comes time to verifying end users for SSL certificates to be included in the wlld card certificate the whole show will fall apart.

    Cheers, Joe :slight_smile:

  • kbrady

    Joe - that fact that many users choose to expose their customers to potential credit card fraud, violate Federal PCI laws, and breach their merchant agreements does nothing to let WPMU off the hook in offering "secureable" eCommerce software. WMPU has some responsibility to paying customers to provide at least some initial guidance for implementing its eCommerce components in the only legal way possible. The presumption should be that customers need and want to follow Federal law, their merchant agreements and protect their shoppers, not the opposite.

    Now, let me shift gears here and report something I have learned and tested that I feel is helpful information I am providing to the WPMU company with regard to this issue.

    Cart66 is a plugin that has solved the very problem we are talking about. I think it is a good product, and can also do membership type subscriptions. However, its security model for the membership content is far less sophisticated than WPMU's membership plugin. But the way they solve the SSL issue is elegant and completely solves this issue....with a single mouse click.

    With Cart66, like any other eCommerce solution, you first buy the appropriate SSL cert and properly install it on your server. Then, in the plugin options there is a simple checkbox for "use SSL". If you click this checkbox, then Cart66 completely handles offering the https version of the shopping cart/checkout pages where the PCI-protected information is being transmitted. Below are two example sites running cart66 and doing the SSL this way. I have corresponded with the developer in Australia and confirmed this is how he has done it, as well as opened a pre-sales ticket with Cart66 support and gotten a confirmation from them that is all that is required. You can go through the checkout process on these sites and see (without having to enter your personal info) that the page where you enter your personal info comes up as https.

    http://www.ceceliasmarketplace.com/
    http://schildestate.com.au

    I assume that the Cart66 license is under GNU 2.0, so WPMU could legally and ethically examine the code to see how they achieve such an easy and complete solution to a requirement that EVERY user of Membership and Marketpress (who uses a processing gateway) is required by law to follow. Then WPMU could either use some of the code and credit Cart66 appropriately or write their own version of the solution. Then, I believe Membership and Marketpress may be the best solutions for their respective purposes.

    Until then, the "value" of my WPMU subscription is impaired by the limited documentation and lack of ability to easily figure out how to properly secure sites that use your two eCommerce plugins, and I am not likely to renew my subscription with WPMU. I am only willing to use and deploy eCommerce plugins that I can properly secure and maintain legal and contractual processing requirements.

    For now, I am going to be using Cart66 instead of Marketpress for a site that sells digital downloads and uses the authorize.net gateway. I am going to use Membership for a buddypress site that is happy to only offer Paypal Standard (Paypal provides the https pages and the URL for the checkout will begin with https://www.paypal.com...etc).

    I hope you and WPMU consider my comments as helpful feedback from a customer and will at least consider what I have said for future product updates. Overall I like WPMU and have good experiences, I'm just disappointed with the potential for these two plugins not being fully realized at this time.

    Kelly

  • theaj42

    Howdy!

    I have one more update to make from my research into this, and then I think this equine carcass shall most likely be sufficiently whipped. This is mostly for the benefit of folks who come across this thread in the future.

    I've spent most of the day checking into what I actually need for PCI compliance on my project. As far as I can tell, using Pro Sites checkout served via SSL to hook up to the Stripe API via the Stripe .js will do the trick. As long as the form is served via SSL on my site, that oughtta do the trick. I think.

    OK, as you were. Over and out.

    -aj

  • Kimberly

    Kelly,

    Your insight is very much appreciated. I'm very new to all of this and find this entire thread very enlightening.

    I'd like to say THANK YOU! to all of you who took the time to contribute to this thread, you are the embodiment of the call to action that WPMU uses to plan it's growth. I hope you don't see fit to abandon us on these terms.

    I do agree that there is a lack of pro-activity to provide guidance, or even explanation, to the topics you are addressing here in relationship to the current plugins. Being a community is important and we are here to meet user needs. If the users leave without letting us MEET those needs that arise then the whole system will fall apart. :slight_smile: You guys are the glue!

    Best,
    Kimberly

  • 16wells

    I know this thread is ancient -- that's why I'm posting. I'm picking this up a year later, doing an implementation of a site with WPMUDEV Membership and authorize.net as the cart.

    There is NO documentation of the process to do post-installation of the wildcard SSL certificate -- I've installed the cert on my server and I'm getting it done -- but there's NOTHING documenting this that I can find.

    I would hope that there would be a help doc attached to marketpress and membership manuals to walk through this.

  • PC

    Hello @16wells

    Thanks for posting on the forums.

    It indeed is a pretty old thread however thanks for posting and letting us know that the part of documentation is required.

    We are currently rewriting the documentation and a few plugins have recently been updated. I have sent a note to our staff @Patrick dealing with the documentation part and will look forward to cover that soon.

    In the meantime, I will really appreciate if you could post any questions you have on the support forums so that we can help you answer them :slight_smile:

    Cheers, PC

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.