Is it possible to be properly compliant with credit card payments on subsites?

I have been looking into credit card payments in MarketPress and it seems that to use services like Stripe you need to have a proper SSL.

This becomes an issue because the only way I have found it possible to get SSL working properly with subsites and mapped domains is by using Cloudflare's Flexible SSL.

The problem with this is that the data is only encrypted between the user and Cloudflare. Between Cloudflare and WordPress multisite it is in clear text.

This is fine for usual traffic, but when a subsite wants to use a service like Stripe in their MarketPress, will they be in violation of Stripe's terms? Stripe specifies that you must have an SSL on the page that collects their info that transfers to their system to collect credit card data. I am fairly sure that the Cloudflare Flexible SSL will not be compliant with this requirement. This could lead to possible legal liabilities if a client loses their credit card processing capabilities or data is compromised.

Is there any way to set up a WordPress multisite subdomain installation so that I can provide the subsite a proper SSL?

I have cPanel for my hosting at the moment. I can buy a wildcard SSL for "*.mydomain.com" but the problem then comes when a subsite maps their domain. There is no way for me to add a new SSL inside cPanel just for this subdomain.

Has anyone worked out how to do this?

I think this might be a ticking time bomb as I have seen several people mention they have the same Cloudflare Flexible SSL setup as me. If any of them offer MarketPress to subsites or use Stripe for blog payments then they could already be breaking the terms of service for Stripe payments.

    • Mike
      • The Bug Hunter

      Hi @Milan,

      I have already read that and it does not cover domain mapping in any detail. I found it strange that an article on using the domain mapping plugin doesn't actually cover how to do it when a customer maps a domain.

      In that article it suggests using a wildcard SSL. If you refer to my OP you can see I have mentioned this.

      This only covers my domain. When a customer wants to map their domain, how do I issue a certificate for their domain?

      This question is actually posed in the comments of that article but there are no specific instructions there I can use, as it just says another SSL has to be issued, not how to actually manage that with the hosting.

      Any ideas on this?

  • Milan
    • WordPress Wizard

    Hello again @mikeymike81,

    Thanks for confirming that you have already read that article :slight_smile:

    I think I will need to communicate about this with our developer of Domain Mapping. I've already pinged him but he is not online so he won't be able to respond to me soon. But as soon as I hear from him I will post back here.

    In the meantime, please stay calm and cooperate with us. I am sure you will. :slight_smile:

    Cheers,
    Milan

  • Mike
    • The Bug Hunter

    Hi Milan,

    I talked with the hosting company and they have just added integration with Let's Encrypt so I can now do this whereas before I couldn't.

    This is what they say will work:

    1. Set the main domain up on a wildcard SSL
    2. Add mapped domains as additional domain names in cPanel
    3. Activate Let's Encrypt for mapped domains

    I'm giving it a go now so will see if it works.
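
Added example (not part of the thread, and not code from the hosting company or the Domain Mapping plugin): a small check for the three steps above that shows which site hostnames a "*.mydomain.com" wildcard actually covers and which ones need their own certificate. The hostnames in `SITES` are constructed placeholders and the function names are hypothetical.

```python
# Added example: hostnames below are constructed placeholders.
import socket
import ssl


def san_covers(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' stands for exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]


def uncovered(sans: list[str], hosts: list[str]) -> list[str]:
    """Hosts that no SAN entry covers, i.e. that need their own certificate."""
    return [h for h in hosts if not any(san_covers(s, h) for s in sans)]


def live_sans(host: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Fetch the DNS SANs a server presents for `host` (needs network).

    The default context validates chain and hostname, so a self-signed or
    mismatched certificate raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


# Constructed inventory: the wildcard from the thread plus sample sites.
WILDCARD_SANS = ["*.mydomain.com", "mydomain.com"]
SITES = [
    "mydomain.com",
    "shop1.mydomain.com",       # subsite on the network domain
    "www.shop1.mydomain.com",   # two labels deep: wildcard does not match
    "customer-store.example",   # mapped customer domain
]

if __name__ == "__main__":
    for host in uncovered(WILDCARD_SANS, SITES):
        print(f"{host}: not covered by the wildcard, needs its own certificate")
```

`live_sans` reports whatever terminates TLS for the name, so for a domain still proxied through Cloudflare it returns the edge certificate rather than the one installed in cPanel.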
