In a related post I discussed the process of setting up your own e-commerce site using the WooCommerce plugin for WordPress. This post is an update and discusses options for secure checkout and payment processing for self-hosted online stores.
Securing WooCommerce with HTTPS/SSL
When hosting your e-commerce site or online store, you will need to choose a provider for payment processing. This article outlines the mechanics of how that works and your options when choosing a payment processing service. In general, if you will be handling confidential user data, you will want to secure your site with HTTPS over SSL. If you have a custom domain (chances are you do if you are doing e-commerce), SSL will have added costs. These include the cost of a dedicated IP address as well as a private SSL certificate. You can buy a dedicated IP from Bluehost for $5.99/month and a certificate from NameCheap for as little as $9/year. While these fees seem nominal, they do add up, especially if you are a small shop with limited sales. There are many resources on how to set up a WordPress site for SSL and here is another.
Enabling SSL without an SSL Certificate: You can use Cloudflare Flexible SSL to give users the impression that your site is fully secure without requiring an SSL certificate on your site. Though not recommended, this article lists steps for enabling the Stripe Payment Gateway without the need for certificates. This approach is more of a hack and not true security: the browser's connection to Cloudflare is encrypted, but traffic between Cloudflare and your server still travels over plain HTTP. If you will be storing or accessing sensitive data on your site, it is highly recommended to use Full SSL, which requires an SSL certificate.
Offsite Payment Services
But there is an alternative to setting up SSL on your own site. You can use a Hosted Payment Page (HPP) service to handle security and payment compliance (PCI-DSS) issues. In this case, a customer purchasing from your website is directed to the HPP at checkout. Because the HPP is hosted on a secure server, the payment processing is secure. PayPal is one well-known example, but there are many others.
PayPal Standard, an offsite payment service provided by PayPal, is included in WooCommerce. Payments are processed on the PayPal page (HPP) and not directly on your site, thus allowing customers to buy on your site and pay safely and securely using a PayPal balance or credit cards. Credit card payments without a PayPal account are supported, but paying by credit card also involves a signup process to create a PayPal account. This may be a deterrent for prospective buyers who want guest checkout instead of a forced sign-up for another account. Though secure, offsite payment processing can be viewed as a negative because it makes the user experience less than seamless, although most HPPs include a feature to redirect the customer back to your website upon completed payment. Furthermore, there are usually limited customizations available for the payment processing page. This makes it somewhat obvious that another site (not yours) is performing the payment processing. But this can also be viewed as a positive, since PayPal is a known and trusted payment service, which can add to buyer confidence.
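As an added example (not from the original post, WooCommerce or PayPal), this Python check audits the hand-off described above: every form on a checkout page should submit over HTTPS, either back to the shop or to an expected hosted payment page. The allow-listed hosts, the `shop.example` domain, the function names and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: hosts this shop treats as its hosted payment page (live and sandbox).
ALLOWED_PAYMENT_HOSTS = {"www.paypal.com", "www.sandbox.paypal.com"}


class _FormCollector(HTMLParser):
    """Collects the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_checkout_forms(page_url, html, shop_host):
    """Return a list of (form_target, problem) for unsafe checkout hand-offs."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for action in collector.actions:
        # Empty or relative actions resolve against the page, so they inherit its scheme.
        target = urljoin(page_url, action)
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((target, "form submits over plain HTTP"))
        elif host != shop_host and host not in ALLOWED_PAYMENT_HOSTS:
            # Exact host match: a lookalike that merely starts with an allowed name fails.
            findings.append((target, "form posts to an unexpected host"))
    return findings


# Constructed sample page, not taken from a real shop.
SAMPLE_HTML = """
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post"></form>
<form action="/checkout/" method="post"></form>
<form action="https://www.paypal.com.pay-secure.example/cgi-bin/webscr"></form>
"""

if __name__ == "__main__":
    for target, problem in audit_checkout_forms(
            "http://shop.example/checkout/", SAMPLE_HTML, "shop.example"):
        print(f"{problem}: {target}")
```

Served over plain HTTP, the constructed page yields two findings: the relative form that inherits the page's scheme, and the lookalike payment host.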
WooCommerce PayPal Configuration
With WooCommerce it is straightforward to configure PayPal payments by following these instructions. Prior to going live, you can test your configuration by following these instructions to create a PayPal Sandbox. When creating the test PayPal accounts, you can use a disposable email address service such as YOPMail to generate test email accounts.
Here is a screenshot of my PayPal sandbox.
Here is a screenshot of a test purchase from my site with a button to connect to PayPal.
Here is a screenshot that connects to PayPal for the secure checkout. Notice the use of HTTPS in the URL.
Here is a screenshot of the completed payment. Notice the provided link to return the customer back to your site.
Setting up secure checkout is a must for e-commerce. Ideally this is accomplished by using HTTPS with SSL, which can also increase the conversion rate of customers purchasing from your site. The associated costs and extra complexity in setting up SSL may not be worthwhile for small shops. In this case, offsite payment services like PayPal are an option and are easily configured in WooCommerce.