It should be obvious that no matter how large or small your storefront might be, if it operates in an insecure environment, you have a problem. The legal liability aspects differ from country to country, but without a doubt, the bulk of the responsibility lies with you, the site designer, to develop a safe and secure application. For example, any transaction involving personal information, especially credit card information, should be performed over a secure (SSL-encrypted) connection. Similarly, use real-time credit card processing rather than storing card numbers on your own system. Once you store them you become responsible for encrypting them, restricting who and what can read them, and protecting every backup that contains them, and a single break-in exposes every card you have ever accepted.
Let's take a moment from the development of your shopping system to talk about security. In this environment, you should know all the ins and outs of SSL, or Secure Sockets Layer, before you even think about creating a working storefront.
When using SSL, you specify that you want to connect to a server using SSL by replacing http with https in the protocol component of a URL (the browser then connects to port 443 instead of port 80). What happens from that point on is a handshake: the browser checks the server's certificate, the two sides agree on encryption keys, and every request and response that follows is encrypted. Note that this happens per request, so a checkout page must refuse to accept card details unless the request actually arrived over https; a form that a user reached through a plain http URL offers no protection at all.
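The check just described, as an added example that is not part of the original text: a checkout page that refuses to run unless the request came in over SSL. It relies only on the standard $_SERVER variables that Apache and PHP populate; the canonical host name is an assumption you would replace with your own, and the session cookie call assumes PHP 7.3 or later.

```php
<?php
// Added example: never serve or accept a checkout form over plain HTTP.

// Assumption: the host your certificate was issued for. Redirecting to
// $_SERVER['HTTP_HOST'] instead would let a client supply any host it likes.
const CANONICAL_HOST = 'shop.example.com';

function request_is_https(array $server): bool
{
    // Apache with mod_ssl sets HTTPS to a non-empty value ("on"); some servers
    // set it to the literal string "off" on plain connections, so check for that.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // A request that arrived on port 443 also came in over SSL.
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

function require_https(array $server): void
{
    if (request_is_https($server)) {
        return;
    }
    // Only redirect GET requests. A POST that reached us over plain HTTP has
    // already crossed the network in clear text, so refuse it rather than
    // quietly resending the card details.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
        http_response_code(403);
        exit('This form must be submitted over a secure (https) connection.');
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
    exit;
}

require_https($_SERVER);

// From here on the page is known to be served over SSL, so it is safe to ask
// for card details. Mark the session cookie secure and HTTP-only so the browser
// never sends it over plain HTTP (where an eavesdropper could hijack the session)
// and scripts cannot read it.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

echo "Secure checkout for session ", htmlspecialchars(session_id()), "\n";
```

The 403 on non-GET requests is deliberate: redirecting a POST with a 301 makes most browsers retry it as a GET and drop the body, and a 307 would resend card data that has already leaked once.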
Encryption is the process of converting a plain text message into an unreadable form, the ciphertext, from which only someone holding the right key can recover the original. If sender and recipient share one secret key, the scheme is symmetric; if each party has a pair of different, complementary keys (a public key that anyone may use to encrypt and a private key that only its owner holds and uses to decrypt), the scheme is asymmetric or public key cryptography. Public key operations are slow, so SSL uses them only in the initial handshake, where the browser and server establish a fresh, random symmetric session key that an eavesdropper, or anyone else without the server's private key, cannot learn. That session key is then used with a fast symmetric cipher to encrypt the rest of the communication.
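The key exchange idea behind that handshake, as an added example that is not part of the original text, written with PHP's OpenSSL extension (php -m must list "openssl", and AES-GCM needs PHP 7.1 or later). The server's RSA key pair stands in for the key behind its certificate. This is a simplification: real SSL adds certificate checks, nonces and a MAC over the whole handshake, and modern TLS agrees on the session key with ephemeral Diffie-Hellman instead of encrypting it under the server's RSA key, so that a stolen server key cannot decrypt recorded traffic.

```php
<?php
// Added example: public key cryptography establishes a symmetric session key,
// then the symmetric key encrypts the traffic.

// --- Server: long-term key pair (in real life generated once and certified by a CA).
$serverKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$serverPublicPem = openssl_pkey_get_details($serverKey)['key'];

// --- Client: the browser sees only the public key (carried in the certificate),
// picks a fresh random session key and sends it encrypted under that public key.
$sessionKey = random_bytes(32); // 256-bit AES key, known only to the client so far
openssl_public_encrypt($sessionKey, $encryptedKey, $serverPublicPem, OPENSSL_PKCS1_OAEP_PADDING);

// --- Server: only the holder of the private key can recover the session key.
openssl_private_decrypt($encryptedKey, $recoveredKey, $serverKey, OPENSSL_PKCS1_OAEP_PADDING);
assert(hash_equals($sessionKey, $recoveredKey));

// --- Both sides now use the fast symmetric cipher for the actual traffic.
// AES-GCM also produces an authentication tag, so tampering is detected on decrypt.
function session_encrypt(string $key, string $plaintext): array
{
    $iv = random_bytes(12); // GCM nonce: must never repeat under the same key
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return ['iv' => $iv, 'ct' => $ciphertext, 'tag' => $tag];
}

function session_decrypt(string $key, array $msg): string
{
    $plain = openssl_decrypt($msg['ct'], 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $msg['iv'], $msg['tag']);
    if ($plain === false) {
        throw new RuntimeException('record failed authentication: wrong key or tampered data');
    }
    return $plain;
}

// Constructed sample form data (a standard Visa test number, not a real card).
$record = session_encrypt($sessionKey, 'ACCT=4111111111111111&EXPDATE=0112&AMT=19.95');
echo session_decrypt($recoveredKey, $record), "\n";

// Flip one bit of the ciphertext: the GCM tag check rejects it instead of
// silently returning garbage, which a plain CBC mode would not do.
$record['ct'][0] = chr(ord($record['ct'][0]) ^ 0x01);
try {
    session_decrypt($recoveredKey, $record);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The OAEP padding flag matters: the older PKCS#1 v1.5 padding that SSL itself used for this step is what the Bleichenbacher padding-oracle attacks target, and the server's reaction to a badly padded key must never leak to the client.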
SSL uses digital certificates to authenticate the server to the browser (and, optionally, the browser to the server, although client certificates are rarely used in a storefront). A certificate binds the server's public key to its host name and is signed by a trusted third party, a certificate authority (CA), which vouches that the information is correct. The browser verifies that signature against the CAs it trusts and checks that the name in the certificate matches the host it connected to, warning the user if either check fails. Examples of such third party authorities are Thawte (http://www.thawte.com/) and Verisign (http://www.verisign.com/).
Enabling SSL on the server side does entail some modifications to your server setup that are not covered in this book. For instance, to enable SSL support in Apache, you must compile the mod_ssl Apache module in addition to installing the OpenSSL libraries. You can find more information about these items at http://www.modssl.org/ and http://www.openssl.org/, respectively.
To enable SSL on other Web servers, consult your server documentation. But remember, enabling SSL is only one piece of the puzzle: you need that SSL certificate! In practice that means generating a key pair and a certificate signing request on the server, sending the request to a CA, and installing the signed certificate it returns, while keeping the private key readable only by the server process.
As this chapter deals with the fundamental aspects of building an online shopping system, the "How do I get paid?" portion is obviously important. Several payment methods exist with which users can pay for the purchases in their shopping cart, and the "right" method for you will depend on how your business is structured. For example, merchant credit card accounts through banking institutions often require you to have a business license, a reseller's permit, and other documentation proving you're a legitimate business. If you're simply a person who has a few items to sell, you may not want to go through all of that paperwork. In that case, you still have options, such as using a third-party service like PayPal to complete monetary transactions.
But for the most part, a legitimate business performing online commerce-based transactions will be doing so with merchant credit card accounts. If you have obtained a merchant account through your bank, you can use real-time payment services such as Verisign's Payflow Pro. PHP has a built-in set of functions (the pfpro_* functions) that, when used with the Payflow Pro client libraries from Verisign, allows you to create a simple script that hands a card transaction to the gateway and receives an approval or decline in return, so the card number never has to be stored on your server. You can learn more about Payflow Pro at the Verisign Web site, at http://www.verisign.com/products/payflow/pro/index.html. The PHP manual section for the Payflow Pro functions is at http://www.php.net/manual/en/ref.pfpro.php. (Note that this extension was removed from PHP in version 5.1; newer PHP versions talk to payment gateways over HTTPS with the cURL or stream functions instead.)
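A sale through the gateway with the pfpro functions, as an added example that is not from the book. The parameter names (USER, PWD, PARTNER, VENDOR, TRXTYPE, TENDER, ACCT, EXPDATE, AMT) and result fields (RESULT, RESPMSG, PNREF, AUTHCODE) are those of the Payflow Pro protocol; the account credentials and the gateway host and port are placeholders you must replace with the values from your own Payflow account. Because the pfpro extension only exists in PHP 4 and PHP 5.0 builds compiled with --with-pfpro, the code is written in PHP 4 syntax.

```php
<?php
// Added example: charge a card in real time and keep only what you need
// afterwards, never the card number itself.

function charge_card($cardNumber, $expiry, $amount, $orderId)
{
    // Strip spaces and dashes; the number must never be logged or stored.
    $acct = preg_replace('/\D/', '', $cardNumber);

    $params = array(
        'USER'     => 'your_payflow_user',      // assumption: your Payflow login
        'PWD'      => 'your_payflow_password',  // assumption: your Payflow password
        'PARTNER'  => 'VeriSign',               // assumption: the partner your account was issued under
        'VENDOR'   => 'your_payflow_user',
        'TRXTYPE'  => 'S',        // S = sale (authorize and capture in one step)
        'TENDER'   => 'C',        // C = credit card
        'ACCT'     => $acct,
        'EXPDATE'  => $expiry,    // MMYY
        'AMT'      => $amount,    // pass as a string such as "19.95" to avoid float rounding
        'COMMENT1' => $orderId    // shows up in Payflow reports for reconciliation
    );

    pfpro_init();
    // Assumption: host name and port of the Payflow test gateway; 30-second timeout.
    $response = pfpro_process($params, 'test-payflow.verisign.com', 443, 30);
    pfpro_cleanup();

    // RESULT 0 means approved; any other value is a decline or an error,
    // and RESPMSG is the human-readable reason.
    $approved = isset($response['RESULT']) && (int) $response['RESULT'] === 0;

    // Keep only the gateway reference (needed for refunds and disputes)
    // and the last four digits for the customer's receipt.
    return array(
        'approved'  => $approved,
        'pnref'     => isset($response['PNREF']) ? $response['PNREF'] : null,
        'authcode'  => isset($response['AUTHCODE']) ? $response['AUTHCODE'] : null,
        'message'   => isset($response['RESPMSG']) ? $response['RESPMSG'] : 'no response from gateway',
        'last_four' => substr($acct, -4)
    );
}

// Constructed usage: values come from the (https-only) checkout form.
$result = charge_card($_POST['card_number'], $_POST['expiry'], '19.95', 'ORDER-1001');
if ($result['approved']) {
    // Record $result['pnref'] and $result['last_four'] with the order; nothing else.
    echo 'Approved, reference ' . htmlspecialchars($result['pnref']);
} else {
    echo 'Declined: ' . htmlspecialchars($result['message']);
}
```

Unset or overwrite the raw card number as soon as the call returns, and make sure neither your own error handler nor the Web server's access log ever prints $_POST or the $params array.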