Is it compulsory to have https on e-commerce site?

If you don't use HTTPS, but plain HTTP, then:

  • You will get hacked; credit card numbers will be stolen while in transit, and customers will sue you into oblivion.
  • You would be hacked anyway at some point, that's the lot of Web sites. Even if the hacker entered by some other way, post-mortem analysis will show the lack of SSL, and this will look real bad.
  • You will lose customers. Many potential customers won't enter their credit card number, for lack of the reassuring padlock picture; they will instead shop at a competitor's Web site.

So you are not mandated by Law to use HTTPS, but if you do not, your business will fail. Open business competition is quite akin to Darwinian selection: the weak die.


Edit: @XzKto's comment shows that I have not been completely clear: the SSL bit is needed for the actual transaction, when banking values (e.g. credit card numbers) travel over the Internet. That's the one I am talking about. If the site records payment details (so that you can come back and buy again without reentering the credit card number), then the "buy it now" button must also be SSL-protected (to avoid an attacker "clicking" on it in your name). The rest of the site need not necessarily be SSL-protected, although site-wide SSL is still often a good idea (it is much simpler than trying to work out which parts of the site must be protected, and which parts can be left out).


I'll go ahead and say it. Yes, it is compulsory to use SSL with an e-commerce site.

While nobody is really following you with an axe to decapitate you if you don't use SSL, using SSL for sites like e-commerce is crucial. So it is compulsory in the sense that you'll get into a lot of trouble when your customers' accounts are stolen or when somebody starts to manipulate your customers' sessions.

Why should you use SSL with an e-commerce website?

  1. Protect your customers' login information.
  2. Protect your customers' sessions from being hijacked (cookies will be sent in plaintext).
  3. Protect your customers from being taken to a whole different fake website (DNS spoofing).
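The two points above (which pages must be TLS-protected, and cookies travelling in plaintext) can be checked mechanically. The following is an added example, not code from any of the answers: it audits a set of captured HTTP responses and flags sensitive pages served over plain HTTP, HTTPS pages missing HSTS, and session cookies without the Secure flag. The sample responses, the `shop.example` host and the `SENSITIVE_PATHS` list are constructed for illustration.

```python
from dataclasses import dataclass

# Paths the answers single out as needing TLS: login and anything that
# commits a purchase. Hypothetical list for the constructed sample site.
SENSITIVE_PATHS = ("/login", "/checkout", "/account")


@dataclass
class Response:
    url: str
    status: int
    headers: list  # (name, value) pairs; Set-Cookie may repeat


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(responses):
    """Flag responses that let credentials or session cookies cross the
    network in the clear, or that leave HTTPS unenforced."""
    findings = []
    for r in responses:
        scheme, _, rest = r.url.partition("://")
        path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
        hdrs = {k.lower(): v for k, v in r.headers}
        # A plain-HTTP hit is acceptable only if it bounces straight to HTTPS.
        redirected = (300 <= r.status < 400
                      and hdrs.get("location", "").startswith("https://"))
        if scheme == "http" and path.startswith(SENSITIVE_PATHS) and not redirected:
            findings.append((r.url, "sensitive page served over plain HTTP"))
        if scheme == "https" and "strict-transport-security" not in hdrs:
            findings.append((r.url, "HTTPS page without HSTS; downgrade to HTTP stays possible"))
        for k, v in r.headers:
            if k.lower() == "set-cookie":
                name, attrs = parse_set_cookie(v)
                if "secure" not in attrs:
                    findings.append((r.url, f"cookie {name} lacks Secure; browser will send it over HTTP"))
    return findings


# Constructed sample: a storefront that protects checkout but not login.
SAMPLE = [
    Response("http://shop.example/", 200, [("Content-Type", "text/html")]),
    Response("http://shop.example/login", 200,
             [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]),
    Response("http://shop.example/checkout", 301,
             [("Location", "https://shop.example/checkout")]),
    Response("https://shop.example/checkout", 200,
             [("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
              ("Strict-Transport-Security", "max-age=31536000")]),
]

if __name__ == "__main__":
    for url, problem in audit(SAMPLE):
        print(f"{url}: {problem}")
```

Running it reports only the login page: it is served over plain HTTP and sets a session cookie without Secure, while the unauthenticated front page over HTTP is left alone, matching the "only the sensitive parts need TLS" position above.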

If you don't have account information and handle credit card information through a payment gateway, then no, it isn't compulsory. It is entirely possible to run an e-commerce site safely without HTTPS if you know what you are doing and jump through a bunch of very special hoops. (No username/password, process payment offsite through a payment gateway or Paypal, use Order #s for tracking, etc.) In this case, all you'd be doing is having people put together a list of items they want and sending that list (or the total) to a secure service to deal with the sensitive bits, and they send back a token as a receipt.

That said, why would you want to have the headaches? People are far less likely to trust your site even if you set it up correctly to avoid all the possible pitfalls of not having HTTPS. It's much easier to do with HTTPS and well worth either using a self-signed or cheap SSL cert. You can get SSL certs as cheap as $60 for two years (and maybe cheaper). There is really no good reason not to use SSL (HTTPS).

Also note that to handle credit card details, it is generally compulsory to use SSL for the exchange as part of the merchant services agreement. More specifically, if you touch, handle, work with or store payment card information (PCI), then the merchant services agreement will almost certainly require that you follow PCI-DSS. This is a big part of why even storefronts using SSL may often opt to use a payment gateway to handle the credit card data so they don't have to worry about the finer points of PCI-DSS.
