What exactly is involved with using Authorize.net?

[xyph]

Is this what you want?

 

http://stackoverflow.com/questions/6130436/is-posted-information-from-non-ssl-to-an-ssl-secure

 

So, it's secure, but the form page isn't SSL, and this might scare the buyer.

[jcbones]

Is this what you want?

 

http://stackoverflow.com/questions/6130436/is-posted-information-from-non-ssl-to-an-ssl-secure

 

So, it's secure, but the form page isn't SSL, and this might scare the buyer.

 

If you loop closely at the picture, they are telling you that your form must be HTTPS.

[xyph]

The idea is to avoid purchasing SSL

[smoseley]

The only way you can get around this without SSL is to send the user off-site to complete payment, e.g. Authorize.net's SIM product, Google Checkout, Paypal, etc.

 

 

[Mahngiel]

The idea is to avoid purchasing SSL

 

Zane, sounds like your client is going to need to weigh the costs / benefits of using either a 3rd party checkout system and paying their fees or purchasing an SSL.  Which will cost more? 

 

[Zane]

The client is teeter-tottering on the credit card transaction fee percentage.  Paypal and Google Checkout have a 2.9% + $0.30 fee, while their Merchant is (somehow?) hooking them up with a 1.58% fee.  I went ahead and set up a sandbox account and used the SIM integration method just to check it out.  There are still a few variables I need to figure out, but it seems I may be able to get away with no getting an SSL.  The form action posts to a https address hosted on Authorize.net, which is exactly what I need.

 

Now I just need to make sure I meet the requirements.

[xyph]

Watch out, having the form on a non-secure page opens yourself up to MitM.

 

If an attacker were to manage to compromise the stream between your webpage and the server's, it's possible to modify the HTML before passing it through, changing your form's action.

 

Though, this form of attack isn't exactly easy unless your client's on weak WiFi when he/she does it.