If you accept online credit card payments through a merchant account, the networks and the credit card associations will require you to use SSL whenever credit card information (card number, CVV code, expiration date, cardholder's name, etc.) is transmitted, for example when the customer enters it on a payment page or shopping cart order form. This is one of the most important parts of making your website PCI compliant (PCI is a fixed set of rules that must be followed in order to accept credit card payments).
PCI compliance is required not only by your payment processing company and by MasterCard, Visa, American Express, Discover Network, JCB, Diners Club International and other cards; customers also look for the security offered by your shopping cart or order form before providing their credit card information. If customers find out that your site is not safe, you can quickly lose sales.
However, if your customers enter their credit card information on the website of a payment processing company, such as PayPal, Amazon Payments or Google Checkout, and do not enter it directly on your website, then there is no need for an SSL certificate, as you are not storing or transmitting the customer's credit card information.
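A quick way to check your own pages against the rule above, as an added example that is not part of the original article: it parses a page's HTML, finds forms that collect card fields, and reports whether the page and the form's submit URL both use HTTPS. The field-name hints, the `shop.example` host and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed substrings that mark a card field; tune to your own forms.
CARD_HINTS = ("card", "cc-", "ccnum", "cvv", "cvc", "expir")

class FormAudit(HTMLParser):
    """Record each <form>: its action and whether it has card fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "card": False}
            self.forms.append(self._cur)
        elif tag in ("input", "select") and self._cur is not None:
            label = " ".join(a.get(k) or "" for k in ("name", "id", "autocomplete"))
            if any(h in label.lower() for h in CARD_HINTS):
                self._cur["card"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_page(page_url, html):
    """Return (submit_url, verdict) for every form that collects card data."""
    parser = FormAudit()
    parser.feed(html)
    results = []
    for form in parser.forms:
        if not form["card"]:
            continue
        # An empty action submits back to the page URL itself.
        target = urljoin(page_url, form["action"])
        if urlparse(page_url).scheme != "https":
            verdict = "FAIL: card form served over plain HTTP"
        elif urlparse(target).scheme != "https":
            verdict = "FAIL: card data submitted over plain HTTP"
        else:
            verdict = "OK: served and submitted over HTTPS"
        results.append((target, verdict))
    return results

# Constructed sample page (shop.example is a placeholder host).
SAMPLE = """<form action="/search"><input name="q"></form>
<form action="http://shop.example/pay"><input name="card_number"></form>
<form action=""><input autocomplete="cc-number" name="n"></form>"""
print(audit_page("https://shop.example/cart", SAMPLE))
```

The check covers both conditions because a form on an HTTPS page can still submit to an `http://` action, and a form served over plain HTTP can be altered in transit before the customer ever submits it.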
Here's how SSL works:
The following is a summary of what happens whenever a connection is established between a browser and a site that uses SSL:
- The visitor's browser asks the website's server to provide its SSL certificate in order to establish a secure connection.
- The server provides it to the browser.
- The browser identifies the Certificate Authority (CA) that issued the SSL certificate and contacts it to find out whether the certificate is valid.
- The CA checks the certificate and confirms its validity, provided it has not been revoked.
- Following confirmation from the CA, the browser requests the page content from the server.
This process, which takes place between the secure site and the visitor's browser, is called a 'handshake' or an Online Certificate Status Protocol (OCSP) response.