2

I am not very technical, and I don't know if this is the right place to post this question. Sorry in advance.

Anyways, hiring someone to do the e-commerce site can be futile, so I tried to do it myself.

I have been picking up some books and learned Drupal, and also configured a small e-commerce site. The payments will happen through a payment gateway which is supposed to be secure, although credit card details would be passed through my website (using https).

I have been using the Drupal documentation and trying to follow their basic security guidelines - http://drupal.org/security/secure-configuration.

Now I am looking at VPS hosting, and I am wondering, so I install Drupal on their host and follow Drupal.org guidelines. How do I really know my application is secure?

I am taking people's credit card information (I am not storing it), and I have this sinking feeling that maybe I am not doing enough ... is there a chance those details could be intercepted through some vulnerability on the server side? I don't know exactly what, maybe some loophole that I don't know about; am I being paranoid?

The sinking feeling is because I don't know the inner workings of the operating systems, networking, etc., and it seems like it would take a lifetime to understand. I tried learning a bit of Linux, and then stopped; it is too much and I want to work on my business, not in it.

So I am facing the dilemma of what else I should do, and what is reasonable. It's in my nature to be very detail-oriented and understand everything, and I am having a hard time with this.

HopelessN00b

Dave

3 Answers

6

Sorry, but you're going about this the wrong way for your level of technical ability. I highly recommend a turn-key solution like a Yahoo or eBay store. If that's too amateurish then do the following:

  • Drop Drupal. Drupal is a monster; it's not good for a beginner or for a small site. If you want to roll your own CMS then go with Wordpress or a hosted Wordpress. Build your site.
  • Drupal and Wordpress are CMSes; they are not shopping carts.
  • Manage inventory and take cc payments via your own or hosted shopping cart like zencart. You'll need a cc processor and payment gateway/merchant account access. A hosted service will take care of this for you.

You can look into resellers like Bluehost or Dreamhost. You really don't need to run your own server. Best to let the experts manage the servers/updates/security and for you to focus on the application end of things.

Anyways, hiring someone to do the e-commerce site can be futile, so I tried to do it myself.

I disagree. You can probably find a freelancer who can punch this out at a good price point.

DrZaiusApeLord
    +1 for a turnkey solution. Otherwise you should **Seek Professional Help** in the form of a local tech company. Trying to build an eCommerce solution yourself when you are "not very technical" is a recipe for disaster. – voretaq7 Jan 18 '12 at 20:24
0

Dave, I set up a similar small eCommerce site for my mother-in-law some time ago. If you are using a payment gateway such as PayPal you are only sending the credit card request to the gateway site; they do all of the processing (including the collection of the card number) and the money simply appears in your account.

Since you never have access to the card data, directly on your server or otherwise, you do not need to worry about PCI or the headaches that come along with it.

Tim Brigham
  • Thank you. Is there a way to embed the request form within the payment page, rather than redirecting to another site like PayPal? I would like the user to stay on the site. Maybe an iframe? But I am curious if there is some server code that could generate form code that posts credit card information securely to the payment gateway? Guess I have some research to do on that possibility .. – Dave Jan 18 '12 at 22:10
  • If you start doing that you get into the realm of PCI compliance. That is something I promise you don't want to do (it is what I do for my full-time job). There are services from PayPal and those like it which can skin their site to look and feel like it is part of yours, and even direct back to your page on completion of the process. – Tim Brigham Jan 18 '12 at 22:13
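The redirect-to-gateway flow this answer and its comments describe, as an added illustration in Python that is not part of the original thread and does not use any real gateway's API: the merchant server only ever handles an order reference, an amount and a signed result, refuses any form submission that carries card fields (which would put it in PCI scope), and verifies the HMAC-signed notification the gateway posts back so a tampered amount or a forged "paid" result is rejected. The gateway URL, field names, signing scheme and secret are assumptions constructed for the example.

```python
"""Hosted-gateway checkout in the shape the answer describes: the card number
goes from the customer's browser straight to the gateway; the merchant server
only handles an order reference, an amount and a signed result.

The gateway URL, field names, signing scheme and secret below are constructed
for this example; a real gateway documents its own."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Assumed hosted-payment page of a hypothetical gateway (not a real service).
GATEWAY_PAY_URL = "https://pay.gateway.example/hosted"
# Constructed shared secret; in practice this lives in configuration, not code.
GATEWAY_SECRET = b"constructed-demo-secret-do-not-reuse"
# Fields that must never reach the merchant server in this design.
CARD_FIELDS = {"card_number", "cvv", "expiry"}


def sign(fields):
    """HMAC-SHA256 over 'key=value' pairs joined with '&' in sorted key order.
    Assumed scheme shared by merchant and gateway; 'sig' itself is excluded."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(GATEWAY_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def build_redirect(order_id, amount_cents, currency, return_url):
    """URL the merchant sends the customer to. Only non-card data is included,
    and it is signed so the customer cannot alter the amount on the way."""
    fields = {
        "order_id": order_id,
        "amount": str(amount_cents),
        "currency": currency,
        "return_url": return_url,
    }
    fields["sig"] = sign(fields)
    return GATEWAY_PAY_URL + "?" + urlencode(fields)


def handle_checkout(form):
    """Merchant-side checkout handler. Refuses any submission that carries
    card data, because accepting it would put this server in PCI scope."""
    leaked = CARD_FIELDS & set(form)
    if leaked:
        raise ValueError(f"card data must not be posted to the merchant: {sorted(leaked)}")
    return build_redirect(form["order_id"], int(form["amount"]),
                          form["currency"], form["return_url"])


def verify_notification(raw_body, expected_order_id, expected_amount_cents):
    """Check a form-encoded result posted back by the gateway: the signature
    must match (constant-time compare) and the order id, amount and status
    must be what the merchant expects, so a forged or replayed 'paid'
    notification for another order or amount is rejected."""
    parsed = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    sig = parsed.pop("sig", None)
    if sig is None or not hmac.compare_digest(sig, sign(parsed)):
        return False
    return (
        parsed.get("order_id") == expected_order_id
        and parsed.get("amount") == str(expected_amount_cents)
        and parsed.get("status") == "paid"
    )


def make_notification(order_id, amount_cents, status):
    """Constructed gateway callback body, used only to exercise the verifier
    offline; in production the gateway produces this message."""
    fields = {"order_id": order_id, "amount": str(amount_cents), "status": status}
    fields["sig"] = sign(fields)
    return urlencode(fields)


if __name__ == "__main__":
    # Constructed checkout form: no card fields, so it is turned into a redirect.
    print(handle_checkout({"order_id": "order-1001", "amount": "2599", "currency": "USD",
                           "return_url": "https://shop.example/return"}))
    body = make_notification("order-1001", 2599, "paid")
    print(verify_notification(body, "order-1001", 2599))  # True
    # Changing the amount breaks the signature, so the result is rejected.
    print(verify_notification(body.replace("amount=2599", "amount=1"), "order-1001", 1))  # False
```

The point of the design is what the server does not do: it never parses, logs or forwards a card number, so the only things worth protecting on the merchant side are the shared secret and the correctness of the callback check. Real gateways bundle this pattern as a hosted or redirect checkout; their own documentation defines the actual parameters and signature format.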
0

Make sure you keep your VPS system up to date with its security updates and patches; this includes any software you have installed on the system to make the ecommerce solution work, e.g. Drupal. This will reduce the chances of a bug/flaw in the system exposing any sensitive data you may have (e.g. client login details, order info, etc.).

Another more extreme (but worth it for peace of mind) method is to hire a company to do a penetration test / web application test on your site to ensure there are no glaring problems/holes in the security of it.

With regard to details being intercepted on the server side of the system, this would come down to a fault/problem at your host's end and would hopefully be something they never let happen. If the security of the host and their policies and procedures on who has access to systems are good enough, you can sleep easy knowing that once the client has entered details on your site and processed them, the info went straight to your gateway and no one but the gateway saw it.

Hope this helps.

Kristiaan