Guest makepool, posted April 13, 2010:
Hello, I'm just starting out with ecommerce and plan to build a site that uses CubeCart with SagePay as the gateway. I wondered what the legal requirements for the UK were because there seems to be different information on different sites. If I create an online shop where the user never leaves the site like they would with PayPal for example, do I legally have to have dedicated hosting and what are the legal requirements of doing things this way?
vokf, posted April 13, 2010:
I think you're talking about PCI compliance. If you do not store Credit Card information on the site (server/database), with this aspect handled by SagePay, then you will be fine. Disclaimer: I'm not familiar with SagePay.

If you DO store credit card information on your site, and this information is used, you will be in serious trouble with the credit card company. Essentially, your store will close and you will probably be sued for their losses. For this reason, it's sensible to pass the risk on.

You should also consider the Data Protection Act, as you will have personal details on the CubeCart database. A weak password or successful attack would expose these details, and so you (and all store owners) should exercise good practices:
- Strong passwords
- Changing passwords regularly
- Restricting access to admin to only known IP addresses

As with most of this kind of thing, you need to be able to answer the question "what did you do to limit the damage?", and if you can only shrug your shoulders, it's not good enough.

If the Credit Card information is held on the database (i.e. for offline processing), then you will need to demonstrate PCI compliance: essentially a fair bit of work and difficult on a shared server.

The fact you are looking into this is a good thing. It's also worth considering that CubeCart has been security audited, but any 3rd party mods will not have been. Take care if you need to code or subcontract out any work.

This puts it above most of the competitors, but once new code is added or existing code modified, the new authors need to take care with security.

Jason
Guest makepool, posted April 17, 2010:
Thanks for the very swift response. Yes, I think it was the whole PCI issue that was confusing me. The only thing I'm wondering now is if I still have to cover my site with SSL? I've seen a few other CubeCart sites and they don't seem to be doing this, but since CubeCart does send various details to SagePay such as customers' names and addresses, wouldn't SSL still be a good idea?
vokf, posted April 18, 2010:
It will depend on your site. SSL is "nice", and if I see it when entering personal details (address/telephone etc), then I'm a little happier. In the grand scheme of things, it's low cost and will inspire confidence, so I'd recommend it.

All the best with the store!

Jason
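Two of the recommendations in this thread (Jason's point about restricting the admin area to known IP addresses, and the advice to put the whole store behind SSL so names and addresses are not sent in the clear) can be implemented on a typical shared Apache host without touching CubeCart's code. The configuration below is an added example and is not from the thread, from CubeCart or from SagePay. It assumes Apache 2.4 with mod_authz_core and mod_rewrite enabled and `AllowOverride` permitting `.htaccess` files; the admin directory name `admin/` and the IP addresses are placeholders you would replace with your own.

```apache
# --- file: /.htaccess (web root of the store)  [added example, not CubeCart's own] ---
# Force every request onto HTTPS so customer details never travel in the clear.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# --- file: /admin/.htaccess  (directory name is an assumption; use your real admin path) ---
# Only the listed addresses may reach the admin area at all; everyone else gets 403
# before CubeCart's login page is even served, so a leaked or weak admin password
# alone is not enough to get in.
<RequireAny>
    Require ip 203.0.113.10        # constructed example: office static IP
    Require ip 198.51.100.0/24     # constructed example: trusted network range
</RequireAny>
```

Two caveats when using this on shared hosting: if the host terminates TLS on a front-end proxy, `%{HTTPS}` may never be `on` and the redirect loops, in which case the condition has to test the header the proxy sets instead (commonly `X-Forwarded-Proto`); and on Apache 2.2 the `Require ip` block is written as `Order deny,allow`, `Deny from all`, `Allow from <address>`. Test the redirect with a browser and the IP restriction from an address outside the list before relying on either.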