SSL / HTTPS for Paypal


(LJ) #1

Does anyone have a definitive answer as to whether a simple PayPal button requires HTTPS? My feeling is that as the transaction and personal data are on PayPal servers, SSL should not be necessary. However, there are conflicting views out there! I raised a similar question last year but got no answers - maybe someone is clearer now.


(Will Woodgate) #2

Currently (September 2017) I don’t think you do. Because after the button is pressed, the customer is taken through to the PayPal website to enter their data and complete the transaction.

SSL would be required if you are collecting data before the customer goes through to PayPal. And you would also need to be something termed ‘PCI compliant’ too.

For a simple button or ‘PayPal.me’ link, you do not appear to require SSL. Ultimately that may change in future, if PayPal updates their policy for ‘buy now’ buttons or web browser software determines a site matches the criteria for needing a security certificate.


(Dylan Banks) #3

Just an add on to what Will said: https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/encryptedwebpayments/


(Greg Schneck) #4

However, you might like to know that:

  • Chrome will soon note your site as not being SSL, and even though checkout is secure, customers may not understand that and avoid purchase.
  • There are two levels of SSL. Most free and low end ones are “shared.” This would be fine for your Paypal checkout. If you ever have your own cart and private info is taken on your site you need a “private” SSL account.

For details just search web for “shared vs private ssl”


(LJ) #5

I think this gets to the heart of the issue. As suspected, a PayPal button doesn’t need SSL, but perception of the buyer is clearly very important. Seeing as Google is clear in its intention to rank secure sites higher, it may be best to run with it. Another expense for the client but that’s the way it is.


(Doug Bennett) #6

Next month, with the new release of Chrome, users will get a not secure warning if you collect any input on the page. That includes an email address, name etc. Many hosting companies are offering free certificates from Let’s Encrypt (https://letsencrypt.org).

You can also use a free CloudFlare account to add SSL (HTTPS).
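A way to check a page against the two cases raised in this thread, a bare PayPal button versus a page that collects typed input over plain HTTP. This is an added example, not code from any poster; the sample HTML, the `shop.example` host, the `audit` helper and the choice of which input types count as "typed" are assumptions of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input types a visitor never types into (assumption of this example).
NON_TYPED = {"hidden", "submit", "image", "button", "reset"}

class FormAudit(HTMLParser):
    """Collects form actions and user-typed field names from one page."""
    def __init__(self):
        super().__init__()
        self.actions, self.typed_fields = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "textarea":
            self.typed_fields.append(a.get("name") or "(unnamed)")
        elif tag == "input" and (a.get("type") or "text").lower() not in NON_TYPED:
            self.typed_fields.append(a.get("name") or "(unnamed)")

def audit(page_url, html):
    """Report typed input collected over HTTP and forms that submit over HTTP."""
    p = FormAudit()
    p.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    # Relative or empty actions inherit the page's own scheme.
    targets = [urljoin(page_url, act) for act in p.actions]
    return {
        "collects_input_over_http": bool(p.typed_fields) and not page_https,
        "typed_fields": p.typed_fields,
        "insecure_actions": [t for t in targets if urlparse(t).scheme == "http"],
    }

# Constructed samples: a hosted PayPal button and a newsletter sign-up form.
PAYPAL_BUTTON = """<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="PLACEHOLDER_ID">
<input type="image" src="buynow.gif" name="submit" alt="Buy Now"></form>"""
SIGNUP_FORM = """<form action="/subscribe" method="post">
<input type="email" name="email"><input type="submit" value="Join"></form>"""

if __name__ == "__main__":
    for name, html in (("button", PAYPAL_BUTTON), ("signup", SIGNUP_FORM)):
        print(name, audit("http://shop.example/", html))
```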


(Dylan Banks) #7

I’d say start putting SSL on every site you do as a standard. It ain’t much more of a task anyway.