
Our geeky back-end developer is trying to tell us that we really don't need to have the whole logged-in section of our shopping site be "https" with the browser "lock".

He just wants to put the credit card fields in an https frame (which customers will not be able to see is secured).

As far as we can tell, this is sheer UX lunacy that would be the kiss of death for an e-commerce site today. Consumers absolutely expect that "lock" icon or they think the site is some kind of scam.

But our developer doesn't think it would be so unusual and says it will make his integration easier.

So can anyone refer us to a single major shopping Web site that does not use https and the lock for the entire logged-in account section?

+3  A: 

HTTPS is an absolute requirement for eCommerce transactions. Make sure you use HTTPS while collecting shipping and card details and make this obvious to the user.

However, you need not have HTTPS throughout your site. HTTPS is not needed while browsing your product catalog or adding an item to cart.

Ashwin Prabhu
A: 

Your developer is just plain wrong.

By putting your CC form in a frame you'd be able to access the DOM of the https page from the unsecured server because it is a child of the parent document.

Rimian
I guess not, unless the CC form is loaded from the same domain/source. Otherwise accessing the DOM in the iframe will be a violation of the 'same origin policy' - browsers will not allow this.
Ashwin Prabhu
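The same-origin check discussed in the answer and comment above, as an added example that is not part of the original thread: it uses the standard `URL` API to compare the origins of a parent page and an embedded frame, and records that the browser's lock reflects the top-level page rather than the frame. The `shop.example` and `pay.example` URLs and the function names are constructed for illustration.

```javascript
// Added example: classify how a parent page and an embedded payment frame
// relate under the same-origin policy. All URLs below are constructed samples.

// An origin is the (scheme, host, port) triple. URL.origin serializes it
// with default ports (80 for http, 443 for https) normalized away.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  return u.origin;
}

function assessEmbedding(parentUrl, frameUrl) {
  const parent = new URL(parentUrl);
  const frame = new URL(frameUrl);
  const sameOrigin = originOf(parentUrl) === originOf(frameUrl);
  return {
    parentOrigin: parent.origin,
    frameOrigin: frame.origin,
    // Script in the parent can reach the frame's document only when
    // scheme, host and port all match.
    parentCanReadFrameDom: sameOrigin,
    // The address-bar indicator reflects the top-level page, not the frame.
    topLevelIsHttps: parent.protocol === 'https:',
    frameIsHttps: frame.protocol === 'https:',
  };
}

// Constructed cases: same host but different scheme, a different host,
// an explicit default port, and a non-default port.
const cases = [
  ['http://shop.example/account', 'https://shop.example/pay'],
  ['http://shop.example/account', 'https://pay.example/card'],
  ['https://shop.example/account', 'https://shop.example:443/pay'],
  ['https://shop.example/account', 'https://shop.example:8443/pay'],
];
for (const [p, f] of cases) {
  console.log(p, '->', f, assessEmbedding(p, f));
}
```

Note that the first case is cross-origin even though the host name is identical, because the scheme differs, and that its top-level page is still plain HTTP, so no lock is shown for the secured frame.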
A: 

Keep in mind that your developer is looking at this from a coding perspective, not a UX perspective. In short, thank the developer for the awesome input but go with what your users expect to see and use HTTPS.

Atanasio Segovia
A: 

No matter what you decide... I always look at it from a pay-now or pay-later cost scenario:

Will letting the developer "save" me a few dollars now, or making choices based on what is easier for him now, cost me more in the future than any amount of up-front savings?

If you are right (and I believe you are) that people are EXPECTING to see that little lock so they can feel their transaction is secure, then your cart abandonment should be high enough that you will lose far more money than you would ever save doing things the "easier for me to develop" way....

It does not really matter what is happening behind the curtain... as long as things operate the way people expect they will be appeased, kept calm, and click the "pay" button.

Users are so paranoid about scams, phishing, and whatever else that ANY deviation from expected visual and security indicators will cost you and cost you and cost you....

Sometimes the most expensive things cost us the least....

exoboy