Taking eWAY payments on a non-SSL website

June 8, 2012

I explain here how to take online payments via eWAY without purchasing a secure socket layer (SSL) certificate. I also provide PHP code that will allow secure creation of items for sale and will create a purchase form for each such item.

Fooling eWAY into thinking that your site has SSL

Wait a minute! Doesn’t eWAY already allow payments to be taken without any need of an SSL certificate?

Well yes, kind of. That’s their Shared Payments solution. You simply send your customers to the eWAY payment form, feeding into the form the details of items to be purchased. But there’s a BIG problem with that. When a customer clicks the Process Transaction or the Cancel button on the eWAY payment form, a message pops up warning them that they are going to be taken to a non-secure page—and asking them whether they wish to proceed.

Who would trust their credit card number to such a system? Anyone with any sense would leave the payment form and not return.

These customer-squashing warnings arise because pressing either of those buttons takes customers back to your website—which eWAY realises doesn’t have SSL. It shouldn’t throw a fit about that, but it does.

That's right: eWAY is over-reacting. Remember, all credit card information is entered on a form hosted on the eWAY website, and eWAY doesn't send any of that information back to your site. Although an eavesdropper could obtain names and addresses of customers (as those must be sent from your webpage to eWAY), he or she couldn't get at the credit-card numbers (as those are handled entirely by eWAY). Not having SSL makes customer contact information vulnerable, but credit card numbers are safe.

I believe that if your company isn't too large, this is a vulnerability you can live with. And if it's too much of a worry, don't ask for customer addresses—eWAY doesn't require them. The only alternative, if you must use eWAY, is to purchase an SSL certificate (you're also going to need to buy a static IP address).

So, how do you get rid of those warning messages without going down that SSL route? It’s an interesting problem: You need to give eWAY the URL of a page to return to on your non-https website… while convincing eWAY somehow that the page uses the https protocol.

Think about it for a moment…

Okay, here’s the trick: You use the https form of a URL shortener for the return page. Specifically, if your return page is http://mycompany.com/gateway/response.php, get a shortener for that URL from Bit.Ly. It will be something like http://bit.ly/IEQ2sw. Supply eWAY the https form of that URL (e.g. https://bit.ly/IEQ2sw) as your return URL—and the warning messages will disappear. Do likewise for the cancel page (the page the user returns to if he or she presses Cancel rather than Process Transaction).

The image problem

If you want to get the eWAY Shared Payments form working with a site that doesn’t use SSL, you’re also going to run up against a problem with images. That form allows you to supply URLs of your logo and page banner, but those images must be hosted on an SSL-protected site. If they’re not, customers will see warnings like “This page contains both secure and non-secure items”. Problem is, your site doesn’t have SSL—so where to put those images?

This is easily solved. Just upload your images to the free SSL image hosting service at www.sslpic.com.

Show me the widget!

Let's compare eWAY's hosted payment form with that of PayPal, its biggest competitor.

PayPal allows anyone with a bit of technical savvy to easily get credit card payments working on a non-SSL website. You register for PayPal and set up suitable payment buttons. Add PayPal widget code into your website and you’re done. When a customer clicks on one of those buttons, he or she is taken to a payment form on the PayPal site. It doesn’t matter whether or not your site has SSL: PayPal handles all that. Difficulty level: Smart Teenager.

Now, how does eWAY measure up? Yes, eWAY provides a hosted payment form (the Shared Payments solution) and some useful code for download, but that’s all. No widgets. Shoddy documentation. Clever teenagers and web designers lacking coding experience need not apply. Difficulty Level: Web Developer.

This is a nuisance! If a business signs up for eWAY, it will very soon discover that it has to hire a web developer before it can start taking credit-card payments.

To alleviate this problem somewhat, I have developed a rudimentary PHP frontend for the eWAY Shared Payments solution. It contains a webpage into which the details of items for purchase may be entered. Try it out using the password “opensesame”. You’ll see that the page provides the URL of a form by which created items may then be purchased. (For example, here’s one I created earlier.) Once a user adds their non-secure information into that form, they may proceed to the secure eWAY payment form. (Note that you won’t be able to make a purchase on eWay using my example form, as I do not have an eWAY account.)

I cobbled together this very simple frontend using jQuery, some code provided by eWAY, and cryptographic code by Jeff Mott. It uses SHA-256 hashing and a bit of simple obfuscation to prevent unauthorised creation of items for purchase—and it will work on a non-SSL website.

To set this up, download the frontend files and modify the config.php file to suit your site (see for instance the config.php I used in my example). If you need help setting it up, please contact me.