Do I really need an SSL Certificate?
kw2102
01-22-2008, 03:03 PM
Hello all,
I am developing a site for one of my clients who would like a "sign up for services" form on their site.... They would like me to include in the form fields for Doctor's name, Tax ID number, address, city, county, state, zip, telephone, fax, and a few other items... The thing is... do I need an SSL cert. for this? I know this is considered private information... but is it really "private" if it all (including tax id) can be pulled off of a directory online?
We use SSL only if transmission of data includes social security numbers, credit card numbers, or other sensitive payment-related data.
KDLA
windycitycoder
01-23-2008, 10:11 AM
If you're going to be collecting social, tax ID, banking / cc info or anything sensitive, you really need to have an SSL certificate. It's well worth the $200 or so a year that Thawte charges to know that the data's harder to grab, and to be able to show visitors that you're taking their privacy seriously. I personally close the window if I see a site isn't using SSL and is asking for any of this.
Once you have it, you also should be encrypting any sensitive information that you're storing. Not only does it save you potential headaches - either from violating HIPAA guidelines or from theft of unencrypted data - it's another way to provide comfort to the users. I had to jump through a lot of hoops to meet our industry's (payment processing) guidelines. However, by doing so, I know that the client isn't going to get hit with NACHA/PCI fines for being uncompliant, that any data theft can be easily tracked, and that all the users (between 5 and 10k / week) feel comfortable using the system.
Hope this helps.
Reli4nt
01-23-2008, 12:57 PM
You don't NEED it but I'm sure the site's visitors would prefer it.
TheBearMay
01-23-2008, 01:15 PM
Of course you could look at using a self signed certificate if your users don't mind a warning message....
iggy1253
01-23-2008, 01:20 PM
Hi,
I would recommend going ahead and getting it, especially with the amount of identity theft going out nowadays!
Watts
01-24-2008, 12:37 PM
Just as important is what you *do* with the info *after* it is submitted. Is it just sitting there on your server unencrypted? Do you email it, or transfer it? Then you'd want to make sure you use a secured method of moving the data about too.
yamaharuss
02-03-2008, 10:11 AM
GoDaddy offers certificates pretty cheap.
kw2102
02-04-2008, 05:51 PM
Well, thanks for all your help, but now my client's issue is... why should he have to get an SSL certificate if the information is listed freely on other directory websites?
yamaharuss
02-04-2008, 06:12 PM
That's totally up to your client. I would strongly suggest adding SSL if for no other reason than adding the extra comfort of security for the users/potential customers.
The more privacy and security info you can provide, the better chance people will enter their info.
Is the client just too dang cheap???? What's $50 for a year's worth of security?
Reli4nt
02-04-2008, 07:24 PM
One word: liability
Fatal Error
02-07-2008, 08:37 PM
I think that what kw2102 is asking is whether or not the information is worth protecting. I'm pretty sure that there is no way to look up tax ID numbers on the net, because if there was, we'd all be in deep doo. I think that the information is worth encrypting, even if it is self signed, or even if you use a custom script to encrypt it.
felgall
02-07-2008, 08:50 PM
Anyone would be stupid to enter data such as credit card numbers, tax numbers etc into a form that wasn't using a security certificate. If you are collecting that sort of information you need a certificate or everyone will go to the next web site that does offer that security.
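
An added example, not part of any post in this thread: a small check that parses a page's forms and reports any that collect sensitive fields (such as the Tax ID in the sign-up form discussed above) without HTTPS on both the page and the form action. The field-name patterns, the `clinic.example` URLs and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Field-name patterns treated as sensitive (assumed list for this example).
SENSITIVE = re.compile(r"tax|ssn|social|card|cvv|account|routing|passw", re.I)

class FormAuditor(HTMLParser):
    """Collects each <form> with its resolved action URL and sensitive field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "sensitive": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name") or a.get("id") or ""
            if a.get("type") == "password" or SENSITIVE.search(name):
                self._current["sensitive"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit(page_url, html):
    """Return (issue, action_url, fields) for sensitive forms lacking HTTPS."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        # A page served over HTTP can be altered in transit, so an HTTPS
        # action alone does not protect what the visitor types.
        if urlparse(page_url).scheme != "https":
            findings.append(("page-not-https", form["action"], form["sensitive"]))
        if urlparse(form["action"]).scheme != "https":
            findings.append(("action-not-https", form["action"], form["sensitive"]))
    return findings

# Constructed sample markup: a sign-up form and an unrelated search form.
SAMPLE = """<form action="https://clinic.example/submit" method="post">
<input name="doctor_name"><input name="tax_id"><input name="fax"></form>
<form action="/search"><input name="q"></form>"""

if __name__ == "__main__":
    for finding in audit("http://clinic.example/signup.html", SAMPLE):
        print(finding)
```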