Google Shopping SSL Requirements


When you want to publish products on Google Shopping, it is important to understand the requirements for checkout and security. The basic rule is that if you are collecting personal information, then an SSL certificate is required.

Let's delve into the first topic, which is when you need to have an SSL certificate:

Login Pages

If you have a page where a customer needs to log in to gain access to their account, then this page and anything associated with the account pages need to be loaded under https.

Checkout

An SSL certificate is also required when the checkout collects any of the following personal details:

  • Credit Card Details
  • Bank Details
  • Full Name
  • Email Address
  • Phone Number
  • Identification Numbers (Tax, Social, Driver's Licence, etc…)
  • Mother's Maiden Name
  • Birth Date
  • Checking Account Numbers
  • Wire Transfer Number

Type of Certificate

When you buy an SSL certificate, the most common question is: which one should I buy? A basic domain validation certificate, on either a shared or a dedicated IP, is the appropriate answer. As you are a merchant, I suggest using an EV certificate.

An Extended Validation Certificate (EV) is a public key certificate requiring verification of the requesting entity’s identity by a certificate authority (CA). EV certificates are mainly presented by web servers to web browsers for use with SSL/TLS connections.

A list of certificate companies trusted by modern browsers:

  • Comodo
  • Symantec
  • GoDaddy
  • GlobalSign
  • DigiCert
  • StartCom
  • Entrust
  • Verizon
  • Trustwave
  • Secom
  • Unizeto
  • QuoVadis
  • Deutsche Telekom
  • Network Solutions
  • SwissSign

Certificate Validity

When you have your SSL certificate, you need to make sure it is correctly installed. You can use two different sites to check all requirements.

  • Server name indication – dedicated IP
  • Valid certificate

These can be checked on digicert.com

  • 2048 Bit Key
  • TLS V1.2
  • Grade B or better
  • Complete chains
  • No TLS or any related vulnerabilities
  • Matching exact website URLs
  • Certificate Transparency

These validations can be checked on ssllabs.com

Ensure

Before we submit your data feed, or request a re-approval, ensure the following things are checked:

  • Make sure your checkout buttons all point to https instead of http, for all internal and external links
  • Validate that the certificate is fresh (not near its expiration date)
  • Google can crawl the website, which you can check with their user agents
  • Avoid mixed content: having images, css, js, fonts or any other resources loaded under http will void any secure connection. You will need to make sure that all resources are loaded under https. Simply replace the http:// with either https:// or //
  • Test your checkout and any other secure pages in two modern browsers (Chrome, Safari, Firefox or Edge)
  • Check that your landing pages respond with a 200 code and not a 404 or any other server error
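
One way to check the http link and mixed content items above before submitting, as an added example that is not part of the original article: a small Python scanner that reports every http:// resource, link or form target in a page. The names find_insecure_refs and InsecureRefFinder, and the shop.example sample page, are assumptions made up for this illustration.

```python
from html.parser import HTMLParser

# Tag/attribute pairs that load a resource into the page. Every <link href> is
# treated as a resource here, so a canonical link over http is reported too.
RESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href"),
    ("source", "src"), ("video", "src"), ("audio", "src"),
}
# Tag/attribute pairs that navigate or submit data (checkout buttons and forms).
NAV_ATTRS = {("a", "href"), ("form", "action")}

class InsecureRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (kind, tag, url, line)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue  # https:// and protocol-relative // are acceptable
            if (tag, attr) in RESOURCE_ATTRS:
                kind = "mixed-content"
            elif (tag, attr) in NAV_ATTRS:
                kind = "insecure-link"
            else:
                continue
            self.findings.append((kind, tag, url, self.getpos()[0]))

def find_insecure_refs(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (shop.example and cdn.example are placeholders).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://shop.example/css/site.css">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="https://shop.example/img/logo.png">
<img src="HTTP://shop.example/img/banner.jpg" />
<a href="http://shop.example/checkout">Checkout</a>
<form action="https://shop.example/pay" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url, line in find_insecure_refs(SAMPLE):
        print(f"line {line}: {kind} <{tag}> {url}")
```

Run it against the saved HTML of your login, cart and checkout pages; an empty result means no http:// references were found in the scanned attributes, though resources pulled in from CSS or JavaScript are not covered.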