In 2020 and beyond, the simple answer is: yes. Yes, you need an SSL/TLS certificate.

In theory, you can get away without a certificate because your customers’ financial details are entered on Windcave’s hosted page which has SSL/TLS encryption. Once they’ve finished the transaction, Windcave passes them back to your website.

In practice, however, web pages without a certificate will now be marked as not secure for visitors using modern web browsers. For example, Firefox shows a lock crossed out when you visit a page with HTTP and not HTTPS.

It is therefore a really good idea to use an SSL/TLS certificate — it makes customers feel more comfortable about submitting their name and address data, even before they get to Windcave to enter their credit card data. If you’re just trying to get everything going and don’t want to worry about such things right now, then it’s OK to leave it to later, but it’s no longer acceptable on a live website.