New EV SSL increases transactions through improved site visitor confidence

In 2006, Gartner reported that Web security fears resulted in an estimated $2 billion in lost online commerce. This suggests that while there has been an overall increase in online shopping, banking, securities trading and tax filing, online businesses are less effective than they should be in instilling trust and are leaving money on the table as a result.

Since early 2007, organizations have been able to definitively verify their identity to consumers using one of the greatest developments in Internet security in over ten years: Extended Validation SSL Certificates.

Over the last year, these certificates have demonstrated an ability to accelerate online commerce by increasing visitor confidence in legitimate sites and, thereby, increasing numbers of transactions.

The erosion of SSL’s identity promise

While many online shoppers are aware that the small padlock at the bottom of their browser means that their online communications are encrypted, SSL Certificates were originally intended to validate the identity of a site and protect online shoppers from scams. The industry understood as early as 1995 that while it is difficult to mimic the identity of a physical business, it is quite easy to mimic one online.

More than a decade later, the low visibility of the lock icon and the low level of understanding of what it means have allowed phishing scams to proliferate. Many certification authorities (CAs) have implemented less than foolproof practices. Sites have been known to use self-signed certificates with no identity authentication.

By 2005, widespread phishing attacks were using low-authentication, "soft-target" SSL certificates to perpetuate an illusion of legitimacy.

Introducing identity visitors can trust

SSL Certificates needed a higher level of site owner verification and a browser interface that made it easier for even the least Web-savvy user to recognize "safe" sites.

The CA/Browser Forum, a voluntary industry standards body, created and published an authentication process for a new Extended Validation (EV) certificate. The Forum's over 20 leading Web browser manufacturers, SSL providers and WebTrust auditors required participating CAs to undergo independent audits to confirm compliance.

Certification authorities must establish that the requesting organization is a legally established business, government entity, or nonprofit on record with the local government. It must establish this organization's ownership or right to use the Web domain in question, and it must establish that the requesting individual is employed by the organization and has the authority to obtain SSL Certificates on its behalf. Each authentication step depends on independent, outside information obtained from reliable third-party sources.

Internet Browsers: Green means go

The first browser to support EV SSL was Microsoft Internet Explorer 7 (IE 7), which features several interface conventions to enhance identification of site ownership. When an IE 7 browser accesses a page with an EV certificate, the background of the address bar turns green. The choice of colour also employs effective interface conventions. In the desktop interface world, green signifies “safe to proceed,” just as red signifies danger.

IE 7 also provides an additional Security Status Bar displaying the verified organization's name in the field to the right of the address bar. This organization name and the green address bar present a significant new obstacle to phishers seeking to take over accounts.

Additionally, the recently released Mozilla Firefox 3 Web browser features advanced security protections that can help Mozilla’s 175 million users from unwittingly giving sensitive information to e-criminals.

When Internet users visit a site protected by an EV SSL certificate, the "Site Identity" button attached to the location bar changes colour to indicate the level of identity information provided, offering immediate reassurance that they’ve reached a site whose authenticity has or has not been verified.

Today, if an organization's customers learn to seek its name and a green address bar before providing confidential information, a would-be phisher will not be able to present the interface needed to scam these site visitors. Even if the phisher sets up a real business to purchase EV certificates for the phishing site, the browser interface would not contain the organizational name of the counterfeited site.

Research Shows That EV SSL Certificates Are Effective

A January 2007 study from venerable usability firm Tec-Ed found that 93% of online shoppers preferred to conduct transactions on a site with a green address bar. 97% of online shoppers surveyed were prepared to share their credit card information with an EV-enabled site. Only 63% of shoppers were willing to transact with a site missing the green bar. 14% of shoppers felt that companies implementing the green bar on their sites care more about their customers.

Additionally, a growing number of online businesses that have directly measured and quantified a transaction uplift as a result of having implemented EV SSL Certificates.

Online debt consolidation site DebtHelp.com determined that its online application completion rate went up by 11% among users who were able to see green address bars through IE 7. This translated into a transaction uplift rate that made DebtHelp.com's return on investment for EV SSL Certificates an impressive 16,200%.

Overstock.com, one of North America's largest online retailers, saw its online shopping cart abandonment rate decrease by 8.6% among IE 7 users.

Strong Market Adoption

Since the release of EV SSL Certificates in early 2007, the technology has exploded across browsers and Web sites worldwide and has arguably established itself as the fastest proliferating technology of the Internet Age.

By November 2007, EV SSL had been implemented by over 1,500 businesses across every major online business category, including:

• Online retail (eBay, PayPal, Overstock.com, Dixons, fnac)
• Banking (HSBC, ING, Deutsche Postbank, 5 th 3 rd Bank, UBS)
• Travel (Travelocity, Opodo, British Airways)
• Financial services (Vanguard, Charles Schwab, E*TRADE)
• Health care (Blue Cross, Blue Shield)
• and others (Western Union, Hotmail, Carnegie Hall, Pizza Hut)

The progress of EV SSL adoption can be attributed as much to its compatibility standard to many client desktops as well as the online business advantages of implementing them. Over 35% of client systems have Internet Explorer 7 installed today, meaning that over a third of an online retailer's potential customer base can enjoy the premium experience of EV SSL. An upcoming effort by Microsoft to upgrade users to IE 7 in 2008 will extend the protection of EV to an even broader audience.

When one considers the findings of an August 2007 Carnegie Mellon report suggesting that shoppers will pay an average of 4% more when making online purchases from sites they trust to protect them, the future of EV SSL Certificates looks very bright and has online businesses seeing "green," literally.