"Business technology news for Europe's senior executives...."

Securing your on-line retail site


As the Internet has become more integral to everyone's daily lives, people have grown numb to the processes designed to validate certain aspects of their backgrounds. A similar phenomenon has occurred with retail Web sites, where processes for on-line businesses have changed a great deal in recent years. Often lost in the administration of on-line Web stores is the need to provide sufficient security to protect customers and brands from attack. An adequate level of information security is required to keep pace with the increasingly sensitive information exchanged over the Web and the threats that constantly morph to exploit the various vulnerabilities inherent to transacting business on-line. Strong identity authentication technologies, such as SSL, have been developed and refined over time to combat these security threats facing both on-line retailers and their customers.

An SSL (Secure Sockets Layer) Certificate is an electronic file that uniquely identifies individuals and Web sites and enables encrypted communications. SSL Certificates serve as a kind of digital passport or credential. Typically the "signer" of an SSL Certificate is a Certificate Authority (CA). One of the key purposes of SSL Certificates is to help assure consumers that they are actually doing business with the Web site they believe they are accessing. To validate a Web site's legitimacy, CAs perform different types of investigations (similar to background checks done on individuals) before issuing a certificate. Specific authentication processes vary from CA to CA - a key reason for choosing a widely-known, respected and trusted CA. As proof, 86% [1] of on-line shoppers feel more confident about entering personal information on sites using security indicators, such as a trust mark. With this in mind, some CAs supply a site seal to display along with their SSL certificates. The seal provides businesses with a visual cue to help communicate their trusted status to customers visiting their Web site.

Within the universe of SSL certificates, there are three levels of security available for the on-line retailer to choose from (in increasing order of thoroughness):

  • Domain Authentication - CAs conduct a process to verify that an entity requesting a domain authenticated certificate either owns the domain requested or has the right to use that domain name.
  • Organization Authentication - CAs begin by verifying the organisation's existence through a government-issued business credential, normally by searching government and private databases. If necessary they may request such items as articles of incorporation, business licenses, and fictitious names statements. Before issuing an SSL Certificate, CAs verify a company's identity and confirm it as a legal entity, confirm that it has the right to use the domain name included in the certificate, and verify that the individual who requested the SSL Certificate on behalf of the company was authorised to do so.
  • Extended Validation (EV) Authentication - EV has the highest level of authentication available with an SSL Certificate. EV authentication adds structure and controls to the organisation authentication process. It begins with an in-depth validation of an entity's authenticity starting with a signed acknowledgement of agreement from the corporate contact. A company registration document may also be required if the CA is unable to confirm the organisation's details through a government database. A legal opinion letter may also be requested to confirm other details about the organisation as well as the corporate contact requesting the certificate. The process represents little burden for legitimate organisations but is a substantial obstacle for a fraudster.

CAs themselves must satisfy more rigorous criteria in order to be eligible to issue EV SSL Certificates. They must pass regular third-party WebTrust audits to confirm that they meet the requirements set out in the standards of the CA/Browser Forum, a consortium of CAs and browser suppliers. This eliminates the possibility of a feeble background check setting an impostor loose with EV.
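An added example, not part of the original article: the CA/Browser Forum standards mentioned above reserve a certificate-policy OID for each of the three validation levels, so a site operator can confirm which level a certificate was actually issued at and whether its subject fields agree. The code assumes the subject is shaped like the output of Python's `ssl` `getpeercert()` and that the policy OIDs were read separately (for instance from `openssl x509 -noout -text`); the sample subjects and function names are constructed for illustration.

```python
# Added example: CA/Browser Forum reserved policy OIDs mapped to validation level.
CABF_POLICY_LEVELS = {
    "2.23.140.1.2.1": "DV",  # domain validated
    "2.23.140.1.2.2": "OV",  # organisation validated
    "2.23.140.1.1": "EV",    # extended validation
}
ORDER = ["DV", "OV", "EV"]
# Identity attributes an EV subject carries in addition to the organisation name.
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def level_from_subject(subject):
    """Infer the level from a subject shaped like ssl getpeercert()['subject']."""
    fields = {name for rdn in subject for name, _ in rdn}
    if "organizationName" not in fields:
        return "DV"  # only the domain name was vouched for
    return "EV" if EV_SUBJECT_FIELDS <= fields else "OV"

def classify(subject, policy_oids):
    """Return (level, warnings); the policy OID decides, the subject must agree."""
    asserted = {CABF_POLICY_LEVELS[o] for o in policy_oids if o in CABF_POLICY_LEVELS}
    inferred = level_from_subject(subject)
    if not asserted:
        return inferred, ["no CA/Browser Forum policy OID; level inferred from subject"]
    level = min(asserted, key=ORDER.index)  # conflicting OIDs: trust the weakest
    warnings = []
    if len(asserted) > 1:
        warnings.append("conflicting policy OIDs: " + ", ".join(sorted(asserted)))
    if level != inferred:
        warnings.append(f"policy OID asserts {level} but subject fields look like {inferred}")
    return level, warnings

# Constructed sample subjects (not real certificates).
DV_SUBJECT = ((("commonName", "shop.example"),),)
OV_SUBJECT = ((("countryName", "GB"),), (("organizationName", "Example Retail Ltd"),),
              (("commonName", "shop.example"),))
EV_SUBJECT = OV_SUBJECT + ((("businessCategory", "Private Organization"),),
                           (("serialNumber", "00000000"),),
                           (("jurisdictionCountryName", "GB"),))

if __name__ == "__main__":
    for name, subj, oids in [("dv", DV_SUBJECT, ["2.23.140.1.2.1"]),
                             ("ev", EV_SUBJECT, ["2.23.140.1.1"]),
                             ("mismatch", OV_SUBJECT, ["2.23.140.1.1"])]:
        print(name, classify(subj, oids))
```

A warning on a certificate you operate is a prompt to check with the issuing CA which product was actually delivered.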

Extended Validation certificates work with high-security browsers to turn the address bar green, providing web site visitors with a highly visible security marker showing that it is safe to proceed.

Research Shows That EV SSL Certificates Are Effective

A January 2007 study from venerable usability firm Tec-Ed found that 93% of on-line shoppers preferred to conduct transactions on a site with a green address bar. 97% of on-line shoppers surveyed were prepared to share their credit card information with an EV-enabled site. Only 63% of shoppers were willing to transact with a site missing the green bar. 14% of shoppers felt that companies implementing the green bar on their sites care more about their customers.

Additionally, a growing number of on-line businesses have directly measured and quantified a transaction uplift as a result of having implemented EV SSL Certificates.

Online debt consolidation site DebtHelp.com determined that its on-line application completion rate went up by 11% among users who were able to see green address bars through IE 7. This translated into a transaction uplift rate that made DebtHelp.com's return on investment for EV SSL Certificates an impressive 16,200%.

Overstock.com, one of North America's largest online retailers, saw its on-line shopping cart abandonment rate decrease by 8.6% among IE 7 users.

Conclusion

On-line consumers have become savvier, more skeptical, and frankly, more scared. They expect businesses to protect them. SSL products and services from reputable CAs can go a long way in allaying their concerns while protecting on-line brands and reputations - especially for on-line retailers and any site that carries out high-value transactions over the Internet.

For maximum trust, choose an SSL certificate with EV functionality that is issued by a reputable CA. The presence of a visible trust seal is also beneficial in establishing trust with customers. When customers see the green address bar combined with a trust seal, they will have many reasons to have confidence in a retailer's site and initiate their transactions.

Reference:

[1] Synovate/GMI, 2008