Securing your online retail site

By Jeff Barto, Product Marketing Manager at Thawte, Inc.

“Online consumers have become savvier, more sceptical, and frankly, more scared. They expect businesses to protect them”
-Jeff Barto

As the Internet has become more integral to everyone's daily lives, people have grown numb to the processes designed to validate certain aspects of their backgrounds. A similar phenomenon has occurred with retail websites, where processes for online businesses have changed a great deal in recent years. Often lost in the administration of online web stores is the need to provide sufficient security to protect customers and brands from attack. An adequate level of information security is required to keep pace with the increasingly sensitive information exchanged over the web and the threats that constantly morph to exploit the various vulnerabilities, inherent to transacting business on-line. Strong identity authentication technologies, such as SSL, have been developed and refined over time to combat these security threats facing both online retailers and their customers.

A SSL (Secure Sockets Layer) certificate is an electronic file that uniquely identifies individuals and web sites and enables encrypted communications. SSL certificates serve as a kind of digital passport or credential. Typically the 'signer' of an SSL certificate is a Certificate Authority (CA). One of the key purposes of SSL certificates is to help assure consumers that they are actually doing business with the web site they believe they are accessing. To validate a web site's legitimacy, CAs perform different types of investigations (similar to background checks done on individuals) before issuing a certificate. Specific authentication processes vary from CA to CA - a key reason for choosing a widely known, respected and trusted CA. As proof, 86 percent of online shoppers feel more confident about entering personal information on sites using security indicators, such as a trust mark. With this in mind, some CAs supply a site seal to display along with their SSL certificates. The seal provides businesses with a visual cue to help communicate their trusted status to customers visiting their Web site.

Within the universe of SSL certificates, there are three levels of security available for the on-line retailer to choose from (in increasing order to thoroughness):

Domain authentication: CAs conduct a process to verify that an entity requesting a domain authenticated certificate either owns the domain requested or has the right to use that domain name.

Organization Authentication: CAs begin by verifying the organisation's existence through a government-issued business credential, normally by searching government and private databases. If necessary they may request such items as articles of incorporation, business licenses and fictitious names statements. Before issuing an SSL certificate, CAs verify a company's identity and confirm it as a legal entity, confirm that it has the right to use the domain name included in the certificate, and verify that the individual who requested the SSL certificate on behalf of the company was authorised to do so.

Extended Validation (EV) Authentication: EV has the highest level of authentication available with a SSL certificate. EV authentication adds structure and controls to the organisation authentication process. It begins with an in-depth validation of an entity's authenticity starting with a signed acknowledgement of agreement from the corporate contact. A company registration document may also be required if the CA is unable to confirm the organisation's details through a government database. A legal opinion letter may also be requested to confirm other details about the organisation as well as the corporate contact requesting the certificate. The process represents little burden for legitimate organisations but is a substantial obstacle for a fraudster.

Identity authentication technologies, like SSL, can help website visitors feel more comfortable about completing on-line transactions - especially for on-line retailers and any site that carries out high-value transactions over the Internet. If an organisation wants to assure its site visitors that they are sharing information with the genuine site for that organisation, choosing an SSL certificate is a low cost way of achieving this objective. Online consumers have become savvier, more sceptical, and frankly, more scared. They expect businesses to protect them. SSL products and services from reputable CAs, like Thawte, can go a long way in allaying their concerns while protecting on-line brands and reputations.