Visible trust

by Mark Rowe

Given the important role of security in determining whether consumers feel confident enough to complete a transaction on a website, it is surprising that so many retailers pay little attention to the encryption service they use. The danger is that they may be losing customers, if the protection they are providing isn’t visible enough. Raj Sukkersudha, managing director of Q3 Internet Services, sets out some important considerations for retailers when choosing an SSL certificate and provider.

More than three-quarters (88 per cent) of online consumers will abandon their online shopping baskets before completing a transaction, according to a 2010 report from market analyst Forrester, with a lack of confidence about security being one of the reasons.
These concerns don’t just apply to making payments either. Many consumers are equally nervous about giving their personal information on a web site. This is something a lot of retailers overlook when considering an online security solution, especially if they have handed over the responsibility for payment processing to a third-party specialist like WorldPay.
Yet as soon as a retail website asks someone to register, or to enter their details for a delivery, it is expecting them to give out sensitive personal data – their name, address, phone number, email address, and maybe their date of birth or mother’s maiden name. All of which could be exploited to ill effect if it falls into the wrong hands.
As concern about identity theft rises, in line with reports of phishing and elaborate scams (such as site cloning, where one web site intercepts another and diverts users without them realising it), consumers are now more cautious than ever about who they deal with and how readily they share their personal data. Increasingly they are taking much more notice of what happens on the screen when asked to enter sensitive details.
Even where retailers have invested in encryption, in the form of an SSL certificate (which scrambles a consumer’s data during transit until it arrives at the correct web server), many retailers have not kept up with the latest technology developments. By blindly renewing their certificates, they risk being out of sync with the latest web browsers. If these do not recognise that a site has the latest encryption in place, they won’t display the appropriate symbol (a padlock, thumbs up sign, etc). It may even trigger a warning alert to the user, suggesting that the site may not be a trusted one. Even if this is not the case, the fact that a warning has popped up will be enough to deter some users from continuing their activity on the website.

With this in mind, retailers should weigh the following considerations when reviewing their web site security, and when choosing an SSL certificate and provider:

1. Not all SSL certificates are the same and the price is not always the best indication of what’s included. Some suppliers may offer a very basic product with higher pricing, misleading a retailer into thinking it is getting superior security. Similarly, beware of buying excessive warranties (to guard against consumer identity theft) as high-value cover doesn’t mean you are any more protected.
2. It is worth looking at ‘extended validation’ however. This means a certification authority has vetted a web site and its owner to a much deeper level, something which is reflected in the visibility of the certificate on the relevant web pages. In Microsoft’s Internet Explorer browser the address bar will turn green for example – highlighting to the user that any content entered will be highly secure.
3. Blindly renewing the same certificate poses more of a risk to web site owners than they realise. If the solution has not kept up with the latest browser releases, the certificate may not be recognised by the web browser or highlighted in the way consumers need it to be.
4. Don’t buy more certificates than you need to. If your business has multiple sites or sub-sites, it may be possible to encompass them all under a single SSL certificate rather than pay separately for six or seven different ones.
5. Don’t display the SSL certificate on every web page. This dilutes its impact. The encryption solution will stand out much more to the customer if it only appears on pages where they are being asked to give sensitive information. If the address bar changes colour or a padlock suddenly appears, there is a comfort factor for the user who can see that something has changed and that they are now in a secure environment.
6. The brand of the certificate is less important than opting for extended validation. After that the choice comes down to encryption level, price and service levels in the form of speed of certification and supplier support.
7. Encryption levels vary (from 40-256 bits to 128-256 bits which is the highest level available), but bear in mind that other factors will affect the level of encryption actually achieved – such as the hardware, software and browser version used by each given customer – so it may not be worth paying for a higher level of encryption if you have no control over these factors.
8. The speed of turnaround of certification will vary too, with some SSLs issued within minutes. With Extended Validation the difference can be as much as three weeks, with some certification houses taking just 7-8 days and others taking a month or more. Some of this is down to whether the company meets certain criteria, and how much additional vetting may be needed.
9. While it’s tempting to think sourcing an SSL certificate directly from a certification authority would be quicker and cheaper, this isn’t typically the case. More often the timescales are determined by the company’s individual circumstances, while pricing can be as much as 30 to 40 per cent cheaper if you buy through a reseller due to the discounts that channel partners will have negotiated.
10. Consider the level of service you want. A reseller is more likely to be able to offer a fuller, value-added service too, with personal, phone-based advice and support.
The most important thing is for retailers to be more aware of the role played by an SSL certificate and the broad range of activities it ought to cover – ie beyond financial transactions. After that, it’s a case of getting the right advice to ensure that the chosen certificate does what it needs to.
If your customers are aborting form-filling or transactions halfway through, ask yourself whether it could be a perceived lack of security that’s influenced them. If it is, rectifying the situation will be easy with the right advice.

© 2024 Professional Security Magazine. All rights reserved.