April 6, 2009

Security Seals

A wide variety of studies have been conducted over the last few years into consumer trust when making purchases online. These studies generally have found that consumers simply don't trust online checkout systems to be secure. To attempt to remedy this situation, a crop of certification providers have come to the "rescue", offering different types of seals that can be displayed on a web site to vouch for that site's security and trustworthiness.

Companies offering these seals point to research that indicates that using these seals can increase consumer trust and as a result increase conversion. In browsing the web, it appears that the use of these seals is increasing dramatically. But are these seals anything more than a fad like the hit counters of the early nineties? Do they actually mean anything? Is a site with a seal more secure than one without?

Types of Seals


The first thing you need to be aware of is that there is a wide variety of types of seals, which are granted based on different criteria. Some providers may issue multiple seals, one for each set of criteria.

Company Reliability Seals


Means: The company exists and has an address.
Popular providers: Better Business Bureau
A company reliability seal generally confirms only that the business exists at a certain address. Some certificates also require that the business agree to dispute resolution or be incorporated in a certain state, while others only require that the business have valid contact information. These seals convey no security information at all.

Data Encryption Seals


Means: The web site uses SSL encryption.
Popular providers: Thawte, Verisign, GeoTrust, Network Solutions
A Data Encryption Seal is often provided when purchasing an SSL Certificate. These seals are intended to let visitors know that the site uses SSL to encrypt personally sensitive information. However, these certificates do not vouch for the security of the web site, that the SSL technology is properly implemented, or even that it is being used to protect the transfer of data.

Business Practices Seals


Means: The web site agrees to comply with certain best practices.
Popular providers: TRUSTe
TRUSTe is probably the best known provider of business practice seals. Their seals are intended to certify that the site adheres to certain policies regarding the use and protection of customer data. These seals may require some oversight; however, they generally do not guarantee that the certified site or business actually follows the best practices that it agrees to.

Vulnerability Scan Seals


Means: The web site is scanned for vulnerabilities regularly.
Popular providers: Control Scan, McAfee
These seals indicate that the site in question is scanned daily, weekly or quarterly for vulnerabilities. However, in general these scans only indicate that the certified site meets a minimum standard of security, and other sites on the same server may open the certified site to vulnerabilities. Although this is not a perfect type of certification, it is the best, and often most secure, of all the types. Sites with these seals generally take additional steps to protect the security of the information they store compared to other sites.

Conclusion


None of the certifications mentioned is an indication that a site is perfectly secure. And, as there is no overall governing body or set of standards which applies to the issuance of certificates, many different types of certificates have similar wording (for example, an SSL certificate from GeoTrust typically says "verified secure", which can be confused with a Vulnerability Scan seal from many other providers), and the standards to receive seals vary widely between providers.

Right now, security seals come down to an example of buyer beware. Although some seals do demonstrate that companies adhere to certain practices, or take extra steps to keep their sites secure, they do not guarantee that the site is 100% secure. There are even some sites (for example, Web Entrust and Trusted-Site) that provide seals for free and have minimal, if any, requirements.

From a business standpoint, seals are essential for the online business. Consumer Reports has indicated that up to 75% of online shoppers look for third party seals when visiting e-commerce web sites. Control Scan published statistics on their site indicating clients saw an average 14% increase in conversions when a seal was prominently displayed. Trust Guard takes that a step further, guaranteeing a 15% increase in conversions.

Customers are showing that they are inclined to trust, and prefer purchasing from, web sites which display these seals. However, I believe that these seals won't be as effective as they could be until there is some more standardization - a seal to certify the different certification seal providers perhaps?
