The Green Sheet Online Edition
September 24, 2007 • Issue 07:09:02
Raising the green bar: EV SSL
Editor's Note: Editor's note: AmbironTrustWave recently assumed the name Trustwave to more accurately reflect the evolution of the company and its reputation as a global provider of information security and compliance solutions.
A growing number of merchants, large and small, realize that e-commerce is here to stay and know it is time to join the Internet marketplace before it's too late.
As e-commerce payment technology becomes less expensive and easier to implement, more merchants will want to make their mark, along with some money, on the Web.
If it hasn't happened already, it's likely you'll begin hearing requests from a range of merchants for help with adding an e-commerce channel to their business.
To help you educate merchants, here is a quick primer on e-commerce and one specific technology that makes it possible: Secure Sockets Layer (SSL) certificates.
The distrust hurdle
A major barrier to e-commerce has been consumer's reluctance to send credit card numbers over the Internet.
To relieve consumer anxiety and ensure the security of e-commerce, stakeholders supported the adoption of the SSL protocol, developed by Netscape as the standard to protect e-commerce transactions.
SSL certificates encrypt communications between two points (i.e. a consumer's desktop and a merchant's Web server).
When an SSL certificate is presented, it displays a padlock icon in the corner of the browser window. For example, in Microsoft Corp.'s Internet Explorer browser, the padlock appears in the lower right corner.
Many consumers now recognize that icon and believe it guarantees a site's security and trustworthiness. And indeed, an e-commerce merchant who has an authentic, properly validated SSL certificate should be trusted.
Unfortunately, it's easy for a fraudster to acquire some level of SSL certificate for use on a phony or "spoofed" site to facilitate a phishing scam.
Phishing is the attempt to acquire credit card or other personal information through a fraudulent Web site that represents itself as a legitimate Web site.
When phishing succeeds, communications between consumers and the fraudulent sites are encrypted, but malicious individuals are receiving confidential information from consumers by misrepresenting themselves with SSL certificates.
It's the same as willingly handing over a wallet to a thief in a dark alley, despite being accompanied by a bodyguard.
Levels of validation
Therein lies the problem. An SSL certificate both facilitates encryption and gives its bearer credibility. It verifies for consumers that the e-commerce merchant is indeed who the merchant claims to be.
However, SSL certificates are issued in a number of ways. While each certificate allows the encryption of communications (e.g., transaction data) and provides visual signs such as the padlock icon and changing the prefix of a URL from "http" to "https," the credibility of the certificate holders' identities varies.
SSL certificates fall into four categories of validation (Certificate Authorities or CAs are organizations that issue SSL certificates):
· Self-validated SSL certificates: Parties issue the certificates to themselves.
· Class 2 domain-validated SSL certificates: CAs merely check an applicant's URL against WHOIS database information to verify that they own the domain. The WHOIS database is the domain registry for Web sites.
· Class 3 organizationally-validated SSL certificates: CAs go beyond a WHOIS check to establish the operational existence of an applicant. However, no standard exists, and validation processes can vary from CA to CA.
· Extended Validation (EV) SSL certificates: CAs validate an applicant's domain name registration, operational existence, legal existence and physical existence. In addition, EV SSL certificates go beyond the traditional padlock icon by shading a site visitor's browser bar green, providing greater visibility of a site's security and credibility.
Next generation SSL
Again, each type of the certificate encrypts communications. But the differentiator is the level of validation necessary to verify an organization's identity.
And the validation process for the EV SSL certificate is the only process that is based on an industry standard developed by CAs and Internet browser developers as a part of the CA/Browser forum (see www.cabforum.org for more information).
Because of the strict validation process involved in their issuance, proliferation of EV SSL certificates will help prevent phishing sites, which are the scourge of e-commerce merchants. An EV SSL certificate offers more indicators of an organization's legitimacy.
Thus far, it is impossible for a fraudster to spoof an EV SSL certificate. So, when consumers see sites that shade the address bar green within an Internet Explorer browser, they will know the site can be trusted.
As the use of EV SSL certificates spreads, it's likely consumers will learn to distrust Web sites that do not shade the browser bar green.
EV SSL and you
A great many merchants who previously dismissed e-commerce may now find a number of benefits from supplementing their brick-and-mortar sales through the e-commerce channel.
While e-commerce may not be appropriate for every merchant, for many retailers, its potential is enormous. For instance, merchants need not offer merchandise via the Web. They could sell prepaid cards online and give consumers the option to add money to (or "recharge") those cards.
For the merchant level sales person, the opportunity exists to sell e-commerce services, prepaid services and SSL certificates.
Many CAs, such as Trustwave, allow for the reselling of their SSL certificates. Reselling SSL certificates could add much-needed value to your portfolio of products and services.
By offering SSL certificates in addition to your other e-commerce solutions, you can offer merchants a comprehensive e-commerce package that gives them quick and efficient e-commerce functionality.
Michael Petitti is Chief Marketing Officer of Trustwave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.