What is Ecommerce Security?
I would split the topic into two categories (which overlap quite a lot):
- Customer Security – you want your customer to feel safe when they’re shopping on your website
- Store Security – You want to protect your business from theft and vandalism, and the bad PR that can happen as a result of these kinds of things happening to you
Both of these affect your revenue, your profits, and your overall financial success as an Ecommerce store.
How can I make my customers feel secure?
The first thing that most people think of is “SSL Certificates”, because they make the customer feel safe. Your customers have been taught and educated to look out for the padlock symbol that appears in the web browser when they’re buying online.
SSL is basically a way of encrypting and verifying data. Encrypted information can be sent between the customer’s web browser and your Ecommerce store and your SSL certificate verifies that the data hasn’t been viewed by anyone else or tampered with. Sometimes it verifies who the website owner is as well.
Are there different kinds of SSL certificates?
Yes, there are even SSL certificates that aren’t ever seen by a web browser, such as Code Signing certificates. It verifies that the software you download to use on your computer, was written by the original author and that it hasn’t been tampered with. But today, we’re going to concentrate on SSL certificates for websites.
Website SSL certificates are mostly the same these days. But there’s still a low end of the market and a top end of the market. The top end of the market is something called an EV SSL certificate, which stands for “Extended Validation”.
EV SSL certificates turn your web browsers address bar green and show who owns the certificate, plus where they’re from. So if you went to a bank website such as HSBC, the web browser’s address bar would turn green and next to the address, it will show “HSBC [UK}” on hsbc.co.uk. These SSL certificates can be quite expensive and can take weeks to verify. There’s a whole process that goes behind it, such as:
- Making sure that you are a real legitimate company
- Looking up your company details on local government registers
- Checking trade body registers
- Contacting someone else within the company, to verify that you’re allowed to have this SSL certificate
- Even phoning the main switchboard number on your website and asking to be put through to you, just to make sure that you do work for the company
It’s a very rigorous process and expensive because of this. I guess the exclusivity of it, alienated a lot of security experts, who tend to be more Open Source focused and prefer free/community-related projects. Smaller businesses as well, might not be able to afford these certificates. But you do see them used by most banks and many Ecommerce stores still. I think that the main problem they had, was the internet’s top websites never adopting them. So if you look at Google, Facebook or Amazon, when you go to their websites, you didn’t get the browser turning green. They didn’t adopt this as a security principle when all the major SSL certificate providers wanted them to. Unfortunately, because of this lack of adoption, many major browsers no longer turn the browser address bar green, to show that the website has been through Extended Validation. So there’s less of an appeal for these certificates, as they don’t get highlighted any more than a normal SSL certificate in the latest versions of Chrome, Firefox and Safari.
But I’d still say that these EVs have value. There are people using outdated browsers, which turn the address bar green and it could even be an SEO benefit that hasn’t been discussed much. Can you think of any greater trust factor that Google could use, than a website that has been verified by email, phone, paperwork and government records?!
What other types of SSL certificates are there?
There’s a huge range, going from free certificates (which are a relatively new thing) up to certificates that could cost thousands of dollars. But there’s only a small number of companies that are allowed to commercially issue these certificates.
Each certificate provider has a number of their own sub-brands, each with a different price point. Companies used to buy “Verisign” SSL certificates for thousands of dollars a year because users recognized and trusted the badge/trustmark on websites. Verisign has since been sold many times – it’s hardly recognizable anymore. They sold their SSL business to a very large security company called Symantec, back in 2010 for $1.28 billion. Their core business became managing all of the world’s .com and .net domain names. Symantec then moved the SSL business into their Norton antivirus brand, because they realized that more people knew the Norton name than they did Symantec. So again, it was about brand recognition for these badges that you can put on your website. Further down the line in 2017, quite recently, Symantec sold their SSL business onto another SSL company, called DigiCert. The new owner retained the right to use the Norton brand on their badges, so you still see those “Secured by Norton” badges on a lot of Ecommerce websites.
All of these major SSL certificates are essentially the same, no matter how much you pay for them. Which is quite surprising, when you know that a free SSL certificate is very much the same as the one which you’re paying thousands of dollars for.
Some premium SSL certificates offer huge warranties of up to $2 million, but these aren’t really worth anything to you. They’re essentially just a guarantee that SSL (as a technology) is safe. It doesn’t protect your business against fraud or give your customers a product/purchase warranty. It’s just a warranty over the fact that SSL works, as a proven technology concept – it’s basically the certificate providers only liability insurance. So when you’re shopping for an SSL certificate, don’t worry about the warranty. It’s not really going to benefit you or the customer in any way.
Buying a nice badge and knowing that the certificate is supported by 99.999% of browsers – those are the main things. If you’re choosing a premium SSL certificate rather than a free one, you want that badge to be as recognizable as possible. I would say that Norton is probably the most recognizable brand out there at the moment for this.
Can you get a free SSL certificate?
Yes, there are two main providers of free SSL certificates. Those are Let’s Encrypt, which is a very recent thing, and Cloudflare – a big security and DNS provider. When you get a free SSL certificate with a web hosting company, they’ll usually give you a Let’s Encrypt certificate, because they’re free.
There aren’t many other free providers, as it’s really hard to start an SSL certificate authority. Every web browser has to recognize you and trust/verify your signed certificates. You can’t just start up a certificate authority one day and hope that it works. Plus its not just new browsers that have to recognize you, old browsers do as well. So even the old versions of Internet Explorer that haven’t got auto-updates turned on. These all need to recognize your certificates as being valid. So whilst free SSL certificates have existed in the past, they have rarely been fully adopted by the browsers, so were only used for hobby or webdev projects.
Let’s Encrypt and Cloudflare are different. They’ve created what is called an “Intermediate Certificate” off of old “Root Certificates” that your browser already knows about. So whilst Let’s Encrypt and Cloudflare are new, the certificates that they create are based on old well-known certificates. So there’s not much difference between a Let’s Encrypt certificate and the premium ones. Also, Let’s Encrypt is founded by companies including Mozilla (creators of the Firefox browser) and Cisco. So they’ve got a lot of power, to put pressure on the browser vendors to continue support for their SSL certificates.
Why would anyone pay for an SSL certificate?
Let’s Encrypt can be a risky choice for your Ecommerce website. Their certificates expire every 90 days, so it requires you to have some clever software to automatically renew it before that 90-day window comes up. If you don’t renew it in time, your customers will see a huge security warning in their web browser, rather than your website.
So you have to make sure that the certificate does get renewed, and it’s quite a complicated process. Let’s Encrypt does have downtime sometimes as well, which causes renewal requests to fail. If you don’t keep trying, the certificate won’t get renewed.
A paid/premium SSL certificate can be registered for up to five years, but it’s recommended that you don’t buy them for more than two years (to make decryption harder and get the latest security protocols). It means that you don’t have to worry about the certificate expiring for years, which is quite a big plus for companies that rely on ecommerce for their revenue. Cloudflare SSL certificates are less likely to expire, because the whole process is managed by them internally. They create and automatically renew the certificates for you. I would say that Cloudflare SSL certificates are slightly less risky than Let’s Encrypt for that reason.
Cloudflare isn’t perfect either though. They often have anywhere between 50-100 other websites on the same SSL Certificate as you, to reduce maintenance and costs. You can actually view a list of all the websites that are secured on the same certificate as your site, by clicking on the padlock in your browser and clicking “View Certificate”. Unfortunately, sometimes you see porn websites or very undesirable websites listed besides yours in the certificate. Whilst search engines might not look at this as a trust factor now, potentially they could in the future, and you might be connected to a website that’s less than desirable. Cloudflare does offer something called a “Dedicated SSL” option for just $5 a month, where you get your own certificate. If you’re using Cloudflare, it’s definitely worth the cost.
Ultimately, you’re paying for the brand and trust of premium SSL providers. There are still consumers out there that fear buying from websites outside of the usual, Amazon and eBay. They want to see something that gives them a feeling of trust. These SSL security badges do give that – some are proven to increase conversion rates and reduce cart abandonment issues on your website. But some SSL trustmarks are worth a lot more than others. Very few people actually know who companies such as Comodo and DigiCert are. But a lot of people have heard of Norton security software. Some people have heard of GeoTrust and Thawte – it’s no coincidence that after Norton, GeoTrust and Thawte are the next most expensive certificates. So as I said before, ignore the warranty offered – it’s practically worthless, just think how recognized the SSL certificate brand would be to your customers. Even a 1% increase in conversion rate from having the trustmark, would more than pay for it. Even consider an EV (Extended Validation) certificate – there are plenty of people using outdated browsers that still show a green address bar.
There are many heated debates in the security community about these big bad profiteering certificate authorities. But as a business, your only concerns should really be:
- Does it make my customer feel safer?
- Does it make me more money?
I would say that getting a premium SSL certificate, even an EV SSL certificate, is definitely worth the money.
Are there any SEO benefits to having an SSL certificate on your website?
Yes, Google has used HTTPS (SSL certificates) as a small ranking factor since 2014. They have very publicly announced this as well, as they want to encourage all websites to use SSL. So if your entire website (not just the cart and checkout) is on HTTPS, they do account for that when ranking websites. It’s not going to take you from Page 5 to ranking Top 3 of Google though, just because you’re on HTTPS. It’s not a significant ranking factor but definitely an advantage.
Obviously you need to make sure that your SSL certificate is well recognised (by Google Chrome at least) and doesn’t expire. An SSL warning/error message will have the opposite effect – you might even get removed from Google until it’s fixed. Fair enough, because who wants to click on a search result and land on a scary security warning?!
Google doesn’t care whether you’re paying for Norton or using a free Let’s Encrypt SSL certificate at the moment. That’s not saying that it won’t be used as a trust factor in the future though.
Google also wants to see more sites adopting SSL, because it protects their oligopoly over valuable user data. It’s hard for governments and employers to snoop on you when using SSL, but also harder for your ISP. Many of the Internet Service Providers used to sell search and traffic data to advertising platforms, to give insights into what people want. SSL removes most of that data, so the only people that can see your browser history are you and Google. Google records what you search for, what you click and even what you buy, as most websites have Google Analytics installed.
What if you’re using a SaaS ecommerce platform and can’t choose your SSL certificate?
Yeah, it’s a good point. There are certainly upsides to using SaaS like Shopify because obviously they renew the certificates for you, which is a big responsibility. Sometimes outsourcing this task to your platform or web host is a good thing. It’s one less thing for you to worry about – accidentally deleting or snoozing a calendar reminder. Losing your SSL certificate could cost your website days or weeks of revenue. Most SaaS providers use Let’s Encrypt because it’s free. Most will allow you to upload a custom SSL certificate as well though, especially on the more enterprise-level plans. That would allow you to still use something like Norton or Thawte on your website.
There are also other trust marks that you could buy, if you can’t use an SSL certificate from someone such as Norton.
McAfee, another huge security/antivirus brand, offer something called McAfee Secure. It’s a trustmark and security scanning service, that certifies that your customers will be safe from malware, viruses and phishing attacks on your website. If your website is totally clean, they give you a seal of approval and it can have the same level of conversion rate improvement as Norton. There was an Econsultancy eye-tracking consumer survey back in 2011, which showed that McAfee actually had the most recognized trustmark of any of them. The McAfee trustmark had a 79% user recognition, even more than the former SSL megabrand, Verisign. I think that it costs about $500 a year, depending on your website’s size and traffic. There are also quite often discounts available on some of the startup websites. Plus the added bonus is that they give you a clean link from their Merchant Directory to your website.
If you accept PayPal, they also have a “Verified by PayPal” badge, that can increase conversion rates as well. Especially with people that prefer to use PayPal as a payment method, as you get some people that won’t enter their credit card details outside of the major websites. They prefer to use PayPal as a middleman. But there are downsides to PayPal of course, with higher transaction fees and sometimes higher chargeback rates.
In the US, the BBB (Better Business Bureau) offers a trustmark, that proves that you’re a legally compliant and trusted business. It’s recognized and trusted by about 37% of Americans – not huge, but it might be worth having a look at that and seeing if you can become BBB verified.
There’s a new European equivalent as well if you’re based in the EU. Trust Ecommerce Europe is free if you’re a member of a recognized trade association in Europe (there’s a list of the supported associations on their website). Unfortunately, the UK is already not allowed into this program.
If you’re based in the UK and can’t get into the European program, take a look at Trustmark.org.uk. It’s not very recognized in the UK, but maybe that will happen further down the line.
In Summary
Shop around when buying an SSL certificate. Don’t just buy it from the people that rank top in Google or from your web host. There are a lot of better offers out there. Some of the resellers of these certificates can offer you up to 50% discounts versus the certificate authorities themselves. One of the companies that offer a good discount is called theSSLstore.com. They’ve got some of the cheapest prices around, but again, remember to shop around because there might be some better offers out there as well.
When you do get your SSL certificate, if you get one from a recognized brand, make sure that you display the trustmark badge – at least on your basket and checkout pages. You don’t have to put it on every single page on your website, but definitely have it alongside the core information on your website and also on the very final payment page.
Consider getting a McAfee Secure badge and putting it in the same place next to your SSL badge as well.
If you’re in the US, join the BBB and get their verified badge. If you’re in the EU, go to Trust Ecommerce Europe and the Brits can go to trustmark.org.uk.
If you’re worried about your SSL certificate expiring or not being renewed properly, there’s an app called Little Warden to help put your mind at rest. It costs a few dollars a month and will monitor your SSL certificate – alerting you days/weeks before you need to renew it.
Please Note: The content above is a semi-automated transcription of the podcast episode. We recommend listening (and subscribing) to the podcast, in case any of the content above is unclear.