Managing e-commerce security using SSL

If you’re planning on launching an online store and have done your research on e-commerce website security, chances are you’ve heard about SSL certificates. Secure Sockets Layer (SSL) is an encryption protocol that ensures that malicious third parties can’t intercept personal information from your customers. Having an SSL certificate on your site informs customers that your site is safe and secure.


Why SSL in e-commerce is so important

With high-profile hacks and security breaches being a frequent item in the news these days, consumers are much more guarded than ever about disclosing their financial information on a website they’ve never used before. They know the risk of fraud is great if an online store doesn’t seem to have all the necessary security precautions in place to safeguard their data.

They are right to be cautious because without the HTTPS protocol enabled on your site, customer information is highly susceptible to being intercepted in man-in-the-middle attacks. As a result, if there is even the slightest doubt in a customer’s mind about whether your online store is trustworthy, chances are they won’t risk making a purchase, losing you a valuable sale. That’s why implementing data encryption in your e-commerce security is a no-brainer, and that’s where SSL comes in.

SSL certificates play a substantial role in giving consumers peace of mind. Seeing that your site has been SSL certified, they can be certain that your brand is one they can trust. In fact, it’s become a standard to the point that it engenders trust from the first moment your site loads. Take a trip to any of your favorite retail sites, from Amazon to eBay, and you’ll find that all legitimate online stores have an SSL certificate.

While SSL is a critical first step when it comes to the security of your online store, there are numerous other steps that must also be taken to keep customer data safe. These steps include requiring that customers register with strong passwords that have a minimum number of characters and a combination of letters, numbers, and symbols; setting up an address verification system (AVS) and card verification value (CVV) checks to verify your customers’ cards; installing and maintaining a firewall configuration to protect user credit card data; and using up-to-date anti-virus software on your network.

While the first two steps can be easily implemented on a WordPress site by using a good login form plugin and adding a secure shopping cart plugin, for the latter two a security expert should be consulted, particularly if you aren’t well versed in IT security.

Combined with other key security features, installing SSL is the right move for any e-commerce website.

How SSL protects customer information

SSL protects sensitive customer information by scrambling data as it travels from a customer’s browser to your e-commerce site. It does this through the SSL handshake, encrypting customer information until it reaches your server, where it is then decrypted. During this process, the customer’s browser first examines the validity of the website’s SSL certificate.

When its validity is confirmed, a secure connection is established through the browser’s public key and the website’s private key. Both keys generate a session key, which encrypts all transmitted data during a session.


When customers give sensitive information to an e-commerce site that has SSL enabled, it cannot be intercepted by anyone. This protection not only keeps your customers’ banking information and contact details secure, but it also makes sure no one corrupts their information before it gets to you, the business owner.

SSL and PCI compliance

If you plan on taking credit card transactions on your site (which is more likely than not on an e-commerce website), the payment card industry (PCI) requires that your website has an SSL certificate, as per the rules set out in the PCI Data Security Standards (PCI DSS). An independent body known as the PCI Security Standards Council enforces these rules and requirements. It is made up of payment card companies like Visa and Mastercard.

According to the PCI DSS, enterprises that take credit card transactions must have a trusted SSL certificate, issued by a certified certificate authority and in the latest secure version, installed on their e-commerce site. It also states that credit card information cannot be taken on a page that does not have HyperText Transfer Protocol Secure (HTTPS) enabled, and that your site is ultimately responsible for the security of your customers’ credit card information.

As we mentioned earlier, without SSL customers’ information is susceptible to man-in-the-middle attacks. This hazard is why encrypting the transmission of cardholder data is a key component of PCI DSS’s 12 essential security standards for PCI compliance.

Since it is such an integral part of PCI compliance, it won’t be a surprise to learn that all major e-commerce platforms and retailers integrate SSL on their sites extensively. Visit any of your favorite retail sites and you’ll notice that they are all SSL-certified.

Let’s take Amazon as an example. When you visit the Amazon website you’ll notice the “https” prefix at the beginning of the web address, as well as the SSL padlock symbol. When you click on the padlock you can see Amazon’s SSL certificate, which features information such as what organization issued it, dates it is valid from, company information, and its public key.

How SSL gives consumers confidence

As we mentioned earlier, SSL informs customers that your site is trustworthy. If they decide to buy something from your site, they will be safe in the knowledge that their sensitive data won’t be subject to misuse from malicious third parties. Having SSL enabled assures you that you won’t lose business to your competitors due to security concerns.

SSL wins customer confidence through several visual indicators. These indicators are:

  • HTTPS: Every site with SSL will have the “https” prefix at the beginning of the web address.

  • Lock symbol: Every site with SSL features a padlock symbol somewhere in the address bar. When you click on this symbol, you’ll have access to the website’s SSL certificate.

  • Green Address bar: Some websites with SSL will have a partial or entirely green address bar and will also feature the name of the enterprise running the site.

  • Site seal: Some sites may also feature a seal from the authority that granted the SSL certificate.

  • No warning messages: If a site doesn’t have SSL enabled, most modern web browsers, including Google Chrome, will warn users that said site may not be secure and will not allow them to access it.

One or a combination of all these visible symbols of trust will immediately ease customers’ concerns about e-commerce security threats as soon as they load your website. If they see that you don’t have e-commerce encryption enabled through SSL, it’s likely they’ll bring their business to another online store that does.

The importance of SSL type and e-commerce websites

There are a variety of types of SSL certificates on the market, all of which have the same level of encryption, so you can be safe in the knowledge that your customers’ information is out of danger, no matter which you opt for. One thing that does differentiate SSL certificates is their level of validation.

Validation level refers to how extensive the background checks of the certificate authority (an organization that provides SSL certificates to individuals and businesses) are. There are three validation levels:

  • Domain validated certificates (DV SSL)

  • Organization validated certificates (OV SSL)

  • Extended validated certificates (EV SSL)

With DV SSL, a CA checks that an individual or business has ownership of the domain they are looking to protect. Checks are more extensive with OV, with CAs also vetting the individual or company itself. EV is the most extensive of the three validation levels, with CAs also looking into the legalities of the company, as well as its physical location and operational existence.

DV tends to be the quickest and cheapest of the three; however, it’s recommended that any site dealing with financial transactions should have at least an OV validation. Although the level of encryption is indeed the same for all three, DV SSL doesn’t confirm who you or your business is. The connection may be secure, but customers could be handing over sensitive information to just anyone. Having an OV SSL will add another layer of legitimacy to your online store, boosting customer confidence as they will be safe in the knowledge that you are who you say you are.
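
To check which validation level a store's installed certificate actually carries, and how long it remains valid, the script below reads the same fields the browser padlock shows. It is an added example, not code from the original article: it uses Python's standard ssl module, the sample certificates and the shop.example name are constructed, and the DV/OV/EV classification is a heuristic based on subject fields (the authoritative marker is the certificate policy OID, which getpeercert() does not expose).

```python
import socket
import ssl
import time

# Subject attributes an EV certificate carries in addition to the
# organization name, as named by Python's ssl module (heuristic marker).
EV_ATTRS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def fetch_cert(host, port=443, timeout=5.0):
    """Connect with chain and hostname verification; return getpeercert()."""
    ctx = ssl.create_default_context()  # raises SSLCertVerificationError on failure
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def subject_attrs(cert):
    """Flatten the nested subject RDN tuples into a plain dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def validation_level(cert):
    """Heuristic: classify by the identity fields the CA put in the subject."""
    attrs = subject_attrs(cert)
    if "organizationName" not in attrs:
        return "DV"  # only domain control was checked
    return "EV" if EV_ATTRS <= attrs.keys() else "OV"

def days_remaining(cert, now=None):
    """Whole days until notAfter; a negative value means expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

# Constructed sample certificates (not real sites), in getpeercert() format.
SAMPLE_DV = {"subject": ((("commonName", "shop.example"),),),
             "notAfter": "Jan  1 00:00:00 2030 GMT"}
SAMPLE_OV = {"subject": ((("countryName", "US"),),
                         (("organizationName", "Example Store LLC"),),
                         (("commonName", "shop.example"),)),
             "notAfter": "Jan  1 00:00:00 2030 GMT"}
SAMPLE_EV = {"subject": ((("jurisdictionCountryName", "US"),),
                         (("businessCategory", "Private Organization"),),
                         (("serialNumber", "0000000"),),
                         (("organizationName", "Example Store LLC"),),
                         (("commonName", "shop.example"),)),
             "notAfter": "Jan  1 00:00:00 2030 GMT"}

if __name__ == "__main__":
    for cert in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(validation_level(cert), days_remaining(cert))
```

For a live site, pass the result of fetch_cert("your-store-hostname") to the same two functions; the connection fails before any certificate is returned if the chain or hostname does not validate.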

For more information on the different types of SSL, read our article on the subject.


Conclusion

Installing an SSL certificate on your online store is essential for robust e-commerce security. It will ensure sensitive customer information is protected and uncorrupted, and will also contribute to your site’s PCI compliance. While having the SSL padlock on your site will boost customer trust as soon as they load your site, it’s also important to consider the kind of SSL certificate that is right for your site.

Investing in SSL is worth it, not just for customer peace of mind, but also your own. Preventing data breaches and the loss of sales will not only protect your brand’s reputation but will ultimately contribute to the prosperity of your business.

