Increasingly, shoppers are hopping online to make their purchases, and this trend is only growing. According to eMarketer, ecommerce sales touched 1.5 trillion dollars in 2015, nearly 6.7% of the total retail sales worldwide. This means buyers are sharing their personal details and credit card information with ecommerce websites to make purchases.
Obviously, huge amounts of money mean ecommerce websites are prime targets for hackers who steal financial and other sensitive information.
To avoid this, webmasters use the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol to authenticate identity and encrypt data that passes through the website. Consumers of the digital age are not naïve; they can easily recognize whether a connection to a server is secure or not.
To verify, inspect the address bar in the internet browser: secure websites will have “https:” in their web address and a small padlock to signify a Secure Sockets Layer connection. Strong security measures will give consumers confidence and build trust in the product and brand.
SSL and SSL certificate explained
People wish to have total control over their data, but this hardly happens. Buyers can protect their systems with anti-malware and anti-virus software, and e-retail websites can secure their servers, but what about the pathway / tunnel that connects both systems, the vulnerable point? Who’ll man the area where both buyer and seller have no control? We have SSL to perform this function. It has grown in popularity because it offers security to the most vulnerable point of data transfer.
Developed by Netscape, Secure Sockets Layer, or SSL as it’s widely known, creates a safe pathway / information tunnel between the browser and ecommerce site using a process called the Handshake. The handshake process allows the user to send out confidential data without fear of being hacked.
Here is an easy breakdown of the complex SSL Handshake process:
- The handshake process begins when the customer’s internet browser tries to connect to the e-retailer’s server.
- When the browser makes the initial inquiry, the web server sends its SSL certificate and its public key.
- The browser then examines the validity and the source of the SSL certificate to determine the trustworthiness of the server certificate.
- Customers will see a warning message if the server SSL certificate fails the ‘trust’ test. Users can ignore the warning, but we request the user to take the alert seriously.
- If the browser finds it can trust the certificate, it decides to establish a connection and sends a message to that effect to the server. The browser encrypts this message using the server's public key, so it can be deciphered only with the private key held by the server.
- Next, an encrypted session key is made and sent by the server. The browser receives it and decrypts it using its private key.
- Now, a secure pathway is established and the handshake is complete. The confidential data the buyer sends via the connection is then encrypted and decrypted using the session key.
- Once the session expires, the key becomes redundant. To connect again, both browser and server must establish ‘Handshake’ once more.
These days the majority of ecommerce websites use SSL certificates. Some use them for a limited purpose – to encrypt data – and some use them to build their identity and trust among their users by displaying details that present them as a legitimate organization. Based on the validation level, 3 types of SSL certificates have emerged:
(1) Domain Validation
In Domain Validation, the certifying authority verifies whether the applicant holds administrative rights over the website. A simple validation process is followed – a DNS challenge is issued or an e-mail is sent to the admin email address. A certificate is created when the owner performs the intended task of configuring DNS or confirming the email received. This procedure normally takes no more than a few minutes or a few hours.
(2) Organizational Validation
In Organizational Validation, the verification process is taken one step further. Along with domain ownership, additional documentation on the identity of the organization is also examined. The OV certificate will display ‘https:’ and company information. In general, it takes a few hours to a few days to procure an Organization Validated certificate.
(3) Extended Validation
Extended Validation SSL certificates are given to those who can prove their exclusive right over the domain, the physical location of the entity, and the legal existence of the organization. It’s a lengthy process, so it may take days or even weeks to obtain an EV SSL certificate. An EV certificate can be identified by the presence of the company name in the address bar.
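The browser's validity and hostname checks from the handshake steps, and the three validation levels above, can be reproduced on the certificate fields that Python's standard `ssl` module returns from `getpeercert()`. This is an added example, not code from the original article: the sample certificates and hostnames are constructed, the chain of trust is assumed to have been verified by the TLS library already, and the DV/OV/EV classification is a heuristic based on subject fields.

```python
import ssl

def subject_fields(cert):
    # getpeercert() nests the subject as RDN tuples of (name, value) pairs
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def host_matches(pattern, host):
    # Exact match, or "*" standing in for exactly one left-most label
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def trust_problems(cert, host, now):
    """Reasons a browser-style check would reject this certificate."""
    problems = []
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("outside validity period")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(n, host) for n in names):
        problems.append("hostname mismatch")
    return problems

def validation_level(cert):
    """Heuristic: infer DV / OV / EV from identity fields in the subject."""
    s = subject_fields(cert)
    if "organizationName" not in s:
        return "DV"  # only the domain was validated
    return "EV" if s.keys() >= {"businessCategory", "serialNumber"} else "OV"

# Constructed sample certificates (not real sites), in getpeercert() layout
DV_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
}
EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),), (("serialNumber", "0000000"),),
                (("organizationName", "Example Retail Ltd"),), (("commonName", "pay.example"),)),
    "subjectAltName": (("DNS", "pay.example"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")  # fixed "current" time

if __name__ == "__main__":
    for cert, host in ((DV_CERT, "www.shop.example"), (EV_CERT, "pay.example")):
        print(host, validation_level(cert), trust_problems(cert, host, NOW))
```

The constructed DV certificate expired before the fixed clock time, so it is reported as outside its validity period even though the wildcard name matches; this is the situation in which a browser shows the warning described in the handshake steps.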
How to choose SSL certificate vendor
There are loads of places where you can purchase SSL certificates on the internet, some for fantastically low prices. You can buy them from managed hosting providers like www.EuroVPS.com, or you can buy them from standalone vendors. But you have to ensure that they are credible. Checking this is really not that different from checking the reputability of any other online eCommerce website. Do a bit of research and always read reviews.
Unlike most brick and mortar stores, an ecommerce website is open for business around the clock. The web server can develop a technical snag at any time. So, choose a vendor who offers 24/7 customer support.
Be wary of offers where SSL is to be had as part of a multitude of other services or products, either free of cost or for a little extra money. Such providers may not be well qualified to offer the high standards of security that you need. Always prefer vendors specializing in server security and SSL certificates.
An SSL certificate provides a visible indicator that you take security seriously, and that customer privacy is of top priority for the organization.