What IS SSL Authentication, Why Every Shopping Site Should Have One (Or Two, or Three…)
For online retailers whose brands may not be as far reaching as the nationals, creating immediate trust is often the difference between clicking on a product or the back button. And while trust building should occur throughout the site, it's most critical when the user approaches the actual purchase. To avoid shopping cart abandonment, using an SSL based URL address can bring more confidence to a skittish buyer…and some protection for the retailer against frivolous credit card chargeback claims. So, exactly what is SSL?
What is SSL's main advantage to a retailer? The confidence that it instills in consumers who are dealing with just about any type of financial transaction.
SSL stands for secure sockets layer (more on what that is later) and was invented by Netscape, one of the early browser companies, to provide more security for website visitors. It works on the principle of encryption, a way to "scramble" (turning the actual text, numbers and other information into what appears to be a jumble of symbols, numbers and letters) the actual traffic between a user's browser and a server. Once a user accesses an SSL-secured page, the traffic back and forth is encrypted so that even if it is intercepted, it will be essentially useless to the data thief. SSL's strength is that it works at a very high level in encrypting what is known as the "packet scheme", essentially the structure of how information is digitally transmitted, so all of the information in a session is protected. SSL is used to protect the critical information behind virtually every type of internet transaction, including:
- Credit card numbers
- Social Security numbers
- Bank Account Numbers (for eChecks and direct withdrawals)
- PIN numbers
- Account information (such as name, address, phone number, challenge questions, etc.), which is required to be secure when associated with credit card or other information
The process is made possible by providing what is known as a "key" to the user from the server. In this way, only the user's computer and the server have the means to decode or reinterpret the data correctly. There are levels of encryption, which essentially provide more data scrambling, but also take more time (and computing power) to decode, thus slowing the page downloads to the browser. As an online shopping site owner, one of the first steps in bringing SSL to your website is to actually apply for what is known as an SSL certificate. What is SSL's source for certificates? Usually a certification authority whose job it is to authenticate certificate holders and also to protect the encryption keys set up by them to encode and decode the information that is passed between user and merchant. There are a variety of types and levels of these as well, with accompanying costs that can range from $30 to $1,500 per year or more. Some of the issues that go into the pricing of these SSL certificates include:
- How much validation they do of the online merchant (basically the domain owner)
- Whether you can add SSL functionality to additional servers without extra fees
- If they offer a site "trust" symbol (for either/both the merchant and any third party shopping carts) and if that seal provides an active reference to the merchant's account or not
- Offering of Wildcard or multi domain SSL's which allow the SSL to be applied to subdomains, different top level domains and domain prefix alternatives (i.e. WWW versus no WWW)
- Encryption Key Size, which refers to the level of encoding, with 256-bit being the highest current offering
- Customer Support Levels (i.e. live email or chat, or call-in)
- Warranty against a financial loss suffered from an attack
With SSL, What Is The "Trust Factor" For Your Customers?
Customers are doing more online and are also becoming more aware of the need for online security. A recent survey of nearly 5,000 adults in 22 countries revealed that nearly 92% had made an online bank transaction and 80% had made an online purchase within the last month. The same survey revealed an increase in consumer awareness of issues like viruses, email scams (phishing) and spyware. Largely because of these higher online transaction levels, consumers are becoming more aware of the security notations that SSL brings, including the familiar "lock" at the beginning of the secure URL in their browser, trust symbols, like Comodo, displayed on a page and the familiar addition of "s" to the beginning of a website address or URL, as in HTTPS. Web buyers are also increasingly becoming more aware of SSL specifically, in part due to the efforts of SSL vendors to publicize their benefits.
Advantages And Disadvantages Of SSL
What is SSL's bottom line value to a merchant? It depends on your perspective, but here are the pros and cons of applying SSL to a site:
Advantages:
- Proof of identity of your server to potential customers because of the third party vetting or validation that is performed
- Privacy of information transfer between your users and your own secured portion of your website
- Uniformity of user experience by having the user stay on either your domain or subdomain for the entire transaction through use of multidomain or wildcard type of SSL's (see above)
- Protection against potential financial loss and liability for the site owner either through the warranty offered by the SSL certificate authority (provider) and/or by showing that reasonable steps were made to protect the site (see PCI DSS for what bank card providers are requiring online merchants to do for site security)
- Potential increases in conversions for those customers who recognize the trust symbols offered by the SSL provider
- Protection of critical partner data for affiliates, suppliers and others who may interact with your site outside of customers
- Easier setup of and higher success rates with some types of customer tracking since SSL's allow a domain name to be consistent (i.e. use of Google Analytics and other website monitoring can be simpler with SSL)
Disadvantages:
- Cost, particularly for higher levels of protection and services
- Complexity to administer for those who are attaching SSL to their own servers
- The fact that while SSL can make attacks much more difficult to carry out, there still can be security compromises
What IS SSL From A Do It Yourself Perspective?
A key issue is whether you wish to host your own SSL server. For those who maintain their own data servers, the SSL installation process can be quite complex. There are certainly cost and control advantages to doing this, but there are quite a number of steps that have to be performed including:
1. Installation and validation of encryption software on the server
2. SSL Certificate generation (must be signed by a trusted certificate provider or it will generate warnings)
3. SSL Certificate import
4. Enabling SSL support on the server
5. Change ports to monitor SSL connection
6. Configure SSL host(s)
The site will also have to be monitored and maintained, including the renewal of your certificate. All of this can be eliminated by using a hosted shopping cart, like UltraCart, that provides SSL services.
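The wildcard and multi-domain coverage listed under pricing and the renewal monitoring mentioned above can both be checked with a short script. This is an added example, not code from the original article or from any certificate provider; the domain names, the sample certificate and the 30-day renewal window are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# shop.example and shop-example.net are placeholder domains.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example"),
                       ("DNS", "shop-example.net")),
    "notAfter": "Mar 15 12:00:00 2031 GMT",
}

def name_matches(pattern, host):
    """Match one certificate DNS name against a hostname.

    A wildcard counts only as the whole left-most label and stands for exactly
    one label: *.shop.example covers www.shop.example, but not shop.example
    and not a.b.shop.example.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # never accept something like *.com
    return p == h

def uncovered_hosts(cert, hosts):
    """Return the hostnames that no DNS entry in the certificate covers."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [host for host in hosts if not any(name_matches(n, host) for n in names)]

def days_until_expiry(cert, now):
    """Whole days between `now` (timezone-aware) and the certificate's notAfter."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    return (expires - now).days

def audit(cert, hosts, now, renew_within_days=30):
    """Combine both checks; the 30-day renewal window is an assumed policy."""
    days = days_until_expiry(cert, now)
    return {"uncovered": uncovered_hosts(cert, hosts), "days_left": days,
            "renew_now": days <= renew_within_days}

if __name__ == "__main__":
    storefront = ["shop.example", "www.shop.example", "checkout.shop.example",
                  "secure.checkout.shop.example", "www.shop-example.net"]
    print(audit(SAMPLE_CERT, storefront, datetime.now(timezone.utc)))
```

Against a live server, the same dict comes from `getpeercert()` on a socket wrapped with a context from `ssl.create_default_context()`.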