When it comes to protecting customers online, small businesses can’t act small. Customers expect them to use the same safety measures employed by larger businesses.
That’s why Terence Johnson didn’t wait for a customer at Scribendi, the Canadian editorial services company where he’s vice president of technology, to fall victim to a “phishing” expedition before upgrading his website security.
Last year, Johnson upgraded to a newer security protocol called extended validation secure socket layer, or EV SSL, an improvement to existing SSL that requires certification requests to go through a more rigorous identity check and authentication process before being approved.
EV SSL is one of a handful of measures security experts and industry analysts suggest companies of all sizes take to combat phishers, identity thieves, and others out to steal valuable personal information from unwitting Internet users.
Acting before you need to is one way to keep the bad guys at bay, according to a December 2007 report on e-commerce fraud from The Aberdeen Group, a Boston technology researcher. According to Carol Baroudi, the Aberdeen Group analyst who wrote the report, all types of businesses that sell something or conduct financial transactions online can also prevent fraud if they:
- Authenticate new customers while they’re creating an account
- Add layers of user authentication, geo-location and device authentication
- Establish and enforce security policies
- Use anti-fraud directories
- Continuously educate themselves and customers on new types of security threats and protections
Consortium created EV SSL to combat fraud
A consortium of more than two dozen Web browser and security technology companies formed the CA/Browser Forum to develop and introduce EV SSL in February 2007. Since then, approximately 4,000 websites have been certified to use the protocol, says Tim Callan, vice president of SSL product marketing at Verisign, a consortium member. Seventy-five percent of those websites are VeriSign customers, and of that number, 80 percent are small businesses, Callan says.
The thinking behind EV SSL: increasing the hoops parties need to jump through to be certified will weed out undesirables who create fake websites, and at the same time, make consumers feel safer when they visit legitimate online establishments, Callan says. To that end, when someone using Microsoft Internet Explorer 7.0 visits an EV SSL-certified Web site it turns the browser’s URL address bar green, much the way a green traffic light signals it’s OK to proceed. Upcoming releases of Firefox and Opera Web browsers are expected to work with EV SSL, according to industry reports. Appleisn’t part of the consortium and EV SSL doesn’t work with its Safari browser.
EV SSL isn’t cheap. VeriSign charges $995 per server per year, with volume discounts, and a second version with even stronger server cryptography costs $1,499 a year per server.
It’s not cheap, but it is worth it, says Johnson, the technology guru at Scribendi, in Chathan, Ontario, which has provided editing services to authors and other clients for 10 years and has a staff of 100. Customers appreciate businesses that go out of their way to provide them with security, Johnson says. And it pays off. In the four months after Scribendi started using EV SSL, the number of orders from Internet Explorer users who visited the website increased 27 percent from the four months immediately prior. “That’s an indication that people are learning to recognize” what it means, Johnson says.
As New York City apartment dwellers know to use more than one lock on their doors, Websites should use more than one security system, business owners, security experts and others say. In addition to EV SSL, Scribendi uses security tools from the company’s Internet service provider, encrypts transmissions of manuscripts and other documents that editors are working on and authenticates payments in real time, Johnson says. “When it comes to security, being a small business doesn’t count,” he says. “You have to use the best tools you can.”
SIDEBAR: Resources to Learn about EV SSL
Here are some resources small businesses can use to learn more about EV SSL and other measures for stopping e-commerce fraud:
EV SSL FAQ -- Everything you wanted to know about EV SSL, from the CA/B Forum, the volunteer consortium of 27 security companies and 4 Web browser makers that created the security protocol.
A primer on e-commerce security issues -- published by Ecommerce-Digest.Com, an online publication that covers the Internet security industry.
E-commerce white papers -- A collection of research papers and other documents explaining online fraud and security measures used to combat it, from ZDNet, the technology trade publisher.
The Anti-Phishing Working Group -- A five-year-old industry association with 3,000 member companies that documents phishing activity and shares best practices for stopping it.