How to Choose the Best SSL/TLS Certificate for Your Online Presence


Buying an Organization-Validated (OV) or Extended Validation (EV) SSL/TLS Certificate will enhance your website’s reputation, give customers the assurance they need to complete secure transactions with confidence, decrease cart abandonment rates, and build long-term customer loyalty.

More people are spending money online than ever before, and online accounts are a major customer touchpoint, so as your business grows you might be considering an e-commerce storefront.  However, some potential customers may be concerned about the security of their credit card data.  As a result, they are likely to abandon their purchases—it’s estimated that over 50% of consumers regularly abandon their shopping carts, and that is lost revenue.

Establishing trust is mission critical.  Consumers need to trust you in order to transact business confidently with you.  An SSL/TLS certificate provides the most basic level of trust—the padlock icon in the address bar of your customer’s browser.  Hence, SSL/TLS certificates are a critical building block for secure electronic commerce.  Because of the security they provide, the Payment Card Industry Data Security Standard (PCI-DSS) also requires you to have an SSL/TLS certificate for online checkout (or whenever you’re transmitting cardholder data).  SSL/TLS certificates are sold by Certification Authorities (CAs), which verify that the party requesting the certificate controls the domain and the corresponding cryptographic key.

Not all SSL/TLS certificates are the same.  Different kinds of certificates display different information.  Some only show the domain name while others show more information about the company.

The most basic type of SSL/TLS certificate is the Domain-Validated (DV) certificate.  While a DV certificate allows encryption to take place between the browser and the server, it does not contain any identification information other than the domain name.  These certificates are considered lower assurance because they don’t verify the identity of the domain owner.  The only check is control of the domain (for example, the owner information in WHOIS), which can be anonymous.  Because DV certificates do not contain any identification information, you cannot be sure it’s really the merchant you think it is.  Companies using weakly validated certificates risk losing the trust of customers who rely on SSL/TLS certificates to reassure them about the company behind the website.  Without such reassurance, customers will go elsewhere to conduct their business.

There are two other types of SSL/TLS certificates—Organization-Validated (OV) and Extended Validation (EV).  For both types, CAs are required to exercise diligence to ensure that the information in the OV/EV certificate is accurate.  (OV certificates are generally less expensive than EV certificates because fewer requirements accompany their issuance.)  In these types of certificates, attributes such as business name, location, address, and incorporation or registration information have been checked by the CA.  The same is not true for DV certificates.  OV/EV certificates involve a two-step validation process—first, verification that the applicant owns, or has the legal right to use, the domain name, and second, verification that the applicant is an accountable, validly existing entity.  DV certificates skip the second, business-identity-validation step.

Because they involve an extra step, OV/EV Certificates not only create an encrypted connection between a customer’s browser and your server, but also verify that a CA has authenticated your organization’s identity.  With OV/EV, company information is presented in the certificate details.  OV/EV certificates enhance the security of electronic commerce and fight against phishing scams, providing much broader protection than is available with a DV Certificate.

Consumers browsing unfamiliar retail sites can use the information in OV/EV certificates to obtain more assurance about the legitimacy of the site.  If it’s an OV/EV certificate, more details about the merchant will be in the certificate because the CA has validated those items.  For example, because EV certificates undergo a more rigorous validation process, they display special browser cues in addition to the padlock and the https:// at the beginning of the website’s address.  With an EV certificate installed on your website, browsers show the color green and the company name in the address bar.  This special display means that the CA has validated the existence of the business and its right to use the domain name, and that the EV SSL certificate was appropriately obtained.  Because of the additional visual cues that EV certificates provide, users are more comfortable that they are on an authentic website.  The color green in the address bar assures visitors that they are visiting a safe and secure domain.  EV is also a good choice for a business of any size.  An EV certificate protects your brand against phishing scams and shows wary consumers that you are legitimate and serious about protecting their data.  And, if your website’s identity authentication can be prominently displayed while a competitor’s site cannot, you will have a competitive advantage by appearing to be more trusted.  This competitive advantage translates into fewer cart abandonments, more conversions, improved lifetime customer value, and more revenue.

The snapshot below shows an example of the extended details of the organization in an EV certificate, further enhancing the legitimacy of the business in the eyes of the consumer.  (Also, most CAs provide a trust seal, which may be displayed on websites, thus providing visitors to the website additional indication that the website has been authenticated.)
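As an added illustration (not code from the original article), the Python below classifies a certificate subject as DV, OV or EV according to the identity attributes described above. It assumes the subject is in the shape returned by Python's `ssl` `getpeercert()`, the sample subjects and merchant name are constructed, and the CA/Browser Forum policy OIDs are used only as a second signal when the caller has extracted them from the certificate's certificatePolicies extension.

```python
# Added example: classify an X.509 subject as DV, OV or EV by the identity
# fields it carries. Input shape follows the "subject" entry of Python's
# ssl.SSLSocket.getpeercert(): a tuple of RDNs, each a tuple of
# (attribute, value) pairs. Sample subjects below are constructed.

# Identity fields the article says OV certificates carry (name, location, address).
OV_FIELDS = {"organizationName", "localityName", "stateOrProvinceName", "countryName"}
# Further fields required by the CA/Browser Forum EV Guidelines: registration
# number, business category and jurisdiction of incorporation.
EV_FIELDS = {"serialNumber", "businessCategory", "jurisdictionCountryName"}

# CA/Browser Forum reserved certificate policy OIDs, used when the caller supplies
# them from the certificatePolicies extension (getpeercert() does not expose it).
CABF_POLICY = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.1": "EV"}


def subject_fields(subject):
    """Flatten a getpeercert()-style subject into an attribute -> value dict."""
    return {attr: value for rdn in subject for attr, value in rdn}


def classify_subject(subject, policy_oids=()):
    """Return 'DV', 'OV' or 'EV'. A known policy OID wins over the field heuristic."""
    for oid in policy_oids:
        if oid in CABF_POLICY:
            return CABF_POLICY[oid]
    fields = subject_fields(subject)
    if "organizationName" not in fields:
        return "DV"  # nothing but the domain name is asserted
    if EV_FIELDS.issubset(fields):
        return "EV"
    return "OV"


def missing_ov_fields(subject):
    """OV identity fields a certificate lacks (useful when vetting a merchant)."""
    return sorted(OV_FIELDS - set(subject_fields(subject)))


# Constructed sample subjects for a hypothetical merchant.
DV_SUBJECT = ((("commonName", "shop.example.com"),),)
OV_SUBJECT = ((("countryName", "US"),), (("stateOrProvinceName", "Utah"),),
              (("localityName", "Lehi"),), (("organizationName", "Example Shop Ltd"),),
              (("commonName", "shop.example.com"),))
EV_SUBJECT = OV_SUBJECT + ((("serialNumber", "1234567-0142"),),
                           (("businessCategory", "Private Organization"),),
                           (("jurisdictionCountryName", "US"),))

if __name__ == "__main__":
    for label, subj in (("DV", DV_SUBJECT), ("OV", OV_SUBJECT), ("EV", EV_SUBJECT)):
        print(label, "->", classify_subject(subj), "missing:", missing_ov_fields(subj))
```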


Finally, just as important as the type of certificate you buy is the CA you choose.  Who should you buy from when you want trust, security, service, quality and reliability?  Your CA should check your certificate to ensure that its private key has not been compromised, that it meets the minimum key size, and that it uses the proper algorithms and has the other required characteristics.  Members of the CA Security Council (CASC) follow industry best practices.  These CAs operate pursuant to the security policies and conformance requirements of browser and operating system vendors, including the CA/Browser Forum Baseline Requirements and the Forum’s Extended Validation (EV) Guidelines.  Current CASC Members are DigiCert, Symantec, GoDaddy, Entrust, GlobalSign, Comodo and Trustwave.  These are the leading global Certification Authorities committed to the adoption and promotion of best practices to advance trusted SSL/TLS deployment and CA operations, as well as the security of the internet in general.

In conclusion, an OV/EV certificate issued by one of the CASC Members above will enhance your website’s reputation, give customers the assurance they need to complete secure transactions with confidence, decrease cart abandonment rates, and build long-term customer loyalty.


Ben Wilson is Vice President of Industry Relations and Compliance at DigiCert, a globally recognized Certification Authority.  For over 20 years he has advised clients on information security, identity and authentication, privacy, public key infrastructures, and e-signatures.  He is a past chair of both the ABA’s Information Security Committee and the Utah State Bar’s Cyberlaw Section and previously served as rapporteur of the ABA’s Public Key Infrastructure Assessment Guidelines.  Currently he also serves in leadership positions of the CA Security Council, CA/Browser Forum, ABA, Online Trust Alliance, and Identity Ecosystem Steering Group.
