Trust seal

A Trust seal is a seal granted by an entity to website or businesses for display. Often times the purpose is demonstrate to customers that this business is concerned with security and their business identity. The requirements for the displaying merchant vary, but typically involve a dedication to good security practices or the use of secure methods for transactions or most importantly verified existence of the company. Trust seals can come in a variety of forms, including data security seals, business verified seals and privacy seals and are available from a variety of companies, for a small fee. A Trust seal can be either active or passive. Most seals are validated when they are created and remain so for a specific duration of time, post expiry of which the business/process has to be re-validated.

Contents

Purpose

Trust seals provide assurance that an e-commerce website's identity has been verified by a third-party and that the website has been scanned for vulnerabilities. This results in a higher number of customers and more sales per customer, due to increased customer assurance.[1]

Kinds of Trust Seals

Privacy Seal

A privacy seal outfits a company with an accurate privacy statement suited to its business practices. It also helps the company identify potential privacy threats that would otherwise go unnoticed. An example of this service is the TRUSTe Certified Privacy seal.

Business Identity Seal

A business identity seal, also known as, Verified Existence Seal is one which verifies the legal, physical and actual existence of the business by verifying multiple parameters such as statutory details, contact details, management details, etc. Verified existence Trust seals add weight to the profiles of the deployers and boost confidence of prospective clients. A major benefit of a Verified Trust seal is it represents due diligence certificate for the business. An example is the BBB Online Seal

Security Seals

Security Trust Seals are the most popular type of trust seal verification. There are two different types; Server Verification and Site Verification. Server Verification services perform daily scans on the hosting server. These scans check to make sure patches have been applied or that the server is otherwise not vulnerable to attacks. Website Verification services ensure that customers are protected under normal circumstances by testing for common vulnerabilities such as XSS and SQL Injection. There are many examples of this service.

Criticisms

Third party verification from a reliable source and a strategically placed trust seal may assure customers about the safety and security.[2] Some trust seals, such as McAfee Hacker Safe, however, have been criticized as not doing enough to protect the security of visitors to a site[3] such as because they intentionally mark as 'Hacker Safe' websites known to McAfee to have an XSS vulnerability .[4] This is possible because most seals are a simple image that a hacker can simply copy and post onto their own site. Such lapses highlight the importance of anti-XSS protection security measures. Trust seals can give a false sense of security as they are awarded at a certain point of time, unless the website is scanned on a daily basis and the scan date is displayed. When a site is not scanned daily, a change in technology and loopholes are not updated along with the trusted seal, so it does't represent flaws in the updated technology. The iconographical value is too high to mislead customers unaware about these changes.[5]. The FTC has fined fraudulent seal companies that provide no real security benefit.[6]

References

  1. ^ Serge Bronstein (2008-03-16). "Merchant Fraud". ScanVerify.com. https://scanverify.com/information/merchantfraud.php. Retrieved 2011-06-19. 
  2. ^ Hu, Xiaorui; Lin, Zhangxi; Zhang, Han (2001-12-21) (PDF). Myth or Reality: Effect of Trust-Promoting Seals in Electronic Markets. http://zlin.ba.ttu.edu/papers/published/WITS01-trust.pdf. Retrieved 2008-06-16. 
  3. ^ Dan Goodin (2008-04-29). "McAfee 'Hacker Safe' cert sheds more cred". The Register. http://www.theregister.co.uk/2008/04/29/mcafee_hacker_safe_sites_vulnerable/. Retrieved 2008-06-13. 
  4. ^ Ryan Naraine and Dancho Danchev (2008-05-01). "More bad news for McAfee, HackerSafe certification". ZD Net. http://blogs.zdnet.com/security/?p=1068. Retrieved 2009-07-26. 
  5. ^ "On trust in the Internet: Belief cues from domain suffixs and seals" by Atticus Y. Evil, Eric F. Shaver, and Michael S. Wogalter, Department of Psychology , North Carolina State University
  6. ^ Evan Schuman (2010-03-05). "FTC: Web Site Security Seals Are Lies". CBS News. http://www.cbsnews.com/stories/2010/03/05/opinion/main6270104.shtml. Retrieved 2001-12-31.