Trust seal

A trust seal is a seal granted by an entity to website or businesses for display. Often the purpose is demonstrate to customers that this business is concerned with security and their business identity. The requirements for the displaying merchant vary, but typically involve a dedication to good security practices or the use of secure methods for transactions or most importantly verified existence of the company. Trust seals can come in a variety of forms, including data security seals, business verified seals and privacy seals and are available from a variety of companies, for a fee. A Trust seal can be either active or passive. Most seals are validated when they are created and remain so for a specific duration of time, post expiry of which the business/process has to be re-validated.

Generic example of a trust seal

Kinds of Trust Seals

Privacy Seal

A privacy seal outfits a company with an privacy statement suited to its business practices. It also helps the company identify potential privacy threats that would otherwise go unnoticed.

Business Identity Seal

A business identity seal, also known as a Verified Existence Seal, is one which verifies the legal, physical and actual existence of the business by verifying multiple parameters such as statutory details, contact details, management details, etc. Verified existence Trust seals add weight to the profiles of the deployers and boost confidence of prospective clients. A major benefit of a verified Trust seal is it represents due diligence certificate for the business.

Security Seals

Security Trust Seals are the most popular type of trust seal verification. There are two different types; Server Verification and Site Verification. Server Verification services perform daily scans on the hosting server. These scans check to make sure patches have been applied or that the server is otherwise not vulnerable to attacks. Website Verification services ensure that customers are protected under normal circumstances by testing for common vulnerabilities such as XSS and SQL Injection.

Criticisms

Third party verification from a reliable source and a strategically placed trust seal may assure customers about the safety and security.[1] Some trust seals, such as McAfee Hacker Safe, however, have been criticized as not doing enough to protect the security of visitors to a site[2] such as because they intentionally mark as 'Hacker Safe' websites known to McAfee to have an XSS vulnerability .[3] This is possible because most seals are a simple image that a hacker can simply copy and paste onto their own site. Such lapses highlight the importance of anti-XSS protection security measures. Trust seals can give a false sense of security as they are awarded at a certain point of time, unless the website is scanned on a daily basis and the scan date is displayed. When a site is not scanned daily, a change in technology and loopholes are not updated along with the trusted seal, so it doesn't represent flaws in the updated technology. The iconographical value is too high to mislead customers unaware about these changes.[4] The FTC has fined fraudulent seal companies that provide no real security benefit.[5]

Examples

As of 2005, in the US market the BBB On-Line, TrustE, VeriSign and WebTrust were generally recognized as significant players.[6] Also notable are: GeoTrust, DigiCert, Norton and MerchantCircle.

Each of the above offers a "For Fee" annual subscription service, allowing the Trust Seal to be placed on a subscriber's website for the subscription period.

References

  1. Hu, Xiaorui; Lin, Zhangxi; Zhang, Han (2001-12-21). "Myth or Reality: Effect of Trust-Promoting Seals in Electronic Markets" (PDF). Retrieved 2008-06-16.
  2. Dan Goodin (2008-04-29). "McAfee 'Hacker Safe' cert sheds more cred". The Register. Retrieved 2008-06-13.
  3. Ryan Naraine and Dancho Danchev (2008-05-01). "More bad news for McAfee, HackerSafe certification". ZD Net. Retrieved 2009-07-26.
  4. "On trust in the Internet: Belief cues from domain suffixs and seals" by Atticus Y. Evil, Eric F. Shaver, and Michael S. Wogalter, Department of Psychology , North Carolina State University
  5. Evan Schuman (2010-03-05). "FTC: Web Site Security Seals Are Lies". CBS News. Retrieved 2001-12-31.
  6. Jagdish Pathak (2005). Information Technology Auditing: An Evolving Agenda. Springer. p. 57. ISBN 978-3-540-22155-5.