I've read that certain websites use security seals to convey trust and protection to their users. I'm a little...
skeptical -- are these seals uniform or governed across the industry? Who makes them? Are they worthwhile website security checks or should they be taken with a grain of salt?
Some e-commerce websites display a bewildering array of logos on their pages, including Visa, MasterCard and PayPal logos for payment; UPS and FedEx logos for shipping; HTML- and CSS-validated logos for conformance with W3C standards; and various security-, safety- and privacy-related seals to show that the company takes the security of their users' data seriously. Recognized brands -- such as Amazon -- don't tend to use these seals, as Amazon is perceived as a trusted name already; however for lesser-known companies, these seals can lend credibility to first-time visitors who know nothing about the site.
The purpose of security seals is to provide third-party assurances to visitors that the company's privacy and data protection procedures are robust. However, a survey by the Baymard Institute in 2013 found 49% of respondents chose the "Don't know or no preference" option when it came to stating which seal gave them the best sense of trust when paying online. This doesn't necessarily mean users don't prefer to see some sort of seal on a site before using it, but it shows there is still a high level of consumer apathy towards information security. For example, retailers suffering major data breaches like TJX Companies Inc. and Hannaford Bros. Co. have not experienced any significant customer defections. This may be partly due to the zero-liability program introduced by the major card brands, as shoppers know they'll be covered for any cash losses.
The meaning of security seals is by no means uniform across the industry, as each vendor offers different assurances and has different vetting criteria or requirements for displaying its seal. Also, there is no governing body overseeing these seals, and privacy seals are the only type that offer any form of resolution service if a site's user feels the handling of their data has contravened the privacy and security commitments implied by the presence of a seal. Additionally, some security seals only mean that the site has purchased a Web server certificate to encrypt sensitive data sent to and from the site; there is no guarantee, however, that it has been correctly installed and configured, and it does nothing to assure the safety of user data once it has been sent to the site and entered into the site's database.
Most sites are validated when they apply for a seal. The seal then remains valid for a specific duration of time, even if the site's standards drop below the required threshold. Other vendors' seals such as "Norton Secured" and "McAfee Secure" signify that the site is being monitored and scanned at various intervals for common security vulnerabilities. Privacy seals from organizations like TRUSTe and ESRB Privacy cover the collection and use of visitors' data, and often involve a more extensive certification process that reviews the site's privacy procedures.
As with compliance with regulatory standards, security seals may not make a site more secure, rather they demonstrate some level of security. There is a big difference in taking information security seriously and merely completing a box-checking exercise in order to display a seal that the sales manager has said the site needs in order to boost sales. Perceived security is of some importance to many consumers, but many will also just go to the site offering the best deal. This makes the cost of a detailed inspection of security and data handling processes in order to display a seal that users may or may not appreciate an expensive exercise.
Trust seals can help build a website's credibility, but they can also give users a false sense of security; seals certainly don't certify the ethical business practices of the site's owners or the quality of service. If site owners could be held liable for providing false information to seal vendors -- or if their sites are actually taken offline if they fall below the required standards -- then users would know that sites displaying a security seal really do take security seriously.
Ask the Expert!
Perplexed about application security? Send Michael Cobb your questions today! (All questions are anonymous.)
Dig Deeper on Web browser security
Related Q&A from Michael Cobb
Android for Work's sandboxing tools, which split work and personal profiles, can be bypassed with a proof-of-concept attack. Expert Michael Cobb ...continue reading
Yahoo claimed a vulnerability in its email service enabled attackers to use forged cookies to gain access to user accounts. Expert Michael Cobb ...continue reading
A researcher discovered 76 iOS apps containing sensitive user data that were vulnerable to man-in-the-middle attacks. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.