key ways to gain online shoppers

Attention, please, those of you who sell merchandise online: Not all of you are honest, competent and credible. Some of you are incredibly greedy. More than a few of you ought to be in jail for the things you do to consumers.
But most of you, I suspect, are worthy of my trust. The trouble is, how do consumers and other businesses tell you from the bad guys on the Web?
They can't really. But one way to help buyers feel more secure about the online merchants they shop is through digital certificates and privacy seals.


How digital certificates work
Let's first talk about digital certificates. They were invented to facilitate trust in Internet transactions. These certificates, among other things, validate for customers shopping online that they are dealing with a specific person or company that has been checked out by the companies authorized to issue the certificates.

An online merchant buys a digital certificate from a certification authority (often abbreviated as CA on the Web and in marketing materials). Before the certificate is issued, the CA

checks out your company, to be sure you are who you say you are and are worthy of the certification. (For more on this process, see one of the Web sites whose addresses are mentioned below.)

Assuming you pass muster, the certificate is uploaded to your site. Typically, a logo is posted on your Web site assuring the world that you have been checked. Again, this is intended to build customer trust.

Next, a customer comes to your site to buy a product. When the transaction begins, the customer's browser contacts a secured address on your Web site. That address will start with "https," rather than "http." Your server sends its digital certificate to the browser, authenticating itself.

That initiates the Secure Socket Layer (SSL). No, that's not a name you will hear at cocktail parties. But it means that the data transmitted by the customer's browser is protected with

encryption. A padlock symbol at the bottom of the customer's browser shows that the session is secure.

What follows is a series of things that take place behind the scenes, all transparent to the customer: The customer's browser generates a session key (a long number), and uses that to encrypt

the customer's credit-card number or other sensitive data. The browser then encrypts the session key, using a public key sent by your server. The browser sends the encrypted credit-card information to your Web

server, along with the encrypted session key. The server uses a private key to decrypt the session key, and then uses the session key to decrypt the credit-card information.

No certificate, no encryption

The encrypted transaction here is made possible by the digital certificate. Without the certificate, the encryption would not take place. Without the encryption, the customer's information would be sent in a manner that could be intercepted by evil-doers in

transit. If you don't have a certificate, the padlock icon on the customer's browser will not close.

The browser probably would generate a message warning the customer that the transmission is not secure.

The customer might decide to do business with someone else.

There are a number of certificate sellers. The biggest is VeriSign (www.verisign.com),which sells certificates under that name and Thawte (www.thawte.com). VeriSign has about 90% of the U.S. market. Other major sellers are Entrust (www.entrust.com), Comodo (www.comodogroup.com) and Baltimore Technologies (www.baltimore.com).

Those five have high

compatibility with browsers. There are other certificate sellers, but at least some are not compatible with older browsers, or those made by the browser publisher Opera.

For instance, some cannot handle Internet Explorer 5.0, which was distributed with Windows 98. Be sure to check compatibility when buying a certificate. About 10% of the people who connect to my Web site are using old browsers — you don't want to lose that business.

Prices can vary widely. VeriSign certificates, with the highest level encryption (128-bit), cost around $900 for one year or $1,600 for two. The much smaller Baltimore

charges around $350 per certificate for one year. You will need certificates for each secure server.

Why privacy seals are important too

People want not only to have their personal data encrypted, but they also want to know what the online merchant is going to do with it. People today are concerned about identity theft and spam, and with good reason.

Some Web pioneers recognized in the mid-1990s that this would be an issue. They formed TRUSTe (www.truste.org), a nonprofit organization that sets standards for privacy. TRUSTe members agree to follow these rules:

Adopt a privacy policy that allays the fears of consumers.

Disclose what information is collected and what is done with it.

Give consumers the option of refusing to supply certain information.

Take steps to secure sensitive information provided by consumers.
Sounds like common sense, huh? Well, it is. But written policies

that reiterate these rules are a good idea. When TRUSTe was formed, Internet commerce was brand new and exploding. It was -- and still is -- important that companies follow the rules and make the online shopping experience a positive one for consumers. Bad apples can wreck everything.

Another registration service is provided by WebTrust (www.webtrust.net). This organization periodically has member firms examined by a certified public accountant. Among the criteria are high standards in online privacy, security and business practices. Fees vary, depending on the time the CPA

spends examining the firm.

Check out the BBB

Both of the above services serve to reassure customers. But I am even more bullish about the Better

Business Bureau Online (www.bbbonline.org), the Internet side of the same venerable watchdog organization that provides BBB plaques for brick-and-mortar

After companies apply to TRUSTe and submit a proper privacy policy, they are permitted to display the TRUSTe seal. This seal tells customers that the company displaying it practices good privacy policies. The fee for

the TRUSTe seal is based on a company's sales. The fee for the smallest companies (those with annual sales of less than $5 million) is around $600. It rises with higher revenue numbers.

businesses' walls. Given its longstanding service and strong reputation with the public, the BBB seal might be the most effective seal of all.

BBBOnline actually has two seals: reliability and privacy. You must join your local BBB to receive the online reliability seal. And you must

have a satisfactory record of resolving problems reported to the BBB.

The privacy seal requires that a privacy notice be adopted and posted. If a company appears to meet threshold standards, it still must be assessed. Fees start at $200 for a company with $1 million or less in revenues.


A privacy seal from any of these organizations can go a long way toward reassuring today's wary customers (many Web sites display more than one seal). A privacy seal combined with a digital certificate is an even better way that online merchants can show they are worthy of consumers' trust.






Posted by Kim Komando