Merchant Account Services

Merchant Account Blog


Microsoft Squeezing the Small Ecommerce Shop?

Shortly after the new year, Microsoft intends to move forward with a plan to flag certain ecommerce and banking sites as “safe” in an upcoming update to its Internet Explorer 7 browser. It will do this by looking for a special kind of SSL certificate called an “extended validation certificate”. For an ecommerce site to qualify as safe, its SSL issuer will need to do an extensive check on the ecommerce applicant, as well as an audit by a company called WebTrust.

These companies will be verifying the following:

  • Physical existence

    The certificate issuer must verify that the business’ legally registered address matches the address provided to the certificate issuer. If they do not match, the issuer must visit the physical location provided by the business to verify that it exists. In these cases, photographs of the business’ location must be provided.

  • Legal existence and identity

    The certificate issuer must verify that the business is legally registered. DBAs (Doing Business As) that differ from the business’ legal name will also need to be individually verified.

  • Individual’s authorization

    The person applying for the certificate must be verified as being a legal representative of the applying business with the authority to apply for the certificate. This requires contacting the business as well as receiving a written verification.

  • Domain name

    The domain name that the certificate is being applied for must be verified as being owned by the business. This means verifying the whois information as well as possibly having the site owner make specified changes to the website to verify that they do in fact control the domain.

  • Telephone number

    The telephone number provided in the application for the certificate must be verified. This can mean calling the number or checking publicly available phone directories. Cell phone numbers will typically not be allowed.

Although at a glance this sounds like it will offer strong assurance for potentially new online shoppers, there are issues with this process. Businesses registered for less than three years may require further validation, including verification that they have a valid business bank account. Because many of these checks require government filings, certain business entities (sole proprietorships, general partnerships, unincorporated associations) will not be able to get these certificates. Also, due to the amount of work that must be performed by the certificate issuer to validate the business, the cost for these certificates will be substantially higher, with costs possibly reaching as high as $500 or more.

Only a limited subset of all businesses will be eligible to receive these certificates. Additionally, only Internet Explorer 7 will support these certificates. This means the extra validation will not offer any additional credibility in any other web browser and thus will provide virtually no additional benefit to merchants.

Additionally, Microsoft is implementing this on an unfinished specification. This means that if the specification changes, and it likely will, as most of the participants in creating these specifications do not like the current draft, then these certificates may not be valid in the future or may not be compatible with all browsers. Imagine paying for an expensive SSL certificate that results in some browsers saying your site is verified while others say it is unsafe.


2 Responses to “Microsoft Squeezing the Small Ecommerce Shop?”

  1. Dan Kubb

    While I think many of the checks being done for extended validation should’ve been done all along for regular certificates, I think the pricing puts it out of reach of most small businesses. Verisign, Thawte and Geotrust extended SSL certificates are all at least double the price of regular certificates (incidentally the latter two are owned by Verisign which probably accounts for the super high pricing). Also there’s no such thing as wildcard SSL certificates, so ISPs can’t provide business1.isp.com business2.isp.com and so on.

    The only way I can see small businesses affording extended validation is if they use a third party shopping cart that offers it on their own domain.

  2. » High Assurance SSL Certificates Make Their Debut - Merchant Account Services Blog

    [...] As previously mentioned in our blog new high assurance SSL certificates have made their debut. If you visit Entrust’s home page in Internet Explorer 7 you will see the address bar turn green. [...]
