Merchant Account Blog

Shortly after the new year, Microsoft plans to move forward with a plan to flag certain ecommerce and banking sites as “safe” in an upcoming update to its Internet Explorer 7 browser. It will do this by looking for a special kind of SSL certificate called an “extended validation certificate”. For an ecommerce site to qualify as safe their SSL issuer will need to do an extensive check on the ecommerce applicant as well as an audit by a company called WebTrust.

What these companies will be verifying are:

• Physical existence

  The certificate issuer must verify that the business’ legally registered address matches the address provided to the certificate issuer. If they do not match the issuer must visit the physical location provided by the business to verify that it exists. In these cases photographs of the business’ location must be provided.

• Legal existence and identity

  The certificate issuer must verify that the business is legally registered. DBA‘s (Doing Business As) that differ from the business’ legal name will also need to be individually verified.

• Individual’s authorization

  The person applying for the certificate must be verified as being a legal representative of the applying business with the authority to apply for the certificate. This requires contacting the business as well as receiving a written verification.

• Domain name

  The domain name that the certificate is being applied for must be verified as being owned by the business. This means verifying the whois information as well as possible having the site owner make specified changes to the website to verify they do in fact control the domain.

• Telephone number

  The telephone number provided in the application for the certificate must be verified. This can mean calling the number or checking publicly available phone directories. Cell phone numbers will typically not be allowed.

Although at a glance this sounds like it will offer a strong assurance for potentially new online shoppers, there are issues with this process. Business registered for less then three years may require further validation including verification that they have a valid business bank account. Because many of these checks require government filings certain business entities (sole proprietorships, general partnerships, unincorporated associations) will not be able to get these certificates. Also, due to the amount of work that must be performed by the certificate issuer to validate the business, the cost for these certificates will be substantially higher with costs possibly reaching as high as $500 or more.

Because only a limited subset of all businesses will be eligible to receive these certificates. Additionally, only Internet Explorer 7 will support these certificates. This means the extra validation done will not offer any additional credibility in all other web browsers and thus provide virtually no additional benefit to merchants.

Additionally, Microsoft is implementing this on an unfinished specification. This means if the specification changes, and it likely will as most of the participants in creating these specifications do not like the current draft, then these certificates may not be valid in the future or may not be compatible with all browsers. Imagine paying for an expensive SSL certificate that results in some browsers saying your site is verified while others saying it is unsafe.

Technorati Tags: SSL, ecommerce, Verisign, Comodo

This entry was posted on Tuesday, December 26th, 2023 at 12:01 am and is filed under Ecommerce. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.