Securing SMB Online Transactions

As more consumers and business grow savvy about the safety of the private information asked for by companies they do business with, these customers are pushing their SMB vendors to improve the way they collect and store sensitive details during online transactions. Most fundamental in their demand for protection strategies is the assurance that when they're entering information into their browsers the information is encrypted during transmission so that no snooping parties can capture those details as they make their way through an Internet connection to the vendor's Web servers.

"I always say put yourself in your customer's shoes as they come to your site. What are you asking them to do? Are you asking them to buy something? Are you asking them to disclose any personal information?" says Jeff Huckaby, CEO of rackAID, an IT management firm. "At the very minimum today, their expectation is that these are secure transactions."

[Is your small business being asked by customers to provide enterprise-class security? See Stepping Up SMB Security.]

The process of encrypting to create a so-called secured session depends on one very important item that many SMBs overlook or skimp on to their detriment: a digital certificate. They're often referred to as SSL certificates--named for the technical protocol that governs how information is hidden from anybody but the consumer and the party they're transmitting information to.

Without getting too mired in the under-the-hood details, the high and low of these certificates is that they're used to prove to the user that the server they're connected to through their browser really belongs to your business. Since some third party has got to referee the process of proving that identity, a whole business model has cropped up where vendors called certificate authorities (CA) or issuers have stepped in to act as that arbiter or trust.

These CAs offer a ton of different certificates at wildly different prices, so it can be pretty confusing for uninitiated SMBs to sift through the options. While the underlying technology is just about the same for all of these certificates, Huckaby says, the CA vendors who offer them are not all created equal and the different types of certificates available make it necessary for all businesses to shop around carefully for the right fit for their business needs.

"The hardcore security guys may have qualms with me saying this, but the security you're getting is more or less the same at every CA brand in terms of the technical encryption of data going between your web visitor and you," he says. "The difference is in how they verify who you are."

For example, some brands may issue $10 certificates that only require an email to confirm the holder's identity, while others charge more than ten times as much for what are called extended validation (EV) certificates that require lots of documentation like copies of business licenses or articles of incorporation before they hand over a certificate to be installed on the business site. One of the biggest benefits of such an expensive and extensive process is that it gives users added assurance you really are who you claim to be through the visual cue of a green bar in the browser that's activated when it is on a site secured using an EV certificate.

Consumers have been trained at this point to not only look for visual cues like the green bar, but also for special badges on sites marketing their use of certificates from well known CA brands. According to Huckaby, sometimes the decision of which brand to go with may come down to marketing rather than technology.

"Especially when you're in a small business, if customers don't know who you are, the person visiting the site could have some questions about whether you're a legitimate company or not and by showing a seal for a well-known company like Symantec or VeriSign, you can help assuage that fear," he says. "There's marketing evidence that shows when you put these badges next to checkout carts or order forms, you see increases in the numbers of clients you get to spend money."

How To Choose Your CA
But cost or marketing appeal shouldn't be the only deciding factor of what kind of certificate to buy or who to buy it from. Technical support and customer service should also be top of mind, CA experts warn. Support can play a huge part in the resiliency of your online business when things go wrong. Because when certificates don't work, the site can't take orders. And when the site can't take orders, cash flow is cut off.

"Many times we will see independent reviews [of other CAs] from customers where they chose to go the route of the lowest cost provider and then when crunch time came, they were left hanging," says Flavio Martins, vice president of support and validation for DigiCert, a CA that specializes in servicing SMBs. "Websites were down in middle of the night, they try to contact their SSL provider and come to find out hey don't offer 24-hour support. So the business is dead in the water until someone is able to get a hold of someone during business hours."

Martins says that when SMBs choose a certificate issuer, they should test that issuer at odd hours to make sure customer service would be available to them had a problem occurred outside of normal business hours.

Having looked into all the factors that go into the process of encrypting a site and buying a certificate to support that, some SMB leaders may wonder whether they can just outsource it all and be done with it.

The answer is yes, but Huckaby warns SMBs to be careful not to make assumptions about what kind of security an IT service provider will or will not install on a site. For example, don't just assume that your hosting provider is going to automatically take care of securing sessions and installing certificates on your behalf, he says. If you're not sure whether the site you have already institutes secured sessions, check for the most basic tell-tale sign in the address bar.

"If you already have site and you're not sure, go to any place where you ask for information on your site and simply see if it says 'https' [instead of just 'http'] on the address," he says.

Other visual cues, of course, include that green bar for EV certificates. If an outsourced provider has secured your sessions but used cheaper certificates or unrecognizable brands, it may be worth the investment to ask them to buy more expensive ones on your behalf or take care of it yourself, Huckaby says.

It may also be smart to think twice about outsourcing certificate buying, Martins says. One of the problems with kicking the duty to a solution provider is that as an SMB changes IT vendors or as employees at these vendors shift, they may not maintain the kind of institutional memory necessary to do a good job managing these long-term products.

"SSL is a market where you're dealing with certificates that are valid for multiple years," Martins says."So frequently, we run into situations where an organization has changed a solution provider and they need to renew certificates and they can't contact previous providers to get a hold of all that information and that can become a headache and a waste of time."

Should you choose to outsource, he suggests at very least ensuring that someone internal to the business is registered with the certificate issuer.

"Even if you're working with an integrator that normally handles your IT, make sure that your contact details as a business person are included in all of your orders so you always stay up to date and be notified of anything that's happening [from the issuer]," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.