If you want to process payments directly on your website, you’ll be handling sensitive data, such as customer and payment information. To protect this data while requests travel between visitors’ browsers, your site’s servers, and payment processors, the information needs to be encrypted so that it can’t be read by anyone who intercepts it. That’s where SSL certificates (Secure Sockets Layer certificates) come into play.
So you’ve probably heard of an SSL certificate, but may not be sure why you need it, how to pick one, or what it does for your site. I’ll go over what an SSL certificate does and some different options so you can determine what’s the best fit for your site.
What is an SSL certificate?
SSL is a protocol that directs communicating devices (such as visitors’ browsers and your website server) to encrypt their exchange in order to prevent eavesdropping or tampering. The protocol uses a third party, called a Certificate Authority (CA), to establish a valid identity for one end (or both ends) of a transaction. Basically, the Certificate Authority verifies that a site is owned by the entity that claims to own it, and for some certificates it will dig deeper to verify details about the owning entity (such as name and location). Once the CA has verified that the site ownership details are valid, the SSL certificate is generated, signed, and validated, and it instructs the browsers and servers that are communicating to use the SSL protocol for their exchange.
Browsers display “https://” in the address bar to let your site’s visitors know that the site has a valid certificate and that data will be encrypted when exchanged. The HTTPS indicates that the site owns an SSL certificate and will follow the SSL protocol when sending information. Essentially, the browser has checked with a Certificate Authority that the site can be trusted and has a valid certificate. Many customers have been trained to look for this information and will recognize the security logo in the address bar.
Types of SSL Certificates
So now that we know what an SSL certificate is for, we should talk about what kind of SSL certificate you’ll need. All SSL certificates in use must be 2048-bit according to new guidelines, so you’ll want to confirm that this is the case for your SSL certificate when purchasing. Certificates are also tied to your domain name, so they may need to be reissued if you change DNS hosting or other services, and you should consider reissue costs. While all certificates use the same protocol and are therefore inherently secure, there are three major types of SSL certificates that you can choose from for your site, and each comes with a wide range of costs.
The simplest (and least expensive) SSL certificates are Domain Validation (DV) certificates. For these certificates, the CA simply checks the right of the site owner to use a specific domain name. No identity information is vetted, and no information is displayed to users other than encryption information. For an eCommerce site, while this certificate will work, I wouldn’t recommend using it, as customers will notice that company information isn’t displayed, which may reduce trust and lower conversions. Sometimes these certificates also use 128-bit encryption, possibly increasing your security risk. Customer data is still protected, but the marginal cost of getting a better certificate to increase trust, and therefore conversions, is probably well worth the investment.
One step up from a DV Certificate is an Organization Validation (OV) SSL Certificate. To obtain this type of certificate, the CA still checks the right of the site owner to use a specific domain name, but it also conducts some vetting of the organization and researches ownership and company details. Additional company information is displayed to customers when clicking on the Secure Site Seal, providing more information related to who is behind the site. This usually results in enhanced trust in the site from the customer.
An Extended Validation (EV) SSL Certificate involves the highest level of vetting by the Certificate Authority, and usually takes a couple of days to obtain. The CA still checks the site owner’s right to use the specific domain name, but it also conducts a thorough vetting of the organization for maximum security. The guidelines for obtaining an EV certificate are strict, and specify several steps that must be completed before the certificate is issued. Some of the steps include verifying the legal, physical, and operational existence of the entity; verifying that official records match the entity’s identity; and verifying that the entity has exclusive rights to use the specified domain name. Extended Validation certificates also change the way the browser displays your certificate to customers, showing the owner’s name in the address bar and greatly increasing the trust customers place in the site.
Usually, EV SSL certificates lead to the highest conversion rate, as customers expect maximum security and don’t opt out of the purchase process. GlobalSign has some information on types of SSL certificates if you want to read more.
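To make the CA model and the three certificate types above concrete, here is an added example (not code from the original post) written in Go against the standard library’s crypto/x509 package. It plays both roles from the earlier explanation: a constructed Certificate Authority signs two server certificates, and a browser-side check then verifies each one against a trust store. The hostnames shop.example.com and other.example.com, the company name “Example Shop LLC”, the CA name, and the fixed clock are all constructed values. The DV-style certificate carries only the domain name, the OV-style one also carries the vetted organization (which is what the browser can show on the site seal), and the OV certificate is deliberately issued with a 1024-bit key so the 2048-bit check from the previous section has something to flag. Real EV status is signaled by a CA policy identifier that this example does not model; it only distinguishes “no organization recorded” from “organization recorded”.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertReport collects the checks a site owner, or a visitor's browser, runs on a server certificate.
type CertReport struct {
	Organization string // empty on a DV certificate (only domain control was checked); the vetted company on OV/EV
	KeyBits      int    // RSA modulus size; the post's guideline is at least 2048
	Trusted      bool   // chains to a CA in the trust store and is inside its validity period
	HostnameOK   bool   // the certificate covers the hostname the visitor typed
}

// InspectCert is the browser-side view: does a CA in roots vouch for this site at time now?
func InspectCert(cert *x509.Certificate, hostname string, roots *x509.CertPool, now time.Time) CertReport {
	var r CertReport
	if len(cert.Subject.Organization) > 0 {
		r.Organization = cert.Subject.Organization[0]
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		r.KeyBits = pub.N.BitLen()
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	r.Trusted = err == nil
	r.HostnameOK = cert.VerifyHostname(hostname) == nil
	return r
}

// issue generates an RSA key of the given size and has parentKey sign tmpl; with parent == nil it is self-signed, as a root CA's is.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serverTemplate describes a site certificate; org == nil mimics DV (domain control only), a named org mimics what an OV/EV CA records.
func serverTemplate(host string, org []string, start time.Time, days int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host, Organization: org},
		DNSNames:     []string{host},
		NotBefore:    start,
		NotAfter:     start.AddDate(0, 0, days),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// DemoReports issues a DV-style and an OV-style certificate from a constructed CA and inspects them from several viewpoints.
func DemoReports() (map[string]CertReport, error) {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed clock for the constructed certificates
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Constructed Example CA"},
		NotBefore:    start, NotAfter: start.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageCertSign,
	}
	caCert, caKey, err := issue(caTmpl, nil, nil, 2048)
	if err != nil {
		return nil, err
	}
	dvCert, _, err := issue(serverTemplate("shop.example.com", nil, start, 90), caCert, caKey, 2048)
	if err != nil {
		return nil, err
	}
	ovCert, _, err := issue(serverTemplate("shop.example.com", []string{"Example Shop LLC"}, start, 365), caCert, caKey, 1024) // 1024 on purpose: the key-size check should flag it
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool() // the browser's trust store, holding only the constructed CA
	roots.AddCert(caCert)
	return map[string]CertReport{
		"dv":        InspectCert(dvCert, "shop.example.com", roots, start),
		"ov":        InspectCert(ovCert, "shop.example.com", roots, start),
		"untrusted": InspectCert(dvCert, "shop.example.com", x509.NewCertPool(), start), // CA absent from the trust store
		"wronghost": InspectCert(dvCert, "other.example.com", roots, start),
	}, nil
}

func main() {
	fmt.Println(DemoReports()) // prints the four reports and a nil error on success
}
```

Running it with `go run` prints four reports. The "dv" and "ov" reports differ only in the recorded Organization and in KeyBits (2048 versus the deliberately weak 1024), which is exactly the information a site owner should confirm before purchase. The "untrusted" report shows the same DV certificate evaluated by a browser whose trust store lacks the issuing CA: nothing about the certificate changed, yet it is no longer trusted, which is why the CA behind a certificate, and not just the certificate itself, determines whether customers see the padlock. The "wronghost" report shows that a valid, trusted certificate still fails when the hostname typed by the visitor is not one the certificate covers.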
Where to Get an SSL Certificate
Many times, your domain name registrar can provide SSL certificates if you need them, usually by reselling certificates from other providers. For example, NameCheap resells SSL certificates from several major providers. You’ll want to pay attention to browser compatibility, as the browser has to recognize the SSL certificate in order for a customer to see that your site is secure. Quality SSL certificates will probably cost at least $100 per year, and will be compatible with virtually all browsers.
My favorite place to buy SSL certificates is DigiCert, for a few reasons. First, they offer excellent support if you have questions about how to get a certificate or, more importantly, if there are any issues with your certificate that need to be fixed. They also offer free reissues for life in case you change DNS services. They also offer extensive browser compatibility and high warranties against losses resulting from improper certificate issuance, which protects you if customers suffer damages. DigiCert will probably be slightly more expensive than other CAs, but I think it’s worth paying a slightly higher price for the benefits you’ll get.
Aside from DigiCert, here are some specific certificates from NameCheap I’d look into:
- Comodo PremiumSSL Certificate, EV SSL certificate, or EV SSL SGC certificate
- GeoTrust TrueBusinessID certificate or TrueBusiness ID with EV Certificate
- Thawte SSL Web Server certificate
Looking for more information? Here are some sites you can check out:
- SSL Certificates HOWTO
- What is Transport Layer Security?
- GlobalSign has articles on “What is an SSL?”, “What is an SSL Certificate?”, and others.
- SSL Shopper provides some great information on SSL and Certificates.
- Here are a couple of articles on how security improves conversion, from Practical eCommerce and The eCommerce Expert.