A trust seal is a seal granted by an entity to websites or businesses for display. Often the purpose is to demonstrate to customers that the business is concerned with security and with its business identity. The requirements for the displaying merchant vary, but typically involve a dedication to good security practices, the use of secure methods for transactions, or, most importantly, verified existence of the company. Trust seals come in a variety of forms, including data security seals, business verified seals and privacy seals, and are available from a variety of companies for a fee. A trust seal can be either active or passive. Most seals are validated when they are created and remain valid for a specific duration, after which the business or process has to be re-validated.
Kinds of trust seals
A privacy seal outfits a company with a privacy statement suited to its business practices. It also helps the company identify potential privacy threats that would otherwise go unnoticed.
Business practice seals
These are seals that endorse an operational practice of a business. For example, an endorsement of the manufacturing quality practices of the company. Privacy seals are a subset of this category but popular enough, specifically with online retailers, to be mentioned separately.
Business identity seal
A business identity seal, also known as a Verified Existence Seal, is one which verifies the legal, physical and actual existence of the business by verifying multiple parameters such as statutory details, contact details, management details, etc. Verified existence trust seals add weight to the profiles of the deployers and boost the confidence of prospective clients. A major benefit of a verified trust seal is that it represents due diligence by the grantor before granting a certificate for the business.
Security Trust Seals are the most popular type of trust seal verification. There are two different types: Server Verification and Site Verification. Server Verification services perform daily scans on the hosting server. These scans check that patches have been applied or that the server is otherwise not vulnerable to attacks. Website Verification services ensure that customers are protected under normal circumstances by testing for common vulnerabilities such as cross-site scripting (XSS) and SQL injection.
Third-party verification from a reliable source and a strategically placed trust seal may assure customers about the safety and security of a site. Some trust seals, such as McAfee Hacker Safe, however, have been criticized as not doing enough to protect the security of visitors to a site, for example because they intentionally mark as 'Hacker Safe' websites known to McAfee to have an XSS vulnerability. This is possible because most seals are a simple image that a hacker can copy and paste onto their own site. Such lapses highlight the importance of anti-XSS security measures. Trust seals can give a false sense of security because they are awarded at a certain point in time, unless the website is scanned on a daily basis and the scan date is displayed. When a site is not scanned daily, changes in technology and newly found loopholes are not reflected in the trust seal, so it does not represent flaws in the updated technology. The iconographic value of a seal is high enough to mislead customers who are unaware of these changes. The FTC has fined fraudulent seal companies that provide no real security benefit.
As of 2005, in the US market the BBB On-Line, TrustE, Symantec and WebTrust were generally recognized as significant players. Also notable are: GeoTrust, DigiCert, Norton, Comodo, MerchantCircle. Some good examples of Business Practice Seals are BBB, ScanVerify and TrustLock. CDSBureau Trust Seal is unique among all trust seals because it certifies businesses that ensure security of customer confidential data kept in digital, paper, or any other possible form. CDSBureau is free and comes with privacy, cyber, and data security trust. A study published in 2016 by the Copenhagen-based web usability consultancy Baymard Institute ranked the top four trust seals as (in alphabetical order) BBB, Norton Secured (formerly Symantec Trust Seal), Google Trusted Store and TRUSTe. In February 2017, Google announced that it was closing its Google Trusted Store label and folding it into Google Customer Reviews. GCR is not a certification program but collects reviews from customers after they make a purchase and receive their merchandise. Except for GCR, each of the above offers a "For Fee" annual subscription service, allowing the Trust Seal to be placed on a subscriber's website for the subscription period.