Extended Validation EV SSL Certificates – Should Your Website Have One?

securityExtended Validation (EV) SSL certificates are the latest secure certificates that offer the highest level of “outward” security to the end user. Introduced in 2007, these new SSL certificates cause the address bar to turn green in a visitor’s web browser, and also to display the company name. Here are two examples of this in Firefox and Internet Explorer:

Firefox:

EV SSL example in Firefox (click image to enlarge)

EV SSL example in Firefox (click image to enlarge)

Internet Explorer:

EV SSL example in Internet Explorer (click image to enlarge)

EV SSL in Internet Explorer (click image to enlarge)

EV certs have a more thorough application process, as each business is “vetted” prior to being issued an EV certificate. This means that organizations with non domain Join or domain join that have an EV SSL certificate are much more likely to be legitimate entities, as opposed to standard SSL certificates, that may be obtained by anyone without any verification.

Is it worth it to have an EV SSL certificate? I believe the answer is YES!

EV Usage for the Top 100 Retail Websites

I took a detailed look at Internet Retailer’s 2009 Top 100 Retail Websites, as I felt this was a good cross-section of large and medium sized ecommerce merchants. I recorded which sites had an EV cert., what SSL vendor they were using, and I looked for any warnings or errors on their secure pages.

* 20% of the Top 100 retailers are currently using an EV SSL certificate.

* 17% of the Top 100 retailers had an insecure call / warning on either their secure sign-in or secure checkout pages. This resulted in either a browser warning or missing padlock in the browser.

And here is the breakdown of the SSL vendors in use by the Top 100 retailers:

SSL Vendor Breakdown for Top 100 Retailers

SSL Vendor Breakdown for Top 100 Retailers

Interpreting the data

What can we learn from the above statistics? In terms of EV SSL adoption, 20% of the top retailers are now using an EV SSL certificate. Although this may seem like a low number, other studies in 2007 and 2008 found around 2% adoption in 2007, and around 12% adoption in 2008 for major retailers. There is a slow progression towards more retailers using EV.

However, there are a number of reasons why larger retailers may not have an EV cert.:

  • If you’re Amazon, people already trust you
    Large retailers may not feel the need to add an extra layer of security, since they are a well known brand. If the padlock appears and no warnings pop up, people will purchase.
  • IT managers just renew what they have currently
    Many IT departments simply make sure their SSL certificate does not expire. They renew it early, and keep it the same to keep it simple for them. The thought of obtaining a new type of SSL certificate may not cross their mind, or seem too daunting.
  • Too many hoops to jump through
    In larger organizations, there are established procedures for the handling of existing SSL certificates. In order to get an EV certificate, the IT department has to get access to incorporation documents, DUNS numbers, etc… and probably needs to submit a proposal up the chain for approving this change. It may just be too much work for little return in their eyes (which I feel is a mistake).
  • They don’t see the need
    Consumers have not yet fully caught on to how EV certificates work, and not all older browsers support EV in terms of green bars and company names being displayed. These larger retailers may not see a large enough benefit to change their ways (again a mistake in my opinion).

Does the SSL vendor matter?

In looking at the top 100 retailers, Verisign was the most popular SSL vendor. This makes sense as they are seen as the leader, and worked hard with large retailers to establish partnerships. Akamai was the second most popular, which also makes sense as larger retailers often partner with Akamai as their content delivery network provider. Geotrust was next, and has a good reputation for business websites.

Technically speaking, all the major vendors offer the same level of security in terms of the certificate itself. All of the more recent web browsers fully support the major SSL vendors, so they all work the same. Brand name recognition does come into play if the website displays a security seal, as many consumers recognize names such as Verisign or Geotrust. And some seals are more visually appealing and look more professional (The GoDaddy seal is not a professional look in my opinion).

Does it matter? Yes. Industry leaders such as Verisign and Geotrust (which is actually owned by Verisign) have more brand name recognition, and can help with conversion rates for those shoppers on the fence when it comes to trusting a website before completing a purchase (assuming you prominently display the security seal). Additionally, Verisign and Geotrust are fully supported by older web browsers, which may still account for up to 5 to 10 percent of your visitors.

What about the errors?

When I found that 17% of the top 100 retailers had some sort of insecure call or security warning on their secure pages, I was quite shocked. I figured these large organizations would eliminate these sorts of problems on their websites. These are the types of errors that can cause buyers to not complete a purchase due to security concerns. People know that the secure padlock/key needs to be present to ensure a safe transaction.

Although a large well known company such as Walmart can survive a few lost sales, smaller merchants cannot afford to drive away sales with security warnings and missing padlocks. Here is where a small business can outperform a large online store: Make sure your secure pages are 100% secure so your customers feel safe shopping on your website.

To EV or not to EV, that is the question…

The skeptic might say:
80% of the top retailers do not use EV certs. EV certs costs more and it’s more difficult to get approved for one. Many consumers still do not understand the difference between a green address bar and the secure padlock.

All of the above is true. However, that does not mean you should skip an EV certificate. And here’s why:

  • Don’t follow the herd
    Just because 80% of the top 100 are not using an EV SSL certificate does not mean it’s the right choice for your business. Their reasons for not having one (laziness, too much red tape, do not understand the technology, etc…) are most likely not the same as yours (e.g. the cost and time to get an EV cert. do not matter to them) , and are not in line with your goals. See this as an opportunity to offer more recognizable security to your customers. It can be a competitive advantage.
  • The green bar is continuing to become more recognized
    As more consumers use Windows 7, IE 8, and Firefox, the green bar becomes more widely adopted. EV features are built into Internet Explorer 8 and Firefox, so more people are being exposed to this new technology. People are starting to notice the green bar and company name, and will equate that with a secure website.
  • EV certificates are harder to obtain
    This is a good thing. A less than reputable site or scam website can easily get a regular SSL certificate. However, they would be hard pressed to pass the background checks for an EV certificate. If your website has an EV certificate, it shows your business to be on the “up and up” and you have something not everyone can purchase. It gives you a competitive advantage over those websites that do not have one.

The bottom line on EV

For a few more dollars and a little more paperwork, your website can offer the most secure certificate available today. If only a few shoppers recognize the added security and it helps them complete a purchase at your store, it will be worth it. And that is the worst case scenario. The more likely scenario is more consumers are aware of (and actively look for) the green bar to signal a truly secure connection, and put more trust in those websites that use EV SSL certificates in their store.

… Our website uses an EV SSL certificate, so I believe in what I’m saying as well.  :)

Do you have an EV certificate? Share your thoughts on why or why not in the comments below.

Photo credit

Looking for a web host that understands ecommerce and business hosting?
Check us out today!

46 Comments

  1. Allen Kelly says:

    Great work conveying the business value of Extended Validation(EV) SSL!

    If your article wasn’t compelling enough (which I think it was), here are some EV SSL case studies from VeriSign with measured ROI – http://bit.ly/EnDBC

    Thanks for spreading the word!

  2. A few people have asked me for the EV breakdown from the Top 100 retailers of 2009. Here are the companies using an EV Certificate from that list:
    Bluefly
    BlueNile
    Buy.com 
    CableOrganizer.com
    CVS
    Delight.com
    eBags
    Expressionery.com
    FragranceNet.com
    Gander Mountain
    iGourmet.com 
    iTunes
    MusicNotes.com
    Novica
    Orvis
    Overstock.com
    Popcuts
    Scentiments
    Zazzle.com

  3. The problem with the EV product as you point out is that it doesn’t deal in any way with the customer’s needs, it is almost entirely a marketing product.

    In order to change it from a bright green blouse with frills to something approximating mil-green body armour, it would be useful to extend the contract reach somewhat. Think about insisting that where an EV cert is used, no downgrade is possible.

    • Very valid points you raise (here and in your blog post). EV is definitely heavier on the marketing side at this point in time. If consumers think the green bar means a webpage is safe and secure, then merchants have to consider using this “technology” to keep from scaring away potential customers.

      I think over time the standard will evolve, there will be more concrete requirements browser wise, and it will be a safer way to conduct business online.

      • Nick says:

        I can see EV SSL certificates really start to take off when browsers start to display warning messages when a non-EV SSL certificate is used. On the flip side, this could be a source of aggravation for the IT department. One possible aggravation is a situation in which non-EV certs are used on company websites meant for just employee access and employees start calling them up about the scary browser warning messages they are getting.

  4. Theodore says:

    What you wholy fail to mention is that ‘EV’ certificates shouldn’t be necessary. They are only necessary because of a breakdown in the process: i.e. almost anyone can get an SSL certificate for any domain name they want, they just have to offer the issuer enough money.

    Oh, also, it’s not ‘just a few more dollars.’ You can get a perfectly valid (and secure) SSL certificate for ~$100, but you’ll pay more than $1000, not counting internal costs, for an EV certificate. You can’t tell me it costs $900 to contact the BBB and state license agency, since they’re already doing the nslookup/whois (I hope) to verify the documents they require.

    • I agree that EV was born of a failure of regular SSL vendors from performing due diligence when issuing certificates. Regular SSL certs can be purchased with no background checks performed. A simple email approval is all that is needed. Any scammer can obtain a regular SSL cert. without proving they are who they say they are.

      EV certificates are more expensive (some are in the $500-$700 range), and the cost is probably driven by marketing and how much businesses are willing to pay.

      For EV certs, the checks are quite involved. Once ordered, a check is performed between the domain WHOIS, the information attached to the certificate, and if the business has a DUNS number, this is compared. Any discrepancy between these records will require faxed documentation from a third party (lawyer, accountant), follow up phone calls, etc… A phone call is also conducted in all purchases (at least for the major vendors).

      If you searched for “Ugg boots” in December, it was estimated that 20-30% of the top Google links were to fake sites that were collecting credit card information and false charges. These sites all had standard SSL certificates, looked legitimate, and the padlock appeared. EV is a way for a company to show they are verified to be a legitimate business.

      Sure, scammers can still game the system and get past all the checks, but it’s much more difficult.

      Combine the more rigorous checks with marketing that has more consumers believing the green bar and listed company name to be a sign of true security, and this drives the price up for these certificates. Is it worth it? In my opinion, yes, for any business that wants to portray the most secure website they can to potential buyers.

  5. Rob, thanks for the great post. Was very informative.

  6. Rob,

    Excellent article and easy to understand explanation. How do I go about getting permission to post part of the article in my upcoming news letter? Giving proper credit to you the author and link to the site would not be a problem.

  7. Fred says:

    Great article here, and a valuable reference. Prior to reading this, I really thought those “green bars” were a glitzy favicon of some sort, and still do, to a point. Seems like sellers of these things simply have another model for generating revenue. To this end, I’ll look for other, less expensive, marketing tools. Thanks for this hard research.

    • Thanks for the feedback Fred. The green bar is gaining in terms of being a recognized security feature. The costs are higher for these certs., but part of that is the more stringent background checks performed, and the cost to integrate these new features into web browsers.

      I believe over the next few years EV SSL will become the standard for secure shopping, but time will tell. :)

  8. eas tag says:

    I anticipate over time the accepted will evolve, there will be added accurate requirements browser wise, and it will be a safer way to conduct business online.

  9. arief says:

    Ideally every site has this certificate, but I dont think this is a mandatory one, it will only work for reputable site

  10. ANRI says:

    hi Rob,

    I am everything BUT a top 100 online retailer, but reading your article was still interresting. I use thawte and I was thinking for quite some time to change the certificate.

    major concern is still my customers reaction.
    I guess most are in the 40+ age group and I doubt that they know what the new green bar is all about.

    so for small businesses changing their certificate may still be some kind of a risk.
    the percentage of people that would open their mail programm to ask in case they are in doubt is unfortunately negligible.

    so my conclusion is … I’ll stick with the status quo and whait for the EV SSL Certificates to spread.

    regards, andrea

    • Andrea, thanks for the feedback. It’s true not everyone recognizes the green bar, but it is gaining in popularity and is being seen as a standard of web security for online shopping.

      It’s not for every store, especially if your customers are mostly repeat customers and already know your company. But it can help for buyers on the fence about trusting your online store with their credit card.

  11. Excellent article, sent it over to my guy who has setup our SSL Certificates on our travel and shopping cart sites. We used and EV SSL Certificate on a auto parts site. Cost more to setup but people like the added security.

  12. Hello,

    I have a couple of questions:

    1) you said only 20% of the top 100 retailers use EV SSL… why so few?

    2) do you know of any cheaper security certificates available to people with multiple sites?

    Thanks,

    Morera :)

    • Since it’s a newer product offering, many large merchants haven’t fully evaluated the product. Reasons range from already being trusted (like Amazon), to IT policies requiring a specific cert. type, to IT managers set in their ways. I believe this number continues to climb in the next year as EV becomes more of a standard for online security.

      There are many vendors out there that offer lower cost wildcard certificates. We don’t work with these vendors, so I don’t have a specific recommendation.

  13. These certificates seem to be just another ploy for the people that like to pray on consumers fear. They are not necessary and are just another way to throw your hard earned money away.

    • For some online stores this may be true. If your average customer already implicitly trusts your company, it may not be necessary. However, if some or many of your potential customers are not familiar with your brand, and are not sure they can trust you, offering the highest security and a visible indication your site is secure is important.

      It just takes a few sales per year that were convinced by the EV green bar to complete a sale for the product to more than pay for itself.

  14. webdesign says:

    Investing money on these certificates seem to be a low profitable action . They are not much necessary . How much sequrity can t provide ??

    • EV SSL certificates validate the business entity that will be using the cert. This means that websites that have EV SSL certificates are almost always run by a legitimate business. It removes doubt as to whether or not the company running the site is a scam.

      Since more is involved in vetting the business, the certs. cost goes up as well.

      They are not for every website, but any ecommerce business that wants to convey security and trust should consider them.

  15. cypressguy says:

    Until Verisign starts major ad buys drumming up awareness of EV certs to the public, I highly doubt most of my customers have a clue.

    A few years ago I bought a Thawte cert, and had to fax documents to them, etc. and that cost under $300. And for another $700 for an EV from the big V, what more will they do?

    How much respect am I supposed to have for V if they own RapidSSL? That’s like saying BMW will sell me their version of a Ugo.

  16. Thanks for the feedback Cypressguy. EV certs are gaining in both popularity and customer awareness. Since Windows Vista/7 and the major browsers natively support the green bar, more people are seeing and recognizing when the address bar turns green. This “event” is becoming synonymous with a website being safe and secure.

    EV approval is actually much more involved than a simple fax. The vendors *actually* verify your business credentials. Here is a list of what Geotrust does to approve an EV certificate:

    http://www.geotrust.com/support/true-businessid/ev-validation-requirements/

    It is true VeriSign (now owned by Symantec) owns a number of brands including GeoTrust, Thawte, and RapidSSL. But that does not mean all the certificates are the exact same. That’s like saying just because Toyota owns Lexus, that Lexus cars are inferior.

    EV certificates are not for every business. However, if you are concerned with offering the highest level of security combined with browser options not available in standard certificates, EV is a great choice.

  17. I like the EV SSL Certificates. The green address bar is a quick and easy way to tell if it’s a real business.

  18. David Olmst says:

    Hi Rob,

    I am currently using Verisign as one of my payment gateways for a few of my sites. My savvy customers have told me that they like the green bar because it does make them feel more secure. A lot of average customers do not understand the meaning of the green bar. If it starts being more widely used, I think more people will appreciate it.

    David from Landforms of the World

  19. Hi Rob,

    Appreciate this post, but not sure I agree with your point that displaying the CA’s seal on the page helps conversion rates. Of course I don’t have any hard data to back this up, but I would think the average consumer who has a clue is simply wanting to verify that the padlock is showing. Now, having a certificate mismatch issue (like 17 of those top 100 you mention, apparently)…..now that would decrease conversions I’m sure.

    Mike P.

    • Thanks for commenting Mike. My take on displaying the seal is:

      At worst, it does not help with conversion. But if a few savvy consumers see it, click on it to learn more about the merchant, and end up finalizing their purchase… then you win.

      I agree though, having the padlock secure, and no security warnings, are the most important factors.

  20. John says:

    The Extended Validation (EV) SSL standard raises the bar on verification of SSL certificates and triggers the display of the green address bar.

  21. Great work conveying the business value of Extended Validation! If it starts being more widely used, I think more people will appreciate it.

  22. AJ says:

    1. This is the only intelligent analysis of the subject I’ve found on the web, thank you.

    2. I found it difficult to locate neutral studies of sales lift with different SSL setups, but found this study to be the most compelling (note- found on Verisign’s site): http://www.verisign.com/ssl/ssl-information-center/ssl-case-studies/virtual-sheet-music/
    It shows a 31% lift adding the Verisign SSL and a further 13% with EV. That would pay off for my company in weeks, not months. Do the math for your own site and if it pays off in 6 months it’s a no-brainer to go for it unless you’re totally starved for cash.

    3. If you are in IT and believe that all such branding/marketing is fluffy and a waste of money, go back to your room in the cellar and someone will hopefully keep sliding food under the door for you periodically. :) Meanwhile those of us who understand how to use marketing will be on vacation someplace grand. (I’m an ex-engineer so I get to make that comment :)

    AJ

    • AJ says:

      Oh and #4:

      I respect the “take a leadership position” recommendation. EV’s showing up on enough sites that even if a consumer has no clue it’s “monkey see, monkey like” when it shows up on every bank website where they’re most cognizant of security. It can’t be long for it to be a differentiator. For example none of my competitors is doing it. I’m going to be the first, which means I’ll take their market share for a while with a $195 spend. Really a no-brainer.

  23. in the myx says:

    Hello rob,
    Appreciate this post, but not sure I agree with your point that displaying the CA’s seal on the page helps conversion rates. Of course I don’t have any hard data to back this up, but I would think the average consumer who has a clue is simply wanting to verify that the padlock is showing. Now, having a certificate mismatch issue (like 17 of those top 100 you mention, apparently)…..now that would decrease conversions I’m sure.

  24. I agree the Extended Validation (EV) SSL certificates are the latest secure certificates.I appreciate the EV certs have a more thorough application process, as each business is “vetted” prior to being issued an EV certificate.

  25. nir says:

    i agree the Extended Validation (EV) SSL certificates are the latest secure certificates.I appreciate the EV certs have a more thorough application process, as each business is “vetted” prior to being issued an EV certificate.

  26. Also, this article is from early 2010. Rob, do you have inclination to do the experiment again in 2011? I would love to see how the numbers are changing?

  27. web design says:

    Excellent article. I think going forward it’s best to have everyone an EV cert because DV certs just don’t say anything about the website to the consumers.

  28. On my cold calling book website, my EV SSL expired because I had the wrong renewal date on my calendar and couldn’t get the attorney letter in time, so in the interim I installed a standard SSL. And guess what? My conversion rate went up. I think 3 years ago they were a big deal, but now that EV is available for $79 from GoDaddy with a *much* simpler verification process – all you need is a phone bill in your business name – consumers aren’t placing much value on them anymore. And why my conversion rate actually went *up* is a mystery although I’ve found some good theories online, such as consumers wondering why the name in the green bar doesn’t match the site URL – not a problem if your URL *is* your business name, such as Amazon, but an issue for the rest of us.

  29. Abel Wike says:

    Really great! As per opinion EV SSL is worth of your money. While online users shoe the green address bar in the browser, users know that web page is secure and reliable to complete online transaction.

    Fortune 500 companies are use EV SSL certificate. Here at some business case studies that explain How EV SSL helps their business and increase revenue of investment. – http://bit.ly/1hsaqCZ

Leave a Reply to ANRI