EV and SSL Certificate Trends For The Top 100 Retailers

I thought it would be interesting to see how the Top 100 Internet Retailers (as defined by Internet Retailer) are using SSL certificates, and how many (and which companies) are using EV SSL Certificates (i.e. the “green” address bar). The results are presented below, along with a few surprises (at least to me) on how lax some companies are when it comes to projecting a safe and secure online store.

Last year’s results

Last year I took a look at how the Hot 100 companies of 2009 were using EV SSL certificates. The Hot 100 were not the biggest retailers in 2009, but the leaders in trends and marketing.

The data showed 20% were using an EV SSL certificate. I also found 17% of these stores had some sort of security issue (insecure image calls, SSL warnings, etc…). Verisign was the most popular SSL vendor, with Akamai and Geotrust coming in 2nd and 3rd respectively.

How the big boys and girls fared

This year, I thought looking at the Top 100 Retailers (The big kahunas of ecommerce) would be an interesting study. For each retailer, I went to their site, and tested their sign-in and secure checkout processes. I looked at what type of SSL certificate they had, the vendor, and the expiration date. I also made note of any security errors or problems I encountered.

For any retailer that encompassed a large group of websites (e.g. YOOX Group), I chose one of their more popular brands/ websites as the test subject.

The full list is shown at the end of this post.

The results – Overview

Here is the SSL certificate vendor breakdown for the top 100 sites:

SSL vendors for top 100 retailers

As you can see, Akamai is the most popular, followed closely by Verisign. Akamai and Verisign account for 62% of the SSL vendors. Coming in third was Geotrust and UserTrust, each with 7%.

Akamai being the most popular makes sense. Although they are not a public SSL vendor, it seems that large companies that put their websites on Akamai’s Content Delivery Network (CDN) can opt for Akamai to provide and provision an SSL certificate directly. Verisign capturing 27% of the market makes sense as well, since their brand is synonymous with security (although they are now owned by Symantec…possible brand confusion in the future?).

How about EV?

Only 14% of the Top 100 Retailers are using an EV SSL certificate. Of the 14, 9 are Verisign, and the other 5 are Comodo. Last year’s number was 20%, but remember, I looked at the Hot 100 last year. The Hot 100 had many smaller, more nimble companies, so I would expect EV rates to be a bit higher.

Why only 14%? Is EV worth it?

A few things to note:

  • Akamai does not provide an EV SSL option (as far as I know)
    So, 37% of the top 100 are automatically excluded from using EV if they opt to have Akamai manage their SSL security.
  • Big Companies are already trusted (or so they think)
    I don’t think Amazon and Walmart worry about whether people trust their websites to be safe and secure. They probably do not see a need for changing their procedures and vendor with regards to SSL. (my take: laziness and the “status quo” are probably some of the driving forces when it comes to using EV. Money is definitely not one of them, as a couple hundred dollars a year is not even considered money by any of the top 100 retailers.)
  • Large e-tailers don’t think their customers will notice or care
    If the IT decision makers know about EV certificates, and still choose to not use them, it’s possible they think their target market would not know or care if they used an EV certificate. It seems a bit short-sighted in my opinion. I definitely notice when a store uses an EV certificate, and I buy from many companies on this list.

If you look at the companies that do use EV (Apple, Newegg, Buy.com, Symantec, etc…) many are technology oriented (and probably know their client’s are more tech savvy). Others are leaders in their niche groups.

The bad data

7% of the top 100 retailers had some sort of insecure content on a secure page that caused my browser not to show a padlock (or worse, a popup about the page being insecure). I was shocked the percentage was this high, as we’re talking about the biggest (and some would say the best) ecommerce stores on the net. You would think this type of error would be weeded out.

3% did not offer a secure sign-in page at all. If I wanted to sign-in to my account with them, it would be done insecurely. This one I could not believe, as a secure sign-in for any ecommerce store is the standard these days.

One retailer (QVC) actually had their SSL certificate installed incorrectly! They were missing a required intermediate certificate. This is like “SSL 101″, and is inexcusable for any large ecommerce store. (They have recently renewed their SSL certificate and it is now valid).

What can we take away from these results?

Although the numbers are interesting to look at, you have to be careful when trying to apply these trends to your own business.

1. EV SSL Certificates

Just because 86% of the largest retailers are not using EV certs does not mean that it’s a good idea to avoid EV. Similar to a past blog post about Not Copying Amazon, or Is an EV SSL Cert Worth It, blindly doing what larger retailers are doing can be dangerous.

In fact, this data lends itself to give smaller merchants an advantage when it comes to outwardly portraying the security of their website. The more you can do to demonstrate your site’s safety, coupled with using the latest technology that other large merchants are not using, the more it can help close sales that may have otherwise been lost.

Remember,  people already trust the large merchants. With your store, they may have never heard of you. They may have just found your product in a Google search. You have to convince them it’s safe and secure for them to hand over their payment details to complete the sale.

2. Security Errors

I guess 7% of big companies think it’s not important that the padlock appear on their secure pages, or that it’s no big deal when a security warning pops-up. I can tell you this:

If you’re a small(er) merchant, and think this way, you’ll be losing more sales than you can imagine! Make sure your secure pages are 100% secure. One simple security error can ruin your sales!

3. Secure sign-in a must

If you offer customer registration or a customer log-in in your ecommerce store, it must be on a secure SSL page with no security errors. 97% of the biggest ecommerce merchants offer this (although it should be 100% in my opinion). This is one area where it’s a good idea to copy the majority.  :)

If you’d like to see the full list of the top 100 retailers, their SSL certificate details, and any notes I made, click to enlarge the images below:

1-50

Click image to enlarge

51-100

Click image to enlarge

photo credit

Looking for a web host that understands ecommerce and business hosting?
Check us out today!

Connect with me on Google+

Leave a Reply