Hand-holding

With online sales growing at 25% a year, it’s hard for some to imagine that there are still consumers who are not making purchases online. But there are—to the tune of 24% of consumers. That’s the proportion that told Forrester Research Inc. in the last holiday shopping season that they were making no purchases online due to security concerns.

In addition, 37% of consumers told Forrester that security concerns would affect their online shopping to some extent while 39% said it wouldn’t affect their holiday shopping at all.

In addition, fears don’t disappear even when consumers shop at well known retail brand names. That became apparent last November to Petco Animal Supplies Inc., a retailer with 740 stores nationwide, when it tested a safe-shopping certification service from ScanAlert Inc. on Petco.com and experienced an 8% increase in conversion rates. “That was a pretty big shock,” says John Lazarchic, vice president of e-commerce for Petco. “We had thought that with a recognized brand name like Petco, we would not need another company’s logo to make customers trust us.”

Retailers’ responsibilities

Consumers also clearly believe that retailers should be doing something to protect their personal and credit card data: 84% of respondents to the Forrester survey said they don’t think retailers are doing enough to protect their customers online.

As a result of these fears, several companies have sprung up to provide hand-holding to jittery consumers in the form of safe-shopping certifications.

In some cases, these companies conduct full-blown security audits and in other cases, they authenticate the identity of the retailer to fight against phishing or other scams where criminals set up web sites pretending to be legitimate retailers, with the sole purpose of stealing credit card numbers.

Few retailers would dispute the notion that having an expert security company inspect their web sites to certify that they are up to code could potentially make their sites more secure for consumers to shop on. But many, like Petco, were surprised that such inspections and the subsequent certification resulted in increased sales.

Petco.com performed a series of A/B split tests in November and January where half of the customers who went to Petco.com did not see the Hacker Safe logo issued by Scan Alert and half saw it. In November, the group who saw the logo converted at a rate 8% higher than the group of shoppers who did not see the logo, Lazarchic reports. “An 8% higher conversion rate represents a substantial growth in sales.” he says.

A positive experience

Petco.com is not the only retailer to conduct A/B studies and report increases in conversions. Fredericks.com, the online shopping site of Frederick’s of Hollywood, retailer of lingerie and sexy apparel, experienced a 3% increase in conversions with shoppers who saw the Hacker Safe logo over those who did not see it, reports Tracy Rhyan, Frederick’s director of e-commerce.

Frederick’s conducted its A/B test in September, shortly after being certified by Scan Alert, Rhyan says. “We wanted to make sure that our customers had a positive experience shopping at our site,” she says. “We were skeptical at first that just posting these labels could increase sales, but we have seen an increase in sales and continue to see increases since putting the Hacker Safe logos on our web site.”

The large-ticket benefit

Both Petco and Frederick’s of Hollywood are nationally known companies where most shoppers presumably know at least that they are dealing with legitimate companies and they would likely be perceived as having the more advanced security systems. Small, unknown companies typically experience even higher conversions rates because consumers are more likely to be fearful of shopping with them since they don’t know if some of them are legitimate businesses—let alone have confidence in their security systems.

“Although all the retailers who put our seal on their sites see increases in sales, those companies with well-recognized brands will see somewhat smaller increases,” says Ken Leonard, CEO of Napa, Calif.-based ScanAlert. “Most of those recognized companies will see single-digit increases while the small, lesser known companies will see double-digital increases, in some cases as much as 30%.”

Scan Alert has conducted A/B split tests with 130 retailers involving more than 8 million online shoppers. Those tests showed an average conversion increase of 14% for customers seeing the Hacker Safe image compared to a control group.

One small retailer that ScanAlert worked with, Binoculars.com, experienced a 30% increase in conversion rates when customers saw the Hacker Safe logo, Leonard says. That test was four years ago when Binoculars.com was just getting started. Since that time, Binoculars.com and its sister sites, part ofThralow Inc., have gone from less than $1 million in annual sales to $20 million, Leonard points out.

Additionally, Leonard notes that companies with large-ticket sales will benefit even more from security certification than other retailers because consumers are often more cautious about handing over credit card information related to purchases that cost in the thousands of dollars.

“Even though the risk is the same to buy a $2.95 CD as it is to buy a $2,000 diamond ring, the purchaser of the latter item is more security conscious,” Leonard says.

The reason for the increased sales at sites with certification is that consumers are increasingly afraid to hand over credit card information to sites when they’re not familiar with the retailer or, in the case of nationally recognized merchants, they can’t be sure the site is who it says it is.

“We’ve all seen statistics where consumers say one of their biggest concerns with shopping online is security. The fact is that these concerns hold back Internet sales. Posting a certification logo addresses those concerns,” Leonard says.

Indeed, Tim Calan, group product marketing manager for Mountain View, Calif. based-VeriSign Inc., explains that just making sure your web site is secure is not enough. “Investing in security is only half the story,” Callan says. “You have to let customers know that you are protecting their security.”

The rise of phishing

VeriSign researches the backgrounds of companies that apply for its seals—including researching the financial documents and the background of key executives—to assure that these are legitimate retail operations. Even well-known retailers like having the VeriSign seal so that shoppers know that the site they are shopping on really belongs to the retailer they think it belongs to and not some criminal impersonating a well-know retail chain or catalog brand.

Callan estimates that VeriSign’s security logo is on 57,000 web sites today, including about half of the Internet Retailer Top 400 retail sites. While VeriSign is still collecting information from its retailers that could document increased sales from the use of its logo, its executives point to outside research that shows consumers want more authentication.

Callan notes that a study by London-based TNS PLC, a market research company, in April 2005 found that 75% of online shoppers surveyed say they have abandoned a retail site at one time or other due to security concerns.

When those customers who admitted to site abandonment were questioned further, 90% said they would have gone ahead with the sale if they had seen a recognized security market, Callan says.

Opening the shopping options

In addition, consumers are right to be worried about identity theft. Such fraud represented 37% of Internet-related complaints to the Federal Trade Commission in 2005, the FTC reported in January. “With the rise of phishing and other Internet-related fraud, we live in a world where there is a lot more attention on consumer fraud and that makes customers more uncomfortable about shopping at sites where they don’t know what security measures were taken,” Callan says.

IRCE 2008 Conference Multi-Media CD-ROM

While many retailers have pages on their sites that explain their security measures, a simple logo that says this site was recognized by a known security authority is often more meaningful, Callan says.

ScanAlert does not have a marketing program directed at consumers to look for the safety seal. But ScanAlert estimates that 10 million consumers a day see its logo on web sites and have come to know what it means just through its market presence. In addition, shoppers who click on the logo get a pop-up with an explanation of what the certification means.

VeriSign does conduct some limited consumer marketing, however Callan also notes that having customers see its logo at so many sites does more to get customers to recognize the significance of that logo than any consumer marketing campaign VeriSign might conduct.

Not only do certification programs give comfort to consumers who are afraid to shop online at all, but they also open up the number of retail possibilities to those consumers who will shop online, but only at retailers with whom they are familiar.

“A lot of consumers shop only with a few retailers that they are comfortable with rather than explore all of the options that are available,” Leonard says. “These consumers are missing the full potential of Internet shopping.”

With phishing scams in the news, there is even concern that some criminals will illegally use the logos of respected retailers and pretend to be those companies in order to get customers to hand over their credit card numbers. One way for customers to verify that the site they are shopping on actually is the authentic site of that retailer is to click on the security seal. “When people click on the VeriSign seal on a site, they are shown who actually owns that site and they can verify that the retailer is who it says it is,” Callan says.

Ongoing certification

Certification is ongoing and, in the case of ScanAlert, the audit takes about two hours and is conducted daily. If a company at any time receives a ranking of 3, 4, or 5, on a scale of 1 to 5 scale with 5 having the most serious problems, it must fix problems within 72 hours or take the certification logo off the site. The audit looks at both server level security as well as any open ports or web applications that might be vulnerable. Rankings of 1 or 2 are typically “information disclosures” where there is not a breach in security per se, but companies may be giving away information about its security in such a way that a hacker might take advantage of it. In such cases, retailers are notified of potential problems.

VeriSign does its research upfront by checking the financial records and other documents to certify that a retailer is legitimate. It does not actually inspect the security-related technology the retailer uses.

Once a retailer has achieved certification, one of the big questions becomes how to display the certification seal. There is actually a trick to making sure customers see the seal.

Frederick’s puts its security certification on its home page, on each product page and at the check-out. “We’ve tested putting the logos in multiple places such as the top and the bottom of the page,” Rhyan says. “The larger the logo was, the greater the conversion rates, but we need to weigh increases in sales conversions against concerns that the logo could become too intrusive. We don’t want anything that will interfere with our own logo.”

Indeed, for logos to be effective, they need to be “on every product page, preferably above the fold,” Leonard says.

VeriSign’s Callan agrees. “You need to put the certification on every page where purchases are made. The best strategy is to put the mark near the buy button so that customers see it when they are deciding whether or not to make a purchase. You also need to put the logo on the home page or you may not get the customer engaged enough to go farther.”

Logo ubiquity

One big mistake that some retailers initially made, Leonard says, is putting the security logos only on the checkout page. “Once consumers get to that page, they have already made the decision to buy. You need to have the logos on the product pages to avoid abandonment.”

Yet, the checkout page should still have the seal. “It’s important to have the seal on the checkout page in order to avoid buyer’s remorse. Seeing the seal on the checkout page is reinforcement to the customer that he or she made a good decision,” Callan says.

What the seal should look like is also in dispute. The Hacker Safe logo is available in different sizes and colors to allow retailers to tailor the logo to fit the desired graphic look. “The larger, more colorful logo may not be fitting on some sites,” says Leonard. “On the other hand, some sites are visually more active and they need a larger logo that will stand out.”

But VeriSign believes retailers should all use the same size and color seal. “You should not tamper with the mark by shrinking it down in size or changing its colors,” Callan says. “The mark should always look the same so that customers recognize it regardless of what site they are on.”

Still, having another company’s logo on a retailer’s site is not easy for some retailers who are concerned that other company’s logos may take away from their own brand identity efforts.

“We had always shied away from using logos from third-party companies before,” says Lazarchic. “We thought the Petco site should be all about Petco and our logo.”

New—or not?

But the ability to increase sales allayed those fears. One question that remains is whether the increase in sales in coming from customers who might otherwise browse at the web site, but then shop at the chain’s offline stores or if they are all-new customers.

Lazarchic says there was no way to tell whether the increase in conversions came from existing Petco customers or new customers. “But my gut tells me that the higher conversions are the results of people who were not Petco shoppers before. I believe they would be more likely to be influenced by the certification of an outside security company.”

And while some retailers get the certification merely to increase sales, some end up finding out better ways to improve security in the process.

The decision for Petco to hire ScanAlert to check out its site was more a “marketing decision than an IT one since we believed our site was already secure,” Lazarchic says. “But now that we’re working with the company, our IT staff is interested in what they have to say about improving our security.”

Indeed, Leonard says his firm deals with a number of retailers who come to his company to get a logo that will increase sales and end up finding out a lot more about what is needed to make their sites safe. “We talk to the IT staffs and find they are often feel that security is under-budgeted,” he says.

Once these companies have an outside company look at their site for security, however, they often find there were security breaches that they had been blind to. “A lot of retailers think their site is safe so they focus on sales and revenue. Security is something that is done to put out fires or repair damage rather than planning ahead.”

Lauri Giesen is a Libertyville, Ill.-based freelance business writer.