Tell me more ×
Webmasters Stack Exchange is a question and answer site for pro webmasters. It's 100% free, no registration required.
up vote 3 down vote favorite

My site handles sensitive data, is there any website security accreditation that is well respected and worth having?

share|improve this question
1  
Be more specific. What kind of sensitive data? – JCL1178 May 14 at 3:49
1  
@JCL1178 - Personal information including private photographs, however i don't see how the nature of the data has any bearing on my question? – dangerousdave May 14 at 14:31
3  
There are different certifications for different types of "sensitive" data. For instance, if you are handling credit card payments you want to learn about PCI compliance. Medical data, HIPAA compliance. If you just want general security, that's something else. – JCL1178 May 14 at 18:20
I see, I was thinking of general security to give confidence to my customers that their data can only be accessed by those authorised. – dangerousdave May 14 at 20:07

3 Answers

up vote 3 down vote accepted
+50

If you want something that's immediately noticeable as a security change to the visitor, Google: "Trusted green browser bar", which for modern browsers turns most if not the entire browser address bar green (depending on the browser).

This is occurs when a site has a "Premium SSL" certificate installed, more specifically called an "Extended Validation Certificate". Just for reference, GoDaddy sells Premium SSL's with a $250,000 warranty. You can chose to use either GoDaddy or its security brand "Starfield", both of which will provide an HTML snippet to add a "Verified & Secured" graphic to the bottom of your webpages.

Aside from that, a standard SSL certificate with a login requirement (i.e., through a .htacess passwords file) should tell your visitors that you're quite serious about security.

Tip: Always check for discount codes when buying SSL certificates, as they can drastically lower the cost for the first year.

share|improve this answer
I personally feel that Starfield sounds a bit more professional, I feel that the name godaddy immediately makes people think of "small business" and the name discredits the site a bit (just a personal opinion!) – NRGdallas May 29 at 15:49
@NRGdallas Agreed - I always opt for Stafield too. BTW, GoDaddy was just an example, there are lots of other issuers: en.wikipedia.org/wiki/… – dan May 29 at 15:57
I would disagree that using .htpasswd suggests any level of seriousness about security. Passwords should be properly encrypted/hashed (not stored plaintext like a .htpasswd file) and really shouldn't even be known by anybody but the user. – Andrew Lott May 30 at 1:15
@AndrewLott I primarily meant that requiring a login demonstrates a level of security to the visitor. How to most effectively secure a login is another topic since the asker specified he was thinking about "general security" to build confidence. The passwords file was just an example to convey the login requirement, and in parenthesis as such. – dan May 30 at 4:20
1  
Having an SSL certificate is only one part of a complex chain of possible security weaknesses. Having a "green browser bar" is completely different from being able to claim that the contents of your server cannot be compromised. – Octopus May 31 at 15:04
show 3 more comments
up vote 1 down vote

Here some "neutral information concerning "SSL certificates" and website security:

https://en.wikipedia.org/wiki/Certificate_authority

A SSL certificate provides a secure connection for your users as well as assurance to visit the "original" domain (See phishing).

https://www.us-cert.gov/ncas/tips/ST05-010

A SSL certificate does in no way guarantee secure storage of data on the website/company servers, nor does it guarantee that the website/server is not exploitable.

share|improve this answer
1  
Correct. An Extended Validation Certificate does however require steps to validate the recipient by the issuer and commonly provides a warranty. Since it's incorporated into all modern browsers and commonly used by industries requiring highly secure sites, like online banking, it should instill confidence to users. How data and servers are secured though is dependent on the standards each operator follows, and best relayed through a Privacy Statement. – dan Jun 2 at 4:50
up vote 0 down vote

Comodo offer a HackerProof "trustmark". This shows that the site has passed certain security requirements and is PCI compliant. Having some sort of security seal like this along with an EV Certificate (to give you that "green bar" in most modern browsers) should instil confidence in your users.

Additionally, having information on your site detailing what you do with sensitive data, how you store it, and why you handle it the way you do should make users feel safer providing it to you.

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.