
SiteTruth and payment sites
a guide for webmasters

alpha test

Web sites which handle their own credit card processing will generally have their own SSL certificates. This allows SiteTruth to directly validate the site ownership. Smaller merchants tend to use off-site credit card processing systems, where, when payment is to be made, the customer is sent to an off-site link. This can make it difficult for SiteTruth to validate the ownership of the merchant's site. As a convenience for smaller merchants, SiteTruth will, when appropriate, accept the payment site's verification of the merchant's identity. This increases the merchant's legitimacy rating and allows them to receive the SiteTruth checkmark.

Payment site requirements

Technical requirements - payment site

  • The payment site must have a high assurance SSL certificate. Most major payment systems already have this or shortly will.
  • The page on the payment site linked to from the merchant's site must prominently display the actual business name and address of the merchant. Some payment sites already do this. The format of the name and address should be a mailing address suitable for US Postal Service mailing, surrounded by white space. If your site formatting is unusually complex, making the address difficult to find, please enclose the address within an HTML <address> tag.
  • The payment site must validate the referrer link from the merchant site, or provide a backlink to it. This is to prevent spoofing by phony sites which link to the payment site as a form of identity theft. Some payment sites already do this.

Technical requirements - merchant site

  • The name and address of the merchant as displayed on the payment site must match the name and address in the merchant site's domain registration. This is under the merchant's control.
  • The merchant site must have at least one easily findable direct link to the payment site. For most sites, this will be an existing "checkout" or "buy" link. Some sites, though, require that the user fill in a form before reaching the payment site, and if that is the only path to the payment site, SiteTruth cannot find it. A simple link to the payment site from an "about" or "help" or "site map" page will resolve this issue.
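To make the two technical requirement lists concrete, here is an added example (not SiteTruth's own checker) that performs the merchant-side checks: it pulls the name and address out of the payment page's <address> tag, compares it against the merchant's domain registration record after a simple normalization, and confirms that the merchant's own page carries a direct link to the payment host. The HTML pages, the registration record, the payment host name and the abbreviation table are all constructed assumptions for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the payment site's checkout page for this merchant, with the
# merchant's mailing address inside an <address> tag as the guide recommends.
PAYMENT_PAGE = """<html><body><h1>Pay Example Widgets</h1>
<address>Example Widgets LLC<br>123 Main St.<br>Springfield, IL 62701</address></body></html>"""
# Constructed sample: the merchant's own site, with a direct checkout link.
MERCHANT_PAGE = """<html><body><p>Welcome to Example Widgets.</p>
<a href="https://pay.example-payments.invalid/checkout?m=42">Buy now</a></body></html>"""
# Constructed sample: registrant name and address from the merchant's domain registration.
REGISTRATION = {"name": "Example Widgets, LLC", "address": "123 Main Street, Springfield, IL 62701"}

class _Extractor(HTMLParser):
    """Collect the <address> text and every <a href> target from one page."""
    def __init__(self):
        super().__init__()
        self.in_address, self.address_parts, self.links = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "address":
            self.in_address = True
        elif tag == "br" and self.in_address:
            self.address_parts.append(" ")      # keep line breaks as word separators
        elif tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)
    def handle_endtag(self, tag):
        if tag == "address":
            self.in_address = False
    def handle_data(self, data):
        if self.in_address:
            self.address_parts.append(data)

def parse(html):
    p = _Extractor()
    p.feed(html)
    return "".join(p.address_parts), p.links

_ABBREV = {"street": "st", "avenue": "ave", "road": "rd"}   # assumed normalization table
def normalize(text):
    """Lowercase, strip punctuation, expand common abbreviations, collapse whitespace."""
    words = re.sub(r"[^\w\s]", " ", text.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)

def verify_merchant(payment_html, merchant_html, payment_host, registration):
    """Apply the two merchant-side checks: address matches registration, direct link exists."""
    address_text, _ = parse(payment_html)
    _, links = parse(merchant_html)
    expected = normalize(registration["name"] + " " + registration["address"])
    return {"address_matches_registration": normalize(address_text) == expected,
            "direct_link_found": any(urlparse(h).hostname == payment_host for h in links)}
```

A real verifier would also confirm the payment host's high assurance certificate and that the payment page validates the referrer or links back, which the checks above do not cover.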

Contractual requirements

When SiteTruth accepts a payment site's verification of a merchant site's identity, the payment site is acting as an issuer of credentials. We therefore require that the payment site stand behind its verification of the merchant's identity.

Before accepting a payment site as a source of merchant credentials, SiteTruth requires that the payment site warrant its identity verification in terms no less comprehensive than the "EV Certificate Warranties and Representations" defined by the CA Browser Forum EV Certificate Guidelines. These are standardized terms developed in conjunction with the Information Security Committee of the American Bar Association Section of Science & Technology Law and the Canadian Institute of Chartered Accountants, agreed to by all major certificate issuers (Comodo, Verisign, CyberTrust, RSA, Wells Fargo, etc.) and all major web browser developers (Microsoft, Mozilla, Opera, KDE). The payment site must accept the limited financial liability required by the "CA Liability" section of the Guidelines.

Compliance by a payment site can be demonstrated by publishing, on the payment site's web site, a suitable "Relying Party Agreement" similar to that required of certification authorities.

SiteTruth will publish a list of the payment sites which, in our opinion, meet these criteria.

SiteTruth. Search, with less evil.

Another service from the publishers of Downside