When you visit the website of your financial institution, whether it is your bank, insurance agency, brokerage house or credit card company, the site is most likely using an Extended Validation (EV) certificate to secure its communication and to present its identity to users. Your browser shows the encryption lock in the address bar as well as the company name, sometimes highlighted in green, depending on the browser. This tells the user that the certificate authority verified the company's legal identity before issuing the certificate and recorded it in the certificate itself: the registered legal name, the jurisdiction and registration number under which it is incorporated, its physical address and country, and the type of entity (the business category).
Financial institutions have always been targets of fraudsters because of the value of the information and assets they hold. Banks and others therefore recognize the importance of identity and the value that EV provides to their customers. Website authentication is, however, just one use case for EV certificates. Before we discuss the others, let's summarize why financial institutions use EV:
What else can EV be used for? There are broad uses besides browser-facing website authentication. IT departments use the verified organization identity carried in EV certificates for things like confirming that websites belong to the company, adding rules to internal firewalls and proxies that match on the certified organization rather than on a hostname alone, configuring managed security services, and supporting internal audits and compliance.
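As an added example (not code from the original post or from DigiCert), here is what the "does this site really belong to the company" check from the paragraph above looks like when it is done by a tool rather than by a person reading the address bar. It reads the identity fields described at the top of the post (organization, registration number, business category, jurisdiction of incorporation) from a certificate's Subject, refuses anything that does not assert the CA/Browser Forum EV policy OID 2.23.140.1.1, and matches the result against an allow-list entry keyed on the verified identity instead of the hostname. The certificate is self-signed and generated in the program, and the bank, registration number and hostname are fictitious; a real check would run after normal chain and hostname validation and read the same fields from the CA-issued leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs from the CA/Browser Forum EV Guidelines: the EV policy and the verified-identity Subject attributes.
var (
	oidEVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidOrganization        = asn1.ObjectIdentifier{2, 5, 4, 10}
	oidSerialNumber        = asn1.ObjectIdentifier{2, 5, 4, 5}  // registration number
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15} // e.g. "Private Organization"
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)
// EVIdentity is the organisation identity an EV leaf certificate carries in its Subject.
type EVIdentity struct{ Organization, RegistrationNumber, BusinessCategory, JurisdictionCountry string }
// subjectAttr returns the first string-valued Subject attribute with the given OID, or "".
func subjectAttr(cert *x509.Certificate, oid asn1.ObjectIdentifier) string {
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oid) {
			return s
		}
	}
	return ""
}
// ExtractEVIdentity rejects certificates that do not assert the EV policy OID, and ones that assert it
// but lack the Subject fields EV issuance guarantees. Chain and hostname validation are the caller's job.
func ExtractEVIdentity(cert *x509.Certificate) (EVIdentity, error) {
	isEV := false
	for _, p := range cert.PolicyIdentifiers {
		isEV = isEV || p.Equal(oidEVPolicy)
	}
	if !isEV {
		return EVIdentity{}, fmt.Errorf("certificate does not assert EV policy %v", oidEVPolicy)
	}
	id := EVIdentity{
		Organization:        subjectAttr(cert, oidOrganization),
		RegistrationNumber:  subjectAttr(cert, oidSerialNumber),
		BusinessCategory:    subjectAttr(cert, oidBusinessCategory),
		JurisdictionCountry: subjectAttr(cert, oidJurisdictionCountry),
	}
	if id.Organization == "" || id.RegistrationNumber == "" || id.BusinessCategory == "" || id.JurisdictionCountry == "" {
		return EVIdentity{}, fmt.Errorf("EV policy asserted but identity fields missing: %+v", id)
	}
	return id, nil
}
// Allowed is an allow-list rule keyed on the verified identity rather than on the hostname:
// a look-alike domain with a DV certificate can never satisfy it.
func Allowed(id, want EVIdentity) bool { return id == want }

func must(err error) {
	if err != nil {
		panic(err)
	}
}
// MakeSampleCert builds a self-signed certificate for the demonstration (a constructed sample,
// not CA-issued). ev controls whether the certificatePolicies extension asserts the EV OID.
func MakeSampleCert(subject pkix.Name, ev bool) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject, DNSNames: []string{"www.example-bank.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ev {
		// certificatePolicies (2.5.29.32) ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }
		val, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidEVPolicy}})
		must(err)
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}
// SampleEVSubject is the Subject of a fictitious EV certificate (constructed data).
var SampleEVSubject = pkix.Name{
	CommonName: "www.example-bank.test", Organization: []string{"Example Bank plc"},
	Country: []string{"GB"}, Locality: []string{"London"}, SerialNumber: "01234567",
	ExtraNames: []pkix.AttributeTypeAndValue{
		{Type: oidBusinessCategory, Value: "Private Organization"}, {Type: oidJurisdictionCountry, Value: "GB"},
	},
}
// SampleDVSubject is what a DV certificate for the same hostname carries: nothing but the name.
var SampleDVSubject = pkix.Name{CommonName: "www.example-bank.test"}

func main() {
	ev, err := ExtractEVIdentity(MakeSampleCert(SampleEVSubject, true))
	fmt.Println("EV:", ev, err, err == nil && Allowed(ev, EVIdentity{"Example Bank plc", "01234567", "Private Organization", "GB"}))
	dv, err := ExtractEVIdentity(MakeSampleCert(SampleDVSubject, false))
	fmt.Println("DV:", dv, err)
}
```

Two caveats for anyone adapting this: the allow-list comparison is on the whole identity, so a certificate for the right company incorporated in a different jurisdiction is rejected rather than silently accepted; and some older EV certificates carry only the issuing CA's own EV policy OID rather than 2.23.140.1.1, so a production check should accept the OIDs of the CAs it trusts as well.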
In the European Union, EV is taking on another role. The eIDAS regulation (Regulation (EU) No 910/2014), adopted in 2014 and applicable since July 2016, replaced the 1999 Electronic Signatures Directive. As part of this update, the regulation defined Qualified Website Authentication Certificates (QWACs). These are based on EV certificates with additional information added: a qcStatements extension marks the certificate as a qualified certificate issued by an EU qualified trust service provider, and the PSD2 profile adds the payment institution's authorization number, its roles and the name of its national competent authority. The regulatory technical standards under the revised Payment Services Directive (PSD2) require payment service providers doing business in the EU to identify themselves to each other with QWACs (or qualified certificates for electronic seals). Banks needed their production interfaces in place by June 2019, the standards apply in full from September 2019, and Certificate Authorities are already getting requests for this product from EU-based banks and other financial organizations doing business in Europe.
To protect end users, work continues to hold online businesses to the highest standard of identity verification and, just as importantly, to get that verified identity in front of users consistently. The weak spot today is the browser.
The one problem with everything mentioned here is the piece of software people use to view websites: the browser. The browser experience for EV websites is vastly inconsistent. Some display the company name in green, some in gray. One doesn't display the company name at all, but rather the domain name in green. Some are promising changes to the user interface; others haven't changed theirs in years.
What improvements can we hope for?
Until then, the use of EV by financial and other high-value sites to proclaim their identity remains useful for the reasons above, whether or not the browser surfaces it: the verified identity is still in the certificate for any person or tool that reads it. What good is encryption if we don't know who we are transacting with?
DigiCert plans to propose additional improvements to the EV standards in the months to come, and we look forward to continuing the conversation on the importance of identity for all aspects of our connected, digital lives.