cx-i

Insights into the online customer experience from Mike Baxter

transactional trust: getting it all wrong

It takes years to build up trust, and only seconds to destroy it
Anonymous (sourced from ThinkExist)

Customers trust the Internet to very different extents. According to a survey by TNS-TRUSTe, around half of all customers actively seek out and read privacy policies, a quarter take proactive measures to protect their personal information and just under a quarter take no measures to either find out about or protect their privacy. The extent to which customers need to be reassured on trust issues, therefore, varies considerably but to satisfy most of the people most of the time requires best-practice to be deployed rigorously. www.zoominfo.com gets all of the basic trust requirements wrong and, as such, provides an interesting case study in what we should be looking out for to safeguard transactional trust.

ZoomInfo claims to hold the latest online information on 25,662,724 people, their work, affiliations and interests. They offer a free search tool and a subscription-based business service. If, as I did, you happen to find yourself on ZoomInfo, you can update your records. A great service, until you come to confirm the changes you've just entered!

To get to the page I'm talking about, go to www.zoominfo.com and enter your name in the Find people summaries text box. Click on your entry (you're bound to be there, Mike Baxter produced 300 results!). and then click the link (top right) called "Is this your web summary? You can update it here ..." Once you've done all your updating, you will arrive at a page entitled Verify your identity, at which point you will be asked to provide your name, address and credit card details. I had scam-alerts immediately start ringing inside my head! And they weren't reassured by what I found upon closer inspection of the page.

Lesson #1 Dont give your customers any surprises at the end of a transactional process. No mention is made of the need for a credit card during any of the preceding stages of the process. Saying in this introductory paragraph that a credit card "is the simplest online mechanism to verify your identity" is hardly a convincing argument for a sceptic. It is, in fact, very difficult to verify personal identity and even a credit card check doesn't do it well (as Bruce Schneier's recent blog entry on Two-Factor Authentication points out "credit card companies spend their security dollar authenticating the transaction, not the cardholder"). A credit card is, however, one of the few ways to obtain some form of proof of identity across national borders. ZoomInfo needs to explain this clearly and persuasively before anyone starts updating their records: if possible, they need to offer links to expert opinion endorsing the value of credit cards as an effective way of confirming personal identity.

Lesson #2 Don't hide the browser address bar on a transaction page This is a pop-up page and the address bar on the browser has been hidden. Readers, therefore are denied access to one of the major indicators of transaction security - https at the start of the URL on a payment page. One of the National Consumer League's 6 tips for shopping safely online is "when you provide payment information the http at the beginning of the address bar should change to https or shttp".

Lesson #3 Don't hide the browser status bar on a transaction page Again as part of the configuration of the pop-up page, the Status bar at the foot of the browser has been hidden. This denies yet another key indicator of trustworthiness: the little padlock icon showing that the site has a digital certificate and that information submitted from this page will be secured using SSL encryption.

Lesson #4 Always make sure any 3rd party certification logos are linked to proof of certification Having 3rd party certification of a site is usually persuasive evidence that the site can be trusted and ZoomInfo features both VeriSign and Thawte logos. The certification logo should, however, be more than a simple image. Thawte's own advice to consumers says "By clicking on (the Thawte logo), visitors will get real-time confirmation of the validity of the certificate. The Thawte Trusted Site Seal pop-up will verify the details of the business behind the certificate".Neither the Verisign nor the Thawte logos are hyperlinked.

Lesson #5 Always provide links to further information and reassurances about security and privacy issues Under a heading Important Note , the reader is invited to "please read our Privacy Policy for more information". This is the only link on the page offering more information to anyone who might want reassurance - yet the link returns an http 500 "page cannot be displayed" error message (tested on the 10th, 11th and 12th April).

They have managed to get 5 major trust features wrong - all on a single page! It must be emphasised that the issues raised here are to do with transactional trust, not transactional security - with a little digging in the right places it transpired that the page was hosted on a secure server belonging to zoominfo and that any information submitted from this page would be encrypted with 128 bit security. Rather, the above concerns are all about customer perceptions of security and resulting trust in that security.

Conclusions Trust is an emergent property that arises out of a multitude of small trust-engendering features of a web site. No single feature will, on its own, engender trust in the mind of customers but its absence could well damage trust. The features (or lack of them) discussed in this post are mostly technical and relatively simple to deploy. In another post I consider the softer and more intangible aspects of trust which are much less straightforward to implement (see touching the intangibles in the financial services section of cx-i).

posted at 5.39pm on tuesday 12th april 2005 by mike baxter
Want to comment?

	Lesson #1 Dont give your customers any surprises at the end of a transactional process. No mention is made of the need for a credit card during any of the preceding stages of the process. Saying in this introductory paragraph that a credit card "is the simplest online mechanism to verify your identity" is hardly a convincing argument for a sceptic. It is, in fact, very difficult to verify personal identity and even a credit card check doesn't do it well (as Bruce Schneier's recent blog entry on Two-Factor Authentication points out "credit card companies spend their security dollar authenticating the transaction, not the cardholder"). A credit card is, however, one of the few ways to obtain some form of proof of identity across national borders. ZoomInfo needs to explain this clearly and persuasively before anyone starts updating their records: if possible, they need to offer links to expert opinion endorsing the value of credit cards as an effective way of confirming personal identity.
	Lesson #2 Don't hide the browser address bar on a transaction page This is a pop-up page and the address bar on the browser has been hidden. Readers, therefore are denied access to one of the major indicators of transaction security - https at the start of the URL on a payment page. One of the National Consumer League's 6 tips for shopping safely online is "when you provide payment information the http at the beginning of the address bar should change to https or shttp".
	Lesson #3 Don't hide the browser status bar on a transaction page Again as part of the configuration of the pop-up page, the Status bar at the foot of the browser has been hidden. This denies yet another key indicator of trustworthiness: the little padlock icon showing that the site has a digital certificate and that information submitted from this page will be secured using SSL encryption.
	Lesson #4 Always make sure any 3rd party certification logos are linked to proof of certification Having 3rd party certification of a site is usually persuasive evidence that the site can be trusted and ZoomInfo features both VeriSign and Thawte logos. The certification logo should, however, be more than a simple image. Thawte's own advice to consumers says "By clicking on (the Thawte logo), visitors will get real-time confirmation of the validity of the certificate. The Thawte Trusted Site Seal pop-up will verify the details of the business behind the certificate".Neither the Verisign nor the Thawte logos are hyperlinked.
	Lesson #5 Always provide links to further information and reassurances about security and privacy issues Under a heading Important Note , the reader is invited to "please read our Privacy Policy for more information". This is the only link on the page offering more information to anyone who might want reassurance - yet the link returns an http 500 "page cannot be displayed" error message (tested on the 10th, 11th and 12th April).