Id say yes, it is worth it. We saw an increase of around 12%. My price was only $1700 but I know its based on the amount of traffic you get so yours must be a lot more than mine.

We did the a/b split test to "prove" it was of value to us. While that showed us on paper that it was worth it we can see by the sheer volume of orders post implementation that it was worth it.

Let me add ... in addition to the increase in conversions, it also has proven invaluable as a PCI compliance tool. I was dinged with a PCI compliance fine and was told I needed to use securitymetrics to veriy I was secure. After going around with my merchant provider I was able to print my PCI compliance certification from mcafeesecure and fax it to them and all fines have been removed.

well i was telephoned and given the hard sell by these guys ...

and when the salesman gave me the line:

if you had the cure for cancer, wouldn't you share it with everybody - i just hung up.

i don't in any way dispute their claims, on the other hand i've had a site freeze on me because the page was waiting for the mcAfee server to serve the 'safe' symbol - more than once, but then again maybe they have sorted that issue out by now.

I don't think it is, but this is just based on one web site I have it on. It's only on that web site as the client wanted to have it because his new cheap competitors that are copying his site don't have it. We did some A-B testing from day to day and didn't see any difference in conversion rates, even with all the recommendations on where to place it.

I may test it on other industry sites though. Ask them about their 30 day guarantee. They said that if I didn't see an increase in conversion rates, I could cancel and get a full refund if I did so in less than 30 days.

Intresting read on this topic
[theregister.co.uk...]

I dont agree with that article at all. They definitely do not "rubber stamp". My site has had XSS issues identified. I worked to resolve and and every once in a while a new one comes up. I think it is well worth the money for the increase in conversion, the PCI compliance and lastly for the insight into potential issues that I could fix. Without mcafee, how do you know if there is a threat to your site? My guess is you don't so it's just quietly sitting there. I think being proactive is a much better option.

What about Geeks.com then? Hackersafe/McAfee even says they are not 100% secure:

[informationweek.com...]

The geeks.com story is over a year old, but even so there are reports that they did in fact lose their certification off and on prior to the attack. In essence when a scan fails you have a limited amount of time to fix it or lose your seal. Even once its fixed, if you are working on your code you can easily inject your code with another issue and get another alert that it needs fixed. They do allow you a certain amount of time and in that time you certainly could be hacked. However, again, if you don't have something or someone telling you that you have an issue how would you know? Is it better to be vulnerable and blind or vulnerable and proactive?

In a perfect world, our code would be secure and ANY changes no matter how small would go through a thorough security code review. I know that as a VERY small retailer I do not have the resources for that so mcafee is kind of an after the fact check.

also, lets not be fooled into thinking anyone is secured. A seal in and of itself is NOT going to secure your site. Look at todays news. the FAA site was hacked.

We just signed up. It does help identify weaknesses, but does not 100% protect you.

We did it more for the recogonized seal and increased conversions. Unfortunatly we do not have conversion data yet because our market has taken a dip recently with all the stuff going on in the economy so it is hard to guage increased conversions because of the seal when order volume is generally dropping due to the economy.

They originally quoted around $3000 plus per site but they kept lowering the price and the last offer was about $1200 a year for 5 sites total.

We still said no.

Someday we will use photoshop to make an official looking seal.

Seriously, if your site already shows trust by having a 800 number, physical address, SSL logo, etc; you don't need all these expensive feel good trust seals.

Design your site right, and you won't need to buy trust.

We have an 800# prominently displayed, a physical address displayed, a nice statement about our use of SSL, a better business bureau logo, live chat and still the mcafee secure logo showed us a 12% increase in conversions. And again, it isnt all about the increase in conversions, it is about knowing/finding out you have a potential risk. Im kind of shocked how many people just think of it as a trust seal and not a proactive way to keep your site secure.

If you are required to become PCI compliant then you will need to pay for a site scan. (Most, if not all ecommerce sites are now required to do so.) Mcafee handles this and so does Security Metrics. You get a site seal with both of them which is optional to display. So in the future it may be a moot point about paying or not paying as everyone will have to. We have noticed in our surveys that a minority of customers express concern about site security. For us it is just one more small barrier to remove from their mind before buying. It's not a magic bullet but it probably won't hurt.

A $1,500 - $3,000 price tag is awful hard to swallow (and pitch), but as our e-commerce operations grow I think that it will be a necessary one to prove PCI compliance and match our top competitors.

I used to be dead set against Secure Seals, especially that old Hacker Safe logo. I even used to write against them, along the thoughts that it probably encouraged hackers.

Though I bet that the new McAfee Secure seal probably does increase conversions by a small amount, I think that a 12% increase in sales MUST be well above the norm - but if that's true than we could see a six figure increase in sales. That makes the initial investment seem very minimal.

What have others seen through split testing? 1%, 3%, 5%?

I believe you should check the facts and how these validation tools work. First of all these tools can only check the HTML and responses send from the server on a given request. They perform a limited number of requests and those are totally unaware of the shopping cart s/w or ecommerce web app specifics.

Therefore they can never catch errors that are generated on the server end when certain parameters are passed and target the specific web application or shopping cart. At the same time, attackers, when they deploy bots checking for vulnerabilities, are way more effective because they check software versions, server versions and other stuff like modules deployed with popular shopping carts.

End result is, these tools may do more damage, if a merchant ignores some basic facts and totally rely upon them. Facts like upgrading the server software, shopping cart code, etc. For some shopping carts, there are dedicated tools that check for weaknesses and can give you information on flaws from the server end.

Also lots of the errors reported from tools like hackersafe, refer to the host exclusively and not to the shopping cart code. If you're on a dedicated server you may be able to add the patches and get around it. But if you are on a virtual or shared host, good luck convincing the host to do upgrades.

enigma1 - Mcafee does more, way more, than checking HTML reponses. They perform server scans ... in fact they have pointed out issues with server specific settings that my host resolved for me. They have found cross site scripting issues with my cart and showed me exactly how they were able to do it. I was able to inject the mcafee secure site into the body of my page. They also showed my how a hacker could swipe cookie info. They have found issues and I have resolved them. Here is an example ... on my site I have product reviews ... very specific URL parameters for the reviews .. they were able to show me how they could manipulate these url parameters with embedded scripts and hack my site. Again, I resolved these issues but was VERY appreciative of them finding it. Mcafee has alerted me to specific versions of PHP I was running and vulnerabilities with them. I personally would not run a site without it.

ssgumby, hackersafe no matter how high you rank it, it doesn't know of the script specifics. I have used it and tested it on several occasions and it never caught problems that were script specific and manifest on the server end, simply it doesn't know the variables that are exposed by the script.

To give you an example, if your shopping cart s/w was using a variable $xyz, that was not exposed with the reviews form you mentioned and within the script you were doing something like
$xyz = $_GET['xyz'] followed by a dbase update, then those tools do not see anything. In other words a million things can happen on the server end for a request and the hackersafe won't have a clue because nothing will be send back by the server. However an attacker knows about the script specifics.

So it's best to keep your web s/w fully updated from the vendor and monitor the modules you have integrated, if any, for updates.

As I mentioned unless you're on a dedicated server, you don't have much choice but to either use the server s/w the host sets up for you or change hosts. There are separate issues that can happen from the PHP, MySQL, Apache, etc versions and different from the shopping cart s/w.

enigma1 - how would an attacker know of the script specifics? I can assure you that mcafee has found issues with my site with script specific variables ... not sure what you mean by "exposed" but they have found issues with hidden fields.

I agree it is best, not even best but critical to keep your s/w updated with the vendor.

I am not on a dedicated server, but when mcafee has found server specifics my host has updated the server within days to help keep my site PCI compliant.

how would an attacker know of the script specifics?

He can determine the web software by sending a bot to crawl it (or he can even see the urls as indexed by the search engines). So let's say you have an e-commerce store. What are the most popular shopping carts out there? 10? 20? For each one the bot can test for a unique url/parameters and determine the nature the cart, although search engines can cover for most cases.

Once this is determined he can get the source code of the application and now he knows the weaknesses between different versions of the s/w (btw these are documented by the vendor). So if your reviews script has a problem is not even necessary to figure out what additional module the site has on.

Also many of the popular carts are open source so the code is widely available as well as the various modules or plugins. For closed source carts, it's a bit harder to acquire the code but it's still possible. Or he can visit sites like secunia where it contains a vulnerability database and then he starts applying the various documented hacks at every level. Server s/w, application, cpanel etc. Because if he knows the site he knows the host, may also know the server version etc from the headers.

Unless you have developed your own custom cart in which case yea it can be quite secure from the application point.

So in my opinion it is way more important to keep the s/w updated, than relying on some other tool that operates at the html level to figure things out.

wow, I had no idea that was so expensive. I hope some of you find value in that, but I consider it my part of my job to do what that tool does, so besides that I don't think it is worth the money to stick the logo on our sites. In our case it would be 6x that because of the number of sites we have.