HSBC E-Secure payment certificate issue

TimmoB

Free Member
Mar 19, 2008
128
14
Hi, Excuse me if anyone has asked this already.

A customer has pointed out to me that there is a problem with HSBC E-Secure's online certificate which scared him off using that payment option.

After investigation, it seems that IE8.0 allows the certificate to go through, but Firefox and Safari flag it up as untrusted.

Now when a customer sees something like this we lose sales.

With customers so nervous about being scammed these days, I wonder just how many sales we've lost.

Anyone else getting this?

Timmo.

hsbc-cert-problem.jpg
 

TimmoB

Free Member
Mar 19, 2008
128
14
Just had a conversation with HSBC E-Secure, apparently the only browser they recommend is IE8.0, and she suggested I tell my clients to use IE8 when purchasing from my site. I nearly fell off my chair with laughter.

From my web stats I can see that 45% of my clients use other browsers, so how a major bank can tell us we have to persuade them to use IE 8.0.

Time to ditch them and find another PSP.

Timmo.
 

cmcp

Free Member
Jun 25, 2007
3,340
846
Glasgow
I thought it was quite common. It happens when the cert is signed to domain A but presented by domain B. It usually happens when there's subdomains and refreshing on the go. It can also happen when the user's computer clock is out of sync so the cert thinks it's expired, or hasn't been born yet.
 

limessl

Free Member
Jan 10, 2010
142
10
Leeds
I thought it was quite common. It happens when the cert is signed to domain A but presented by domain B. It usually happens when there's subdomains and refreshing on the go. It can also happen when the user's computer clock is out of sync so the cert thinks it's expired, or hasn't been born yet.

Yes those are the more common reasons, but "using the wrong browser" is pretty unusual, with the exception of using mobile devices.
 

TimmoB

Free Member
Mar 19, 2008
128
14
Sorry, I haven't got the link to it, but I checked the cert and it stated it was valid until 16th May 2010.

So whether it was an expiry issue, I'm not sure.

But whatever, I can't survive in this financial climate if my already nervous clients are scared away by things like this.

I had a call earlier from HSBC, they asked if I was still getting the problem, when I said I'd disabled their payment option on the site, the guy said 'Oh' and put the phone down.

Nice.

To be honest I'm not best pleased by the lack of support that I have been receiving from these guys recently.

Perhaps they don't want my custom.

Timmo.
 

ItsJustMe

Free Member
Nov 5, 2009
3
1
Derby
It happens when the cert is signed to domain A but presented by domain B. It usually happens when there's subdomains and refreshing on the go.

That's what's happened here. If you look at the technical info, it says:

"cpi hsbc com uses an invalid security certificate.

The certificate is only valid for www cpi hsbc com"

The domain name for the certificate has been set incorrectly (they should have left out the 'www').

(Spaces added to domain names because I haven't written 15 posts yet!)
 
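The two causes discussed in this thread (a certificate issued for one name but served on another, and a clock outside the validity window), as an added example that is not part of any post. The sample certificate is constructed in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; its `notBefore` date is an assumption, and the wildcard handling goes beyond the single case in the thread.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# Names and the expiry date follow the thread; notBefore is an assumption.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.cpi.hsbc.com"),),
    "notBefore": "May 16 00:00:00 2009 GMT",
    "notAfter": "May 16 23:59:59 2010 GMT",
}


def name_matches(pattern, host):
    """Compare one certificate DNS name with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # "www.cpi.hsbc.com" never covers "cpi.hsbc.com"
    if p[0] == "*" and len(p) > 2 and h[0]:
        p, h = p[1:], h[1:]   # wildcard stands in for exactly one left-most label
    return p == h


def diagnose(cert, host, now):
    """Return the reasons a browser would warn; an empty list means no warning."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name mismatch: cert only valid for " + ", ".join(names))
    ts = now.timestamp()  # "now" is whatever the client's clock claims
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid (client clock behind?)")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired (or client clock ahead)")
    return problems


if __name__ == "__main__":
    when = datetime(2010, 1, 15, tzinfo=timezone.utc)
    for host in ("cpi.hsbc.com", "www.cpi.hsbc.com"):
        print(host, diagnose(SAMPLE_CERT, host, when) or "OK")
```

To check a live endpoint, pass the dict from `getpeercert()` on a connection whose verification errors you are investigating, together with the host name the checkout page actually redirects to.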
"cpi hsbc com uses an invalid security certificate.

The certificate is only valid for www cpi hsbc com"

The domain name for the certificate has been set incorrectly (they should have left out the 'www').

That is a pretty bad school boy error for any company to make. A bank doing it is about as *facepalm* as you can get.
 
Hi
I am with HSBC PCI SecurityMetrics, here are the links to be nosy..
My webmaster still cannot work out why and how to sort out the problems they say we have, something to do with numbers and computers..
Here is a sample of the email they send me each time to log in and see what happens. I have to ring USA to get help and moreover I pay £75 a year for this lousy service. I think it's a con. See what you think?

Thank you for using SecurityMetrics for your PCI DSS compliance.

After reviewing our records, we noticed you are not currently PCI compliant.

Some acquiring banks or processors charge their merchants a PCI non-compliance fee. In order to avoid PCI non-compliance fees (if applicable) we recommend that you become compliant as soon as possible.

You currently have one or more failing Site Certifications.

Please log into your account at ........to view the results of your scan.

The items in the RISK column marked in red indicate that you need to make changes to your system in order to correct the security problem. After you correct any failing items shown in the scan report, you will need to run a new scan. To run a new scan, click the "Run" button next to the appropriate Site Certification in your account. Expired Site Certifications are considered failing.

If you have any questions regarding your scan results or SAQ, contact our Technical Support Department at 801.705.5700 (USA), 0844.561.1658 (UK), or by email at We appreciate your business.

SecurityMetrics Support Team

It is seriously rare for a certificate that's trusted by IE NOT to be trusted by Firefox or any of the other major browsers these days.

Have you got a link so I can have a nosey at the site and see what the certificate is?
 