WebTrust: A Seal Too Far

If you remember WebTrust, the AICPA's assurance program for Web sites, you may remember that the original prediction was that there would be 400 seals within a year of the program's launch.

Now, the institute is downplaying the importance of having seals displayed on Web sites. "If an organization wants a seal, the seal is available. But we're really encouraging use of the Principles & Criteria," is the official explanation. It sounds like an epitaph. The push is towards the umbrella program, Trust Services, which, if you drill down on www.aicpa.org, still has separate sections for WebTrust and SysTrust.

The list of companies with seals displayed on the www.cpawebtrust.org site got to 40 once. That's counting the AICPA itself and ignoring the fact that VeriSign and an affiliate were listed separately. The count is now 16. The "Site with Seals Page" has become "A Sampling of Sites with SysTrust/WebTrust Seals. The AICPA is not among the samples, nor is the seal displayed on its Web site anymore. It's downplayed, indeed, if you don't display your own seal.

Launched in the fall of 1997, WebTrust was supposed to provide assurance to consumers worried about buying through the Web. That failed because most people make their purchases on the Internet with credit cards, which limits their losses. There were several efforts to kick-start the program. Early in 2000, the AICPA unbundled the program so certifications for things like confidentiality, privacy, and system integrity could be offered separately. In the first half of 2001, the pitch was seals for certification authorities, companies that provide digital signatures, because Microsoft was requiring such assurance. Likewise, there was supposed to be a boom in these, potentially hundreds of them I was told at the time.

Similarly, I can't see that SysTrust, a program for certifying the reliability of computer systems, has done that well either. Usually, organizations that want to promote a program or service trot out their happy users to talk to the press, although I'm not sure the institute has ever used this technique. But if you want to research this subject, do a Google search for the term "SysTrust." Not many recent examples come up. Companies don't want to tell the buying public their systems are reliable?

A new wrinkle is emphasizing 404 controls. It should tell you something that in an article in the Journal of Accountancy called, "Trust Services: A Better Way to Evaluate I.T. Controls," that, when the author surveyed companies to see which framework they used, 136 companies listed COSO, 27 utilized COBIT, and one company had implemented TrustServices. Twenty-six used a combination of the three, but I'm guessing it's more often a combination of the first two.

These developments all add up to the question that that AICPA itself asks on its Web site, "What Does a SysTrust/WebTrust Seal Mean to You?" What, indeed.