VeraSafe Website Security Program Certification Criteria

The VeraSafe Trust Seal program recognizes your commitment to VeraSafe’s code of business best practices (as set forth below).

Displaying the seal can boosts sales by proving to shoppers that you’re trustworthy and accountable to a third party.

Register Now

VeraSafe is recommended
by the US Postal Service
for eCommerce websites.


VeraSafe Website Security Program Certification Criteria

1. Introduction.

  • 1.1. The VeraSafe Website Security Program is comprised of services that help Participants ensure their compliance with these Program Criteria. The Program Criteria are based on industry best practices and consumer protection legislation such as the California Senate Bill 1386.
  • 1.2. For a Participant to become certified in the Program it must at least meet these minimum Program Criteria, pass the verification process as described in these Program Criteria and certify its compliance with these Program Criteria.
  • 1.3. VeraSafe will issue its Secure Site seals to Participants of the Program that successfully pass the verification process, certify their compliance with these Program Criteria and are in good standing in the Program. Any Third-Party that believes that a Participant has failed to abide by these Program Criteria can send a complaint to VeraSafe per the terms of the applicable VeraSafe dispute resolution process.

2. Definitions.

  • 2.1. The following definitions apply to these Program Criteria:(a) “Data Breach” Unauthorized acquisition of data or a reasonable belief of an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of PII maintained by the Participant.(b) “Data Subject” The natural person described by the Personal Identifying Information.

    (c) “End-User” Any consumer or a natural person that is the data subject of PII collected by the Participant.

    (d) “High Level Threat” Any issue listed in the High Level Threat section of a VeraSafe Vulnerability Scanner scan report.

    (e) “IT System” Any equipment, or interconnected system(s) or subsystem(s) of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

    (f) “Malicious” Any issue listed in the Malicious section of a VeraSafe Malware Scanner scan report.

    (g) “Malware” Any computer code used to disrupt normal IT System operations, gather PII without due authorization, or gain unauthorized access to IT Systems.

    (h) “Participant” A natural person, business or other legal entity that has entered into an agreement with VeraSafe to participate in the Program and certify its compliance with these Program Criteria.

    (i) “Participant’s Website(s) (Website)” The website(s) that have been submitted by the Participant to VeraSafe for verification and are listed in the program amendment(s).

    (j) “Personal Identifying Information (PII)” Any information or combination of information that can be used to identify or locate a specific individual person. This includes names, contact information, Social Security numbers, email addresses and other individually identifiable information.

    (k) “Program” The VeraSafe Website Security Program.

    (l) “Program Criteria” These VeraSafe Website Security Program Certification Criteria.

    (m) “Seal” The VeraSafe Secure Site Seal(s) in their digital form, as shown in the VeraSafe user control panel.

    (n) “Sensitive information” Financial account numbers, financial account passwords or PII that relates to race, ethnic origin, political opinions, religious beliefs, trade union membership, or concerns health, or sexual orientation, or convictions, proceedings and criminal acts as well as any information received from a Third-Party where the Third-Party treats and identifies it as sensitive.

    (o) “Third-Party” Any individual, business or entity that is not Participant or VeraSafe.

    (p) “Web Server” An IT System that, using the client/server model and the Hypertext Transfer Protocol, transmits files that form web pages to web users.

3. Minimum Criteria To Achieve the VeraSafe Website Security Program Certification.

  • 3.1. Neutrality. Participant must not have a direct or indirect business affiliation with VeraSafe or with any employee of VeraSafe that would prejudice the ability of VeraSafe to render a fair decision with respect to the certification of the Participant. Such affiliations include but are not limited to the Participant and VeraSafe being under common control such that the Participant can exert undue influence in VeraSafe.
  • 3.2. Contact Information.(a) Participant must provide and maintain accurate, functional contact information on file with VeraSafe.
  • 3.3. Malware Mitigation. Participant’s Website(s) and IT Systems must be free of Malware, but if infected, Participant must remedy such infections expeditiously after their discovery.(a) Whether detected by the VeraSafe Malware Scanner, or by other means, Malware infected files on Participant’s Website(s) and/or IT Systems must be removed or mitigated so that they pose no infection threat to End-Users not more than 1 day following their discovery.(b) Upon remediation, Participant must manually initiate a Malware scan via the VeraSafe security control panel. The threat shall be considered sufficiently mitigated when the VeraSafe Malware Scanner no longer identifies the affected file(s) as Malicious.
  • 3.4. Vulnerability Mitigation. Participant’s Website(s) and IT Systems must be free from known Vulnerabilities, but if discovered, Participant must patch such Vulnerabilities expeditiously after their discovery.
    • (a) Whether detected by the VeraSafe Vulnerability Scanner, or by other means, known Vulnerabilities in Participant’s Website(s) and/or IT systems must be patched within the later of:(1) seven (7) days after their discovery;(2) seven (7) days of the release of a patch for the Vulnerability; or

      (3) as expeditiously as possible.

    • (b) Upon remediation, Participant must manually initiate a Vulnerability scan via the VeraSafe security control panel. The threat shall be considered sufficiently mitigated when the VeraSafe Vulnerability Scanner no longer identifies the Vulnerability as a High Level Threat.
  • 3.5. Data Security Controls. Participant must implement security policies that are reasonably designed and sufficient to protect the Participant’s IT Systems and Website(s) from unauthorized access and loss, destruction or misuse of data stored therein.
    • (a) Such policies shall be deemed sufficient when they are proportionate to the risks involved upon consideration of the Participant’s size, the complexity, nature and scope of the Participant’s business activity(s) and the sensitivity of the information stored or transmitted by the Participant’s IT Systems and/or Website(s).
    • (b) Administration areas of Participant’s IT Systems and Website(s) must be password protected with passwords that are not:(1) vendor supplied defaults;(2) easy to guess; or

      (3) written down or stored in a non-secure way.

    • (c) Participant’s IT Systems and Web Server(s) must be protected by a functional firewall.
    • (d) Participant must enact policies to expediently apply vendor supplied patches and updates to IT System software and Web Server software.
    • (e) If Participant transmits or receives Sensitive Information via the Internet, Participant must use a Secure Sockets Layer (SSL) or other encryption method, so that the information is protected from unauthorized access and loss, destruction or misuse in transit.(1) Such SSL encryption must be implemented as to prevent man-in-the-middle type attacks.
    • (f) Participant’s Website(s) must not store any critical information in cookies. For example, Participant must not store an End-User’s unencrypted password in a cookie, even temporarily. Participants must not keep anything in a cookie that, if spoofed, can compromise the Participant’s Website. Participant’s Website must:(1) set expiration dates on cookies to the shortest practical time; and(2) encrypt all Sensitive Information or passwords stored in cookies.
  • 3.6. Data Breach Disclosure. Participant must notify affected End-User(s) of any Data Breach without delay and promptly after the discovery of a Data Breach or sooner if required by applicable law. Unless a longer timeframe is officially requested by a law enforcement authority, notification to End-User(s) must occur no later than fifteen (15) days from the date of discovery of the Data Breach. Participant must at least notify affected End-User(s) by email and post a prominent notice on the Participant’s Website homepage.
    • (a) Unless otherwise required by applicable law, Participant’s Data Breach Disclosure notice to End-Users must disclose the following:(1) that a Data Breach occurred;(2) what type of information was disclosed in the Data Breach;

      (3) when the Data Breach occurred;

      (4) what steps End-Users can take to protect themselves;

      (5) what the actions Participant is taking regarding the Data Breach (e.g. investigation); and

      (6) what steps Participant is taking to reduce the risk of a repeated or sustained Data Breach.

    • (b) If Participant suspects a Data Breach, Participant must notify police and, if required by law to do so, the Attorney General’s office for its state or province. If Sensitive Information was probably disclosed in the Data Breach, Participant must send a press release to local media organizations to raise public awareness of the Data Breach.
    • (c) Participant must act immediately, without undue delay, to patch any unmitigated vulnerabilities and reduce the risk of a repeat or sustained Data Breach within twenty-four (24) hours of its discovery of a Data Breach.
    • (d) Participant must notify VeraSafe of the Data Breach no later than fifteen (15) days from the date of discovery of the Data Breach.
    • (e) Following a Data Breach, and after immediate data security risks are mitigated, the Participant must re-evaluate its existing data security controls to determine if they are appropriate for the risks involved and increase its level of data security if necessary.

4. Verification Process.

  • 4.1. The Verification Process for this Program relies heavily on the scan reports generated by the VeraSafe Malware Scanner and VeraSafe Vulnerability Scanner to verify Participant’s compliance with the Program Criteria. Additionally, the Verification Process relies on compliance reviews conducted by VeraSafe and Participant’s self-assessments and attestations pursuant to Participant’s representation that all statements and information it provides to VeraSafe are complete and accurate.
  • 4.2. To pass the Verification Process, the compliance review and Participant self-assessments and attestations must unanimously indicate that the Participant meets or exceeds these Program Criteria.
  • 4.3. Upon completion of the review, VeraSafe will, in it’s discretion, either:
    • (a) find that the Participant meets or exceeds these Program Criteria and grant Participant the opportunity to self-certify it’s adherence to these Program Criteria and then approve Participant’s certification in this Program; or
    • (b) notify Participant that a material deficiency(s) has been identified during the Verification Process and when possible, provide Participant an opportunity to remedy the deficiency(s).

5. Accountability & Enforcement.

  • 5.1. Self-Assessment & Follow-Up.
    • (a) Participant must regularly review its compliance with these Program Criteria and take corrective measures in the event that any non-compliance or non-adherence is found.
    • (b) Participant must regularly review its scan reports as generated by the VeraSafe Malware Scanner and VeraSafe Vulnerability Scanner and take corrective action when required, per Sections 3.3 and 3.4 of these Program Criteria.
  • 5.2. End-User Complaints.
    • (a) Participant must cooperate with VeraSafe’s efforts to investigate complaints that are determined to be valid and within the scope of these Program Criteria.
  • 5.3. Re-Verification.
    • (a) Participant shall complete the Verification Process at least annually to verify ongoing compliance with these Program Criteria.
    • (b) Re-verification can be initiated by VeraSafe at any time, at least once per year, and may be initiated by VeraSafe at the request of government agencies, independent watchdog groups, the general public, based on media reports, other complaints, or at VeraSafe’s discretion. VeraSafe will strive to perform re-verifications at intervals appropriate to the Participant’s compliance risk level.
    • (c) Participant’s material violation of the Program Criteria will result in Program Suspension.
  • 5.4. Suspension & Termination.
    • (a) In the event VeraSafe reasonably believes that Participant has violated these Program Criteria or it’s Master Service Agreement in a material way, Participant’s good standing in the Program shall be suspended (“Program Suspension”).(1) VeraSafe shall provide Participant with a description of the violation(s) and any remedial actions that VeraSafe will require Participant to take during the Program Suspension period (“Program Suspension Obligations”).(2) Participant will be considered to be in Program Suspension immediately upon receiving notice from VeraSafe.
  • 5.5. Program Suspension Obligations.
    • (a) Program Suspension Obligations may include, but are not limited to:(1) compliance with additional program terms;(2) cooperation with additional compliance monitoring by VeraSafe; and

      (3) payment to VeraSafe as compensation for VeraSafe’s additional compliance monitoring.

    • (b) Participant must comply with all Program Suspension Obligations within 45 days of receiving the suspension notice, unless a longer duration is mutually agreed upon.
    • (c) During the Program Suspension period, Participant’s suspended status may be indicated via its VeraSafe Instant Verification Page and VeraSafe may require Participant to cease using VeraSafe Seals.
  • 5.6. Exiting Program Suspension.
    • (a) Program Suspension shall last until such time as the Participant has corrected the material violation(s) to VeraSafe’s satisfaction.
    • (b) If the Participant has not rectified the material violation(s) by the end of the 45 day Program Suspension period, VeraSafe will, in its discretion, either:(1) extend the Program Suspension period; or(2) determine that Participant has failed to comply with the Program Suspension Obligations and apply one or more Enforcement Actions against the Participant.
  • 5.7. Enforcement Actions.
    • (a) VeraSafe may terminate the Participant’s participation in the Program and revoke its certification status (“Termination”).(1) Participants that are Terminated will no longer be entitled to use, reproduce or display any of the VeraSafe Seals and must immediately stop all use of any VeraSafe Seal.(2) Participant shall be considered to be Terminated immediately upon receiving notice from VeraSafe.
    • (b) VeraSafe may notify the relevant consumer protection authority in the Participant’s jurisdiction (such as the U.S. Federal Trade Commission) in cases where the Terminated Participant’s material violations are, in VeraSafe’s judgment, repeated, willful or negligent.
    • (c) VeraSafe may publish press releases notifying the media and the public about the Terminated Participant’s material violation(s) in cases where material violations are, in VeraSafe’s judgment, willful, negligent or constitute an ongoing risk to the general public.

Our Trust Seal program helps you become compliant with consumer protection laws that apply to your business.