An Evaluation of Multichannel Shopping at PetSmart

Safety and Privacy

PetSmart.com uses version 1.2 of the Transport Layer Security (TLS) industry standard protocol to encrypt online transactions as evidenced by the “s” in https:// and by the closed padlock icon displayed to the the right of the address in Internet Explorer and to the left of the address bar in Firefox and Chrome. TLS provides authentication, confidentiality, and data integrity between two communicating applications and is based on the earlier Secure Socket Layer (SSL) standard as described by Polk, McKay, and Chokhani (2014). A cipher suite specifies the algorithms to use for key exchange and provides the confidentiality and integrity services that combined provide the cryptographic support in TLS. An examination of the security settings of the petsmart.com checkout page in Chrome revealed that the domain was verified by GeoTrust and that the connection was encrypted using the Advanced Encryption Standard (AES) operating in cipher-block chaining mode (CBC) using a 256-bit cipher. Messages were authenticated using a Secure Hash Algorithm (SHA). Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) was used along with the Rivest-Shamir-Adleman (RSA) cryptosystem for the key exchange (Figure 5).

Figure 5: PetSmart’s Checkout Page Security Settings

In addition to reporting the algorithms and cipher strength used in the connection shown in Figure 5 above, Chrome reported that the site uses outdated security settings which may prevent future access. Specifically the warning refers to the use of SHA-1 for message authentication which was disallowed after December 31, 2013 (Barker & Roginsky, 2011). However, as Polk, et al. (2014) explained, SHA-1 may be used in conjunction with the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA cipher suite, which is the case with petsmart.com. Given this exception and the fact that no such warning was reported in either Internet Explorer or Firefox use of SHA-1 was not considered a security issue. Chrome also indicated that not all elements on the checkout page were encrypted as did the other two browsers, however the elements referred to likely included the header and footer neither of which contained private information nor needed to be encrypted so was also not considered an issue.

A review of security and privacy policies published by petsmart.com revealed that the company offers a secure shopping guarantee and will cover the shopper’s liability up to $50 even if the card issuer holds the shopper responsible. Shoppers are expected to first follow the procedures for reporting suspicious charges as instructed by the card issuer (PetSmart Store Support Group, Inc., 2015b). With respect to credit cards, petsmart.com supports the Verified by Visa (VbV) and MasterCard SecureCode security technologies. These technologies are only used if the card issuer also supports them. The company’s privacy policy outlines what information is collected and how, how the information is used and shared, what opt-out and access options customers can choose from, and who to contact regarding privacy concerns. The policy is comprehensive yet clearly written indicating that the company takes customer privacy issues seriously (PetSmart Store Support Group, Inc., 2015a).

print