How to Tell if a Website is Secure
Pages that don't display a lock symbol in the web browser but are https (not http, but https - the "s" is the secure port, 443 instead of the standard port, 80) could still be secure but that's not the best practice in website design - let's explain...
What many people may not understand is that the page you're putting your credit card information into does not need to be secure itself. It's just a form on a page that where you put your information into. For you to first get that page containing that form, the connection did not need to be secure. However, the page that the information is being submitted TO does have to be https for the transaction to be transmitted securely to the server. Let's take a step back for a moment...
Forms (like credit card forms on a page) have two parts:
The page the form is sitting on.
The script (and page) the form submits to.
We call the submit (clicking the "check out" button or whatever) a "post" in web lingo - the form posts to a script (computer program) sitting on your website. This is a PHP or CGI or DotNet program that does something with the information it's receiving. When you post the form to that script, that communication does need to be secure. That is what makes a transaction secure - well, part of it.
The next part of the secure transaction happens within the script itself. That script can either store the information (which it really shouldn't if it's sensitive information like a credit card or social security number) or else it does something else with it like send it through a payment gateway and subsequently from there, the paymet gateway connects with a bank to see if funds are available, for example. The communication from the script (server) to the payment gateway also needs to be secure. There's no way to tell in your web browser if that communication is secure since it's beyond your web browser - another layer deep. You just have to trust that things are set up right and that's where there's such a thing as PCI Compliance.
Best Practices
With that said, people ARE used to seeing the lock symbol on the page that they are putting their information into. If that is done, then you, as the website owner, are showing your customers that you value their security and sensitive information and are conyeing to them that you have adequate security in place. Having a lock in the address bar is the best practice and should be followed.
Problems
The problem that is most likely encountered when a page with a credit card form on it does not have the lock symbol is that there is an element or two on the page that was not transmitted to the website visitor securely. This item can be anything from a JavaScript file to a CSS file (stylesheet) to an image or video. Our clients will often add some sort of widget or code they get from another website to their website template and since that code has references that are http and not https, those elements end up on https page, casing the web browser to not show the lock symbol.
To fix it, those items must be removed from pages that are secure - meaning pages that have https in the address bar. Often, we need to write some logic into the template/theme file to not show some particular code on a page if the page is secure. Another fix is to change the URLs to https but if the server hosting that piece of code does not have an SSL certificate installed, then it cannot be done.
Another thing that can wrong is that the SSL certificate is expired. If that's the case, then the website visitor will see a warning stating that the transaction might not be secure. Make sure you know when your SSL certificate is set to expire so that it can be renewed before it expires - this way, people will not see this message.
What if This Happens?
Here is what you should do:
Webstix Clients - If you notice a lock symbol not appearing on a website we've built on a page that should show it, then please contact us so that we can investigate it and fix it right away.
Non-Webstix Clients - If you're not a Webstix client but still want a page that is not showing a lock symbol fixed, then please contact our Website Maintenance Department, submit a ticket to us and we can get you a quote on that work.
Website Visitors - If you notice the absence of a lock symbol on a page and you ended up on here, looking for answers, then please contact the owner of that particular website and make sure they know that their secure pages are missing the lock symbol. Again, those pages should show "https" and not "http" in the address bar (some web browsers are not showing the "http" part anymore, we know. There are ways of turning that back on.