In guarding against online fraud, we are cautioned to look for HTTPS and padlocks, indicators of secure sites. How do we know that the bad guys can’t arrange for those indicators to be displayed, thus defeating the whole intent? In other words, I need a brief explanation of where those come from and how sure we can be of them. Thanks.
— John Russell
That's not what https does. What that does is establish a secure connection between you and the web site. This prevents someone in between from getting the information that flows in between. So if you send your info to a store, then anyone listening in on the wifi network, the wired network, or any server between you and the store will see encrypted information which they cannot decode.
It can't be faked because your browser is sending and receiving encrypted data back and forth -- that's just a fact.
https has no bearing on whether the store on the other end is a good one and will protect your data once they have it.
For that, you need to decide whether you trust the store and its employees. Look at their reputation. But also protect yourself on your end by making sure you are using a credit card that has fraud protection and other services.