E-commerce & WordPress: Navigating the Minefield

E-commerce & WordPress: Navigating the Mineﬁeld Jonathan Davis, Ingenesis Limited @jonathandavis

$165.4 billion total e-commerce sales in 2010

merchant accounts payment gateways fulﬁllment systems e-commerce is hard! SEOPCI compliance Security SSL certiﬁcates shopping carts

Navigating the Minefield not so much!‣ Offsite/Onsite payments ‣ Encryption certificate easy buyers guide‣ Processing payments with gateways ‣ PCI Compliance‣ Merchant Account ‣ Security Tips for shopping tips Ecommerce on WordPress ‣ Ecommerce Tools for WP

Onsite or Offsite?Offsite Payments Onsite Payments• Extra checkout steps • Extra setup steps• Can be more confusing • Seamless (easy) checkout experience• No SSL certificate • Website requires• No PCI-compliance SSL certificate certification required • Merchant required to certify• Examples: PayPal Standard or PCI compliance Google Checkout • Requires a Merchant Account

payment gateway• a service to process payments online• it’s a kind of PoS

PayPal Standard Express Checkout WebsitePaymentsProCustomer leaves Customer jumps to Seamless checkoutthe website to PayPal to enter onsite. Customerenter payment payment details, never leaves thedetails and does returns to complete store. Extra setupnot return to the the order. Not work.site. No setup work. much setup work.

Payment Gateway Providers

Credit Card Payments Secure authorize & capture Payment GatewayWeb Server response co e nﬁ r ns de rm po or s re re s po ns e Customer Banks d re fer ns tra n ds fu Merchant

merchant account• a special type of bank account for accepting payments from debit or credit cards (payment cards)• an agreement between the merchant, the bank and payment processor

Merchant Accounts | CostsDiscount Rates• 3-Tiered pricing • 6-Tiered pricing • Qualified Rate • Interchange Plus Pricing • Mid-qualified rate • Bill Backs • Non-qualified rate

Merchant Accounts | CostsFees• Authorization fee • Customer Service fee• Statement fee • Annual fee• Monthly minimum fee • Early termination fee• Batch fee • Chargeback fee

Merchant Accounts | Tips• Some merchant account providers have their own payment gateways• Plan time to get approval• Find out about your monthly limits to prevent shutdowns• Find out about the reserve amount• Beware the chargeback

encryption• the process of making information unreadable to anyone without “special knowledge”• “special knowledge” is the key

TLS/SSL Encryption Transport Layer Security/Secure Sockets Layer• Some seriously scary • Browser uses the public key technical voodoo magic found in the certiﬁcate to• Garbles browser to server encrypt information before communication over the sending it to the server Internet • Server uses a private key to• No one else can access the decrypt information from the information browser

Customer 4111 1111 1111 1111 encryptweb browser public f37b13464e451a214b39 507061af9c9a2613fbabpublic internet 4111 1111 1111 1111 decrypt private Secure Web Serverserver side

secure (SSL) certificate• a specialized electronic document certiﬁes a public encryption key to an identity

Secure Certiﬁcate | Buyers Guide• Ongoing costs in the range Vendors $50–$1500/year • Verisign (Costly)• 3-4 certiﬁcate types: www.verisign.com • Single-domain • Comodo (Moderate) • Multiple sub-domains instantssl.com • Wildcard sub-domains • GoDaddy (Cheap) • Extended Validation (EV) godaddy.com • Network Solutions (Cheap) networksolutions.com

PCIPCI SSC PCI-DSS PA-DSSPayment Card The PCI Data The PaymentIndustry Security Security Standard Application DataStandards Council Security Standard The securityThe body standards Security standardsresponsible for merchants are for paymentmanaging the required to follow applications such assecurity standards and certify their payment gatewaysfor the industry compliance & shopping carts

PCI-DSS12 requirements for any business that stores, processes or transmits cardholder payment data

PCI-DSS Build and Maintain a Secure NetworkRequirement 1: Requirement 2:Install and maintain a ﬁrewall Do not use vendor-suppliedconﬁguration to protect defaults for system passwordscardholder data and other security parameters

PCI-DSS Protect Cardholder DataRequirement 3: Requirement 4:Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks

PCI-DSSMaintain a Vulnerability Management ProgramRequirement 5: Requirement 6:Use and regularly update Develop and maintain secureanti-virus software systems and applications

PCI-DSS Implement Strong Access Control MeasuresRequirement 7: Requirement 8: Requirement 9:Restrict access to Assign a unique ID Restrict physicalcardholder data by to each person with access tobusiness need-to- computer access cardholder dataknow

PCI-DSS Regularly Monitor and Test NetworksRequirement 10: Requirement 11:Track and monitor all access to Regularly test security systemsnetwork resources and and processescardholder data

PCI-DSSMaintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security

PCI ComplianceAssess Remediate Report

PCI ComplianceAssess Remediate ReportAssess your network and IT resources for vulnerabilities.Constantly monitor access and usage of cardholder data. Logdata must be available for analysis

PCI ComplianceAssess Remediate ReportRemediate (ﬁx) vulnerabilities that threaten unauthorizedaccess to cardholder data

PCI ComplianceAssess Remediate ReportReport compliance and present evidence that data protectioncontrols are in place

SAQ Self Assessment Questionnaire• A checklist for the requirements with nice little yes/no boxes• You “assess” with it• Get it here: http://j.mp/pcisaqs

WordPress Security in a Nutshell

Use a Strong PasswordThe ﬁrst line of defense against would-be hackers

Avoid the ‘admin’ accountSetup a diﬀerent admin account with another name

Salt your keysdefine(AUTH_KEY, el1%+7]b}R._7jj|fZ{XSG]Yh8#>s,qjnD}%x?w~H-y99Hk5+#+wON7=$L8iqgm-);define(SECURE_AUTH_KEY, -)pv+c~$2[6O|TBobgd+n#8H8`|QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-);define(LOGGED_IN_KEY, ]MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS|)l-R9%or/?W!]VVp~du);define(NONCE_KEY, p2?y4<?z3NwtC>=|kwv#Qqx|12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z);define(AUTH_SALT, 4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X );define(SECURE_AUTH_SALT, X6@IARBL/cY-U:34s:Mw|v0{r:h`ti-I,Shm<dFxc}7goavd?zWO!6%7Xgel~^3S);define(LOGGED_IN_SALT, &>,SOL-.7cwk*Wf|&JV$hnvF/fI><]VobM2@8^Z:*_X,P=qVf>6X,p>9i!-:C`fA);define(NONCE_SALT, Tk_RGSGz4CBtvzdeFT7KRLP>Vc$y$2VqC3@+l[iQ!h`aq[4G)^9CVwZOI,7lWd0a);

Hide your database tables Change the table preﬁx: $table_prefix = ‘wp_’; $table_prefix = ‘g5a21R_’;

Update EverythingKeep WordPress, your theme and plugins up-to-date

Backup EverythingAlways, always, always make regular backups: ﬁles & db

E-commerce Tools for WordPress What’s out there?

WP eCommerce getshopped.orgThe oldest & most widely used Physical & digital products A variety of payment options Several shipping options Marketing toolsFree + paid add-ons ($10-195)

Cart66 cart66.com Newest solution Uses [shortcodes] 7 payment solutionsSubscriptions & Membership Free Lite Version or $89-399/year

Shopp shopplugin.net A popular solution18 payment gateways 10 shipping options 200+ template tags $55 or $299 $25 add-ons

Jonathan Davis Twitter: @jonathandavisEmail: jon@shopplugin.net shopplugin.net

http://www.ilovecolors.com.ar	410
http://www.thetechscoop.net	193
http://planetwordpress.planetozh.com	154
http://feeds.feedburner.com	90
http://adesignjourney.com	36
http://paper.li	22
http://www.atslearn.com	20
http://lanyrd.com	18
http://twitter.com	6
http://127.0.0.1:8795	2
http://www.zhuaxia.com	2
https://twitter.com	2
http://planetewordpress.planetozh.com	1
https://mail.google.com	1
http://webcache.googleusercontent.com	1
http://trunk.ly	1
http://feedproxy.google.com	1

E-commerce & WordPress: Navigating the Minefield

by Ingenesis Limited on May 14, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

17 Embeds 960

Statistics

E-commerce & WordPress: Navigating the Minefield — Presentation Transcript