E-commerce & WordPress: Navigating the Minefield


How to navigate the e-commerce minefield so you can launch the best site possible. The presentation goes over payment gateways, how credit card processing works, merchant accounts, SSL certificates, PCI compliance, WordPress security tips and (briefly) some of the more popular e-commerce plugin solutions for WordPress.

  • 1. E-commerce & WordPress: Navigating the Minefield
    Jonathan Davis, Ingenesis Limited, @jonathandavis
  • 2. $165.4 billion total e-commerce sales in 2010
  • 3. e-commerce is hard!
    merchant accounts, payment gateways, fulfillment systems, SEO, PCI compliance, security, SSL certificates, shopping carts
  • 4. Navigating the Minefield: not so much!
    ‣ Offsite/Onsite payments
    ‣ Processing payments with gateways
    ‣ Merchant Account shopping tips
    ‣ Encryption certificate easy buyers guide
    ‣ PCI Compliance
    ‣ Security Tips for Ecommerce on WordPress
    ‣ Ecommerce Tools for WP
  • 5. Onsite or Offsite?
    Offsite Payments:
    • Extra checkout steps
    • Can be more confusing
    • No SSL certificate required
    • No PCI-compliance certification required
    • Examples: PayPal Standard or Google Checkout
    Onsite Payments:
    • Extra setup steps
    • Seamless (easy) checkout experience
    • Website requires an SSL certificate
    • Merchant required to certify PCI compliance
    • Requires a Merchant Account
  • 6. payment gateway
    • a service to process payments online
    • it's a kind of PoS (point of sale)
  • 7. PayPal: Standard / Express Checkout / Website Payments Pro
    PayPal Standard: Customer leaves the website to enter payment details and does not return to the site. No setup work.
    Express Checkout: Customer jumps to PayPal to enter payment details, returns to complete the order. Not much setup work.
    Website Payments Pro: Seamless checkout onsite. Customer never leaves the store. Extra setup work.
  • 8. Payment Gateway Providers
  • 9. Credit Card Payments (diagram): Customer → Web Server → Payment Gateway (secure authorize & capture) → Banks; the response confirms or denies the charge, and the banks transfer funds to the Merchant.
  • 10. merchant account
    • a special type of bank account for accepting payments from debit or credit cards (payment cards)
    • an agreement between the merchant, the bank and the payment processor
  • 11. Merchant Accounts | Costs: Discount Rates
    • 3-Tiered pricing
      • Qualified rate
      • Mid-qualified rate
      • Non-qualified rate
    • 6-Tiered pricing
    • Interchange Plus pricing
    • Bill Backs
  • 12. Merchant Accounts | Costs: Fees
    • Authorization fee
    • Statement fee
    • Monthly minimum fee
    • Batch fee
    • Customer Service fee
    • Annual fee
    • Early termination fee
    • Chargeback fee
  • 13. Merchant Accounts | Tips
    • Some merchant account providers have their own payment gateways
    • Plan time to get approval
    • Find out about your monthly limits to prevent shutdowns
    • Find out about the reserve amount
    • Beware the chargeback
  • 14. encryption
    • the process of making information unreadable to anyone without "special knowledge"
    • "special knowledge" is the key
  • 15. TLS/SSL Encryption (Transport Layer Security / Secure Sockets Layer)
    • Some seriously scary technical voodoo magic
    • Garbles browser to server communication over the Internet
    • No one else can access the information
    • Browser uses the public key found in the certificate to encrypt information before sending it to the server
    • Server uses a private key to decrypt information from the browser
  • 16. (diagram) Customer's web browser encrypts 4111 1111 1111 1111 with the public key; the ciphertext f37b13464e451a214b39507061af9c9a2613fbab travels over the public internet; the Secure Web Server decrypts it with the private key (server side) and recovers 4111 1111 1111 1111.
  • 17. secure (SSL) certificate
    • a specialized electronic document that certifies a public encryption key to an identity
  • 18. Secure Certificate | Buyers Guide
    • Ongoing costs in the range $50–$1500/year
    • 3-4 certificate types:
      • Single-domain
      • Multiple sub-domains
      • Wildcard sub-domains
      • Extended Validation (EV)
    Vendors:
    • Verisign (Costly): www.verisign.com
    • Comodo (Moderate): instantssl.com
    • GoDaddy (Cheap): godaddy.com
    • Network Solutions (Cheap): networksolutions.com
  • 19. PCI
    PCI SSC: Payment Card Industry Security Standards Council. The body responsible for managing the security standards for the industry.
    PCI-DSS: The PCI Data Security Standard. The security standards merchants are required to follow and certify their compliance with.
    PA-DSS: The Payment Application Data Security Standard. Security standards for payment applications such as payment gateways & shopping carts.
  • 20. PCI-DSS: 12 requirements for any business that stores, processes or transmits cardholder payment data
  • 21. PCI-DSS | Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • 22. PCI-DSS | Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • 23. PCI-DSS | Maintain a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software
    Requirement 6: Develop and maintain secure systems and applications
  • 24. PCI-DSS | Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need-to-know
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 9: Restrict physical access to cardholder data
  • 25. PCI-DSS | Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes
  • 26. PCI-DSS | Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security
  • 27. PCI Compliance: Assess, Remediate, Report
  • 28. PCI Compliance | Assess: Assess your network and IT resources for vulnerabilities. Constantly monitor access to and usage of cardholder data. Log data must be available for analysis.
  • 29. PCI Compliance | Remediate: Remediate (fix) vulnerabilities that threaten unauthorized access to cardholder data.
  • 30. PCI Compliance | Report: Report compliance and present evidence that data protection controls are in place.
  • 31. SAQ (Self Assessment Questionnaire)
    • A checklist for the requirements with nice little yes/no boxes
    • You "assess" with it
    • Get it here: http://j.mp/pcisaqs
  • 32. WordPress Security in a Nutshell
  • 33. Use a Strong Password: the first line of defense against would-be hackers
  • 34. Avoid the 'admin' account: set up a different admin account with another name
  • 35. Salt your keys (wp-config.php)
    define('AUTH_KEY',         'el1%+7]b}R._7jj|fZ{XSG]Yh8#>s,qjnD}%x?w~H-y99Hk5+#+wON7=$L8iqgm-');
    define('SECURE_AUTH_KEY',  '-)pv+c~$2[6O|TBobgd+n#8H8`|QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-');
    define('LOGGED_IN_KEY',    ']MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS|)l-R9%or/?W!]VVp~du');
    define('NONCE_KEY',        'p2?y4<?z3NwtC>=|kwv#Qqx|12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z');
    define('AUTH_SALT',        '4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X ');
    define('SECURE_AUTH_SALT', 'X6@IARBL/cY-U:34s:Mw|v0{r:h`ti-I,Shm<dFxc}7goavd?zWO!6%7Xgel~^3S');
    define('LOGGED_IN_SALT',   '&>,SOL-.7cwk*Wf|&JV$hnvF/fI><]VobM2@8^Z:*_X,P=qVf>6X,p>9i!-:C`fA');
    define('NONCE_SALT',       'Tk_RGSGz4CBtvzdeFT7KRLP>Vc$y$2VqC3@+l[iQ!h`aq[4G)^9CVwZOI,7lWd0a');
  • 36. Hide your database tables: change the table prefix in wp-config.php
    $table_prefix = 'wp_';
    $table_prefix = 'g5a21R_';
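Slides 35 and 36 show the two wp-config.php edits but not how to produce the values or how to tell whether an existing install still carries the defaults. This Python helper is an added example (not from the slides, and not WordPress's own secret-key service) that draws the eight secrets from the OS CSPRNG, picks a random table prefix, flags values that are still the wp-config-sample.php placeholder, too short, or reused between keys, and renders the PHP lines; the character set and prefix shape are my own choices, limited to what a PHP single-quoted string and a MySQL table name accept without escaping.

```python
import secrets
import string

# The eight secrets wp-config.php defines, in the order the file lists them.
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Placeholder value shipped in wp-config-sample.php; it must never survive.
DEFAULT_PHRASE = "put your unique phrase here"

# Printable ASCII minus space, quote and backslash, so a value drops into a
# PHP single-quoted string without escaping (our own choice of alphabet).
SALT_ALPHABET = "".join(c for c in string.printable
                        if c.isprintable() and c not in " '\\")

def make_salt(length: int = 64) -> str:
    """One secret from the OS CSPRNG, 64 characters like WordPress uses."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))

def generate_wp_secrets() -> dict:
    """Fresh, independent values for all eight keys and salts."""
    return {name: make_salt() for name in WP_KEYS}

def weak_secrets(values: dict) -> list:
    """Names whose value is the sample placeholder, too short, or reused."""
    seen = {}
    for name in WP_KEYS:
        seen.setdefault(values.get(name, ""), []).append(name)
    flagged = []
    for name in WP_KEYS:
        v = values.get(name, "")
        if v == DEFAULT_PHRASE or len(v) < 64 or len(seen[v]) > 1:
            flagged.append(name)
    return flagged

def make_table_prefix(length: int = 6) -> str:
    """Random prefix: a letter, then letters/digits, ending in '_'
    (WordPress accepts only letters, digits and underscore here)."""
    alnum = string.ascii_lowercase + string.digits
    body = secrets.choice(string.ascii_lowercase)
    body += "".join(secrets.choice(alnum) for _ in range(length - 1))
    return body + "_"

def render_wp_config_lines(values: dict, prefix: str) -> str:
    """The PHP lines to paste into wp-config.php."""
    lines = [f"define('{name}', '{values[name]}');" for name in WP_KEYS]
    lines.append(f"$table_prefix = '{prefix}';")
    return "\n".join(lines)
```

Changing the prefix on an existing site also means renaming the tables and the prefixed rows in the options and usermeta tables, so do it at install time or with a backup in hand (slide 38).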
  • 37. Update Everything: keep WordPress, your theme and plugins up-to-date
  • 38. Backup Everything: always, always, always make regular backups: files & db
  • 39. E-commerce Tools for WordPress: What's out there?
  • 40. WP eCommerce (getshopped.org): the oldest & most widely used; physical & digital products; a variety of payment options; several shipping options; marketing tools; free + paid add-ons ($10–195)
  • 41. Cart66 (cart66.com): newest solution; uses [shortcodes]; 7 payment solutions; subscriptions & membership; free Lite version or $89–399/year
  • 42. Shopp (shopplugin.net): a popular solution; 18 payment gateways; 10 shipping options; 200+ template tags; $55 or $299; $25 add-ons
  • 43. Jonathan Davis, Twitter: @jonathandavis, Email: jon@shopplugin.net, shopplugin.net