
E-commerce information security (user trust)

WordCamp Chicago 2016 talk on gaining customers' trust and safeguarding their information during their experience with your e-commerce site.

  1. Customer Information Security in E-Commerce. Andrew Wikel, WooCommerce Ninja, @slash1andy
  2. About WooCommerce: We are the #1 e-commerce plugin for WordPress. We currently power approx. 37% of all online stores.
  3. I Like Legos. And Star Wars. And Star Wars Legos.
  4. My Background
     • I love WordPress
     • I’ve been working with it since 2008
     • I worked for a non-profit for 7 years before coming to WooThemes, and then Automattic
     • I work in Payment Gateways Support for WooCommerce at Automattic
  5. The #1 tip for people accepting payment online: Respect your users’ data, and treat it as your own.
  6. It’s all about trust. Getting your users to trust you, and keeping that trust by securing their info.
  7. User Trust: This is huge. If you don’t have the users’ trust, they won’t give you money. There are many factors, and not all of them are technical.
  8. Cart Abandonment
     • Approx. 67% of customers on average never complete checkout
     • There is a huge barrier in getting customers to checkout
  9. Optimize Checkout Process
     • Tear down the “sign-in” barrier: don’t disconnect your customer from giving you money. Customers can resent being forced to create an account.
     • Provide a progress indicator: let people know how long the process is, and where they are in it.
     • Match the checkout with your site’s look and feel
     • Never send your customer outside the checkout process once they are there.
     • Visually reinforce all sensitive fields on the payment page
  10. Smashing Magazine Study: There is a clear divergence between the customer’s mental model of form-field security and the actual security. Many test subjects didn’t think about security until they had to enter their credit card details. As one test subject who had just abandoned their purchase said, “It didn’t look safe enough.” Her reaction wasn’t based on the technical security of the website, but rather on the perceived security of the fields. Source: http://www.smashingmagazine.com/2011/04/06/fundamental-guidelines-of-e-commerce-checkout-design/
  11. PCI Compliance
     • The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules that ALL companies that process, store, or transmit credit card info have to follow to maintain security.
     • PCI-DSS SAQ A is where you want to be.
  12. There are a Lot of Implications
     • Your payment gateway is the place that your customers are trusting to be safe with their info
     • Not only do you have to trust completely that they won’t betray *your* trust, but your user does too.
     • Different gateways have varying security methods, some better than others.
  13. On-Site Processing
     • That just means that the payment stays on your site, rather than sending your customers to another site to checkout.
     • There are multiple ways to make this happen, varying in the security of the methods.
  14. Off-Site Processing
     • That just means that your customers are sent to another site to complete payment, and then that site sends your store a notification that payment was complete.
  15. PCI-DSS SAQ A-EP
     • This includes a lot of the payment gateways in use, including most authorize.net integrations, etc.
  16. PCI-DSS SAQ-A
     • Methods like PayPal and other redirect methods are definitely under SAQ-A.
     • Other methods that qualify include Stripe, Pay With Amazon, and Braintree (at least the integrations that we make), since they are all iFrames coming directly from the payment processor.
  17. Payment Options. I recommend 4 payment gateways: A. Stripe B. PayPal C. Amazon D. Braintree
  18. That is the theory.
  19. Guarding Their Info
  20. Do
     • Have a clear, user-friendly privacy policy
     • Make your email lists strictly opt-in
     • Use SSL on EVERY SINGLE PAGE that has a checkout form, login form, etc. There are no exceptions.
  21. Don’t
     • Some people obscure their return policy or privacy policy.
     • It’s a bad idea to mail people without their permission, or to sell or give their info to others.
     • One of the worst things you can do is have a credit card form on a plain HTTP page. Please just don’t.
  22. Privacy Policy
     • *Have* a privacy policy. Almost a majority of small business owners don’t have one.
     • Use minimal “legalese”, with the user retaining their rights to privacy.
     • Ask for as few permissions and as little information as possible. Not only does that improve your chances of getting it, but it limits the info you have to care for.
  23. Mailing Lists
     • Mailing lists should be double opt-in, with few exceptions.
     • There are a lot of guidelines to email marketing that you should look into (laws you have to comply with, etc.).
     • Use a reputable email service to send out your emails. You can get a service like MailChimp at a low cost, and the tools that they have are worth it.
  24. Why All This Work?
     • Giving your customers the power to make decisions about what information they do and don’t want you to have is always good for business.
     • You want your customers to feel empowered, able to choose, and aware of what is happening with their data.
     • Knowledge and transparency = Trust
  25. SSL: The tl;dr
  26. • Purchase and install an SSL certificate
     • Update your site URL in WordPress
     • Force HTTPS throughout the site
     • Resolve any insecure elements on your pages
     • Update Google Webmaster Tools and Google Analytics
  27. Installing an SSL Certificate
     • Purchase from your host, and have them install it (hands down the easiest way)
     • Use https://letsencrypt.org/ (FREE)
     • Do it yourself (slightly masochistic, but ¯\_(ツ)_/¯)
  28. Forcing HTTPS
     • Set your blog/site URL in WordPress general settings
     • Use WordPress Force HTTPS
     • .htaccess rewrite rules
  29. Resolving Mixed Content
     • Use Better Search Replace (replace http with https in the posts and postmeta tables)
     • Your theme and/or plugins could also be loading assets over a hardcoded http call; you can sometimes fix those with child themes, or you might be better off switching themes/plugins.
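The two steps above (rewrite stored http:// URLs, then find whatever is still loaded insecurely) as an added Python example; this is not code from the talk or from WordPress. The sample HTML and the host names in it (shop.example.com, cdn.partner.example, images.example.net, js.gateway.example) are constructed. One caveat the search-and-replace step hides: a blanket http-to-https replace also rewrites third-party URLs, and a host that does not serve HTTPS then fails outright, so the rewrite below touches only the store's own host and the scanner reports what is left.

```python
"""Mixed-content helpers for a WordPress store that has just moved to HTTPS.

Added example, not code from the talk. The sample HTML and the host names
(shop.example.com, cdn.partner.example, images.example.net) are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Resources browsers block outright when loaded over http:// on an https:// page.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
# Resources browsers still load but flag with a warning (and break the padlock).
PASSIVE_TAGS = {"img", "audio", "video", "source"}
URL_ATTRS = ("src", "href", "data")


class _ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for every attribute that loads a sub-resource."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS and tag not in PASSIVE_TAGS:
            return  # <a href> is navigation, not a loaded resource
        attr = dict(attrs)
        if tag == "link" and "stylesheet" not in (attr.get("rel") or "").lower():
            return  # rel="canonical"/"alternate" links are metadata, not loaded
        for name in URL_ATTRS:
            if attr.get(name):
                self.resources.append((tag, attr[name]))


def find_mixed_content(html):
    """Return one {"tag", "url", "severity"} dict per resource still on plain http."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        if urlparse(url).scheme.lower() != "http":
            continue  # https://, protocol-relative (//) and relative paths are fine
        severity = "active" if tag in ACTIVE_TAGS else "passive"
        findings.append({"tag": tag, "url": url, "severity": severity})
    return findings


def upgrade_own_urls(html, site_host):
    """Rewrite http://<site_host>/... to https://, leaving every other host alone.

    The lookahead stops "shop.example.com" from also matching a longer host
    such as "shop.example.com.evil".
    """
    pattern = re.compile(
        r"http://" + re.escape(site_host) + r"(?=[/\"'?#\s]|$)", re.IGNORECASE
    )
    return pattern.sub("https://" + site_host, html)


# Constructed sample: a checkout page right after the site URL was switched to https.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://shop.example.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://shop.example.com/checkout/">
<script src="http://cdn.partner.example/widget.js"></script>
<script src="https://js.gateway.example/v3/"></script>
</head><body>
<img src="http://shop.example.com/wp-content/uploads/hero.jpg">
<img src="//images.example.net/logo.png">
<a href="http://shop.example.com/returns/">Returns</a>
</body></html>"""

if __name__ == "__main__":
    stages = (("before", SAMPLE_HTML),
              ("after", upgrade_own_urls(SAMPLE_HTML, "shop.example.com")))
    for stage, doc in stages:
        print(stage)
        for f in find_mixed_content(doc):
            print("  %-7s <%s> %s" % (f["severity"], f["tag"], f["url"]))
```

Run against the sample, the scan reports three problems before the rewrite (the theme stylesheet and partner script as active mixed content, the hero image as passive) and one after: the partner script on cdn.partner.example, which is exactly the kind of hardcoded third-party http call the slide says a child theme or a plugin swap has to fix.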
  30. Security
  31. Probably the Easiest One
     • Keep *all the things* updated:
     • Themes
     • Plugins
     • WordPress
  32. General WordPress Security
     • Use strong passwords. Seriously, stop using your cat’s name.
     • Change the username from “admin” or other easy-to-guess ones
     • Your database username and password are also at risk.
     • Disable file editing from the WordPress admin: define( 'DISALLOW_FILE_EDIT', true );
  33. Security Plugins
     • Prevention
     • Scans
     • Backups
  34. Security Plugins
     • Jetpack
     • Wordfence
     • iThemes Security
     • Sucuri
  35. Hosting
     • Your host plays a critical role in your security.
     • Never pick a host that starts you out on a PHP version lower than 5.4
     • They should have firewalls in place, have correct file permissions set up, not allow connections via plain FTP, etc.
     • Shared hosting is cheap, but it’s probably not really worth the risk.
  36. Use Good Code
     • Pick plugins/themes with good support behind them.
     • A lot of the time, this means premium code (you might have to pay for it)
  37. Limit External Connections
     • Sometimes you use 3rd-party solutions for parts of your store (shipping, tax, inventory, accounting, etc.)
     • Even things that don’t relate to your store can potentially have access.
     • Make sure you investigate who has what of your site’s data, what their security is like, and what their privacy policy is like.
  38. The #1 tip for people accepting payment online: Respect your users’ data, and treat it as your own.
  39. @slash1andy @WooThemes @Automattic