E-commerce & WordPress: Navigating the Minefield

How to navigate the e-commerce minefield so you can launch the best site possible. The presentation goes over payment gateways, how credit card processing works, merchant accounts, SSL certificates, PCI compliance, WordPress security tips and (briefly) some of the more popular e-commerce plugin solutions for WordPress.

Published in: Technology

  1. E-commerce & WordPress: Navigating the Minefield. Jonathan Davis, Ingenesis Limited, @jonathandavis
  2. $165.4 billion total e-commerce sales in 2010
  3. e-commerce is hard! Merchant accounts, payment gateways, fulfillment systems, SEO, PCI compliance, security, SSL certificates, shopping carts
  4. Navigating the Minefield: not so much! ‣ Offsite/Onsite payments ‣ Processing payments with gateways ‣ Merchant Account shopping tips ‣ Encryption certificate easy buyers guide ‣ PCI Compliance ‣ Security Tips for Ecommerce on WordPress ‣ Ecommerce Tools for WP
  5. Onsite or Offsite?
      Offsite Payments: • Extra checkout steps • Can be more confusing • No SSL certificate required • No PCI-compliance certification required • Examples: PayPal Standard or Google Checkout
      Onsite Payments: • Extra setup steps • Seamless (easy) checkout experience • Website requires SSL certificate • Merchant required to certify PCI compliance • Requires a Merchant Account
  6. payment gateway • a service to process payments online • it's a kind of PoS
  7. PayPal
      Standard: Customer leaves the website to enter payment details and does not return to the site. No setup work.
      Express Checkout: Customer jumps to PayPal to enter payment details, returns to complete the order. Not much setup work.
      Website Payments Pro: Seamless checkout onsite. Customer never leaves the store. Extra setup work.
  8. Payment Gateway Providers
  9. Credit Card Payments (diagram): Customer → Secure Web Server → authorize & capture → Payment Gateway → Banks. The banks confirm or deny and the response flows back through the gateway to the web server; the banks transfer funds to the Merchant.
  10. merchant account • a special type of bank account for accepting payments from debit or credit cards (payment cards) • an agreement between the merchant, the bank and the payment processor
  11. Merchant Accounts | Costs: Discount Rates • 3-Tiered pricing: Qualified rate, Mid-qualified rate, Non-qualified rate • 6-Tiered pricing • Interchange Plus pricing • Bill Backs
  12. Merchant Accounts | Costs: Fees • Authorization fee • Statement fee • Monthly minimum fee • Batch fee • Customer Service fee • Annual fee • Early termination fee • Chargeback fee
  13. Merchant Accounts | Tips • Some merchant account providers have their own payment gateways • Plan time to get approval • Find out about your monthly limits to prevent shutdowns • Find out about the reserve amount • Beware the chargeback
  14. encryption • the process of making information unreadable to anyone without "special knowledge" • "special knowledge" is the key
  15. TLS/SSL Encryption (Transport Layer Security/Secure Sockets Layer) • Some seriously scary technical voodoo magic • Garbles browser to server communication over the Internet • No one else can access the information • Browser uses the public key found in the certificate to encrypt information before sending it to the server • Server uses a private key to decrypt information from the browser
  16. (diagram) Customer's web browser: 4111 1111 1111 1111 → encrypt with the public key → f37b13464e451a214b39 507061af9c9a2613fbab → public internet → Secure Web Server (server side): decrypt with the private key → 4111 1111 1111 1111
  17. secure (SSL) certificate • a specialized electronic document that certifies a public encryption key to an identity
  18. Secure Certificate | Buyers Guide • Ongoing costs in the range $50–$1500/year • 3-4 certificate types: Single-domain, Multiple sub-domains, Wildcard sub-domains, Extended Validation (EV)
      Vendors: • Verisign (Costly) www.verisign.com • Comodo (Moderate) instantssl.com • GoDaddy (Cheap) godaddy.com • Network Solutions (Cheap) networksolutions.com
  19. PCI
      PCI SSC: Payment Card Industry Security Standards Council. The body responsible for managing the security standards for the industry.
      PCI-DSS: The PCI Data Security Standard. The security standards merchants are required to follow and certify their compliance with.
      PA-DSS: The Payment Application Data Security Standard. Security standards for payment applications such as payment gateways & shopping carts.
  20. PCI-DSS: 12 requirements for any business that stores, processes or transmits cardholder payment data
  21. PCI-DSS | Build and Maintain a Secure Network. Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  22. PCI-DSS | Protect Cardholder Data. Requirement 3: Protect stored cardholder data. Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  23. PCI-DSS | Maintain a Vulnerability Management Program. Requirement 5: Use and regularly update anti-virus software. Requirement 6: Develop and maintain secure systems and applications.
  24. PCI-DSS | Implement Strong Access Control Measures. Requirement 7: Restrict access to cardholder data by business need-to-know. Requirement 8: Assign a unique ID to each person with computer access. Requirement 9: Restrict physical access to cardholder data.
  25. PCI-DSS | Regularly Monitor and Test Networks. Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes.
  26. PCI-DSS | Maintain an Information Security Policy. Requirement 12: Maintain a policy that addresses information security.
  27. PCI Compliance: Assess, Remediate, Report
  28. PCI Compliance | Assess: Assess your network and IT resources for vulnerabilities. Constantly monitor access and usage of cardholder data. Log data must be available for analysis.
  29. PCI Compliance | Remediate: Remediate (fix) vulnerabilities that threaten unauthorized access to cardholder data.
  30. PCI Compliance | Report: Report compliance and present evidence that data protection controls are in place.
  31. SAQ (Self Assessment Questionnaire) • A checklist for the requirements with nice little yes/no boxes • You "assess" with it • Get it here: http://j.mp/pcisaqs
  32. WordPress Security in a Nutshell
  33. Use a Strong Password: the first line of defense against would-be hackers
  34. Avoid the 'admin' account: set up a different admin account with another name
  35. Salt your keys (the eight authentication keys and salts in wp-config.php; each value is a PHP string and must be quoted)
      ```php
      define('AUTH_KEY',         'el1%+7]b}R._7jj|fZ{XSG]Yh8#>s,qjnD}%x?w~H-y99Hk5+#+wON7=$L8iqgm-');
      define('SECURE_AUTH_KEY',  '-)pv+c~$2[6O|TBobgd+n#8H8`|QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-');
      define('LOGGED_IN_KEY',    ']MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS|)l-R9%or/?W!]VVp~du');
      define('NONCE_KEY',        'p2?y4<?z3NwtC>=|kwv#Qqx|12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z');
      define('AUTH_SALT',        '4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X ');
      define('SECURE_AUTH_SALT', 'X6@IARBL/cY-U:34s:Mw|v0{r:h`ti-I,Shm<dFxc}7goavd?zWO!6%7Xgel~^3S');
      define('LOGGED_IN_SALT',   '&>,SOL-.7cwk*Wf|&JV$hnvF/fI><]VobM2@8^Z:*_X,P=qVf>6X,p>9i!-:C`fA');
      define('NONCE_SALT',       'Tk_RGSGz4CBtvzdeFT7KRLP>Vc$y$2VqC3@+l[iQ!h`aq[4G)^9CVwZOI,7lWd0a');
      ```
  36. Hide your database tables: change the table prefix in wp-config.php from the default `$table_prefix = 'wp_';` to something unpredictable such as `$table_prefix = 'g5a21R_';`
  37. Update Everything: keep WordPress, your theme and plugins up-to-date
  38. Backup Everything: always, always, always make regular backups: files & db
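As an added example (not part of the slides or of any WordPress project code), a small Python audit of the two wp-config.php points on slides 35 and 36: it flags keys left at the sample placeholder, values shorter than 64 characters or missing entirely, and the default `wp_` table prefix, and it can emit fresh random secrets. It assumes the placeholder text `put your unique phrase here` shipped in wp-config-sample.php and the 64-character length of values from the WordPress.org secret-key generator; `WEAK_CONFIG` is a constructed sample, not a real site's file.

```python
import re
import secrets
import string

# The eight authentication keys and salts wp-config.php must define (slide 35).
WP_SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LENGTH = 64                               # the WordPress.org generator emits 64 chars
# Printable ASCII that is safe inside a single-quoted PHP string (no quote, no backslash).
SAFE_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def generate_secret(length=MIN_LENGTH):
    """Cryptographically random value for one define() line on slide 35."""
    return "".join(secrets.choice(SAFE_CHARS) for _ in range(length))


def audit_wp_config(source):
    """Return findings for the wp-config.php hardening points on slides 35 and 36."""
    findings = []
    defined = dict(DEFINE_RE.findall(source))
    for name in WP_SECRET_KEYS:
        value = defined.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_LENGTH:
            findings.append(f"{name}: only {len(value)} characters")
    prefix = PREFIX_RE.search(source)
    if prefix is None:
        findings.append("$table_prefix: not set")
    elif prefix.group(1) == "wp_":
        findings.append("$table_prefix: default 'wp_'")
    return findings


def hardened_config(prefix="g5a21R_"):
    # Constructed wp-config.php fragment: fresh secrets plus the prefix shown on slide 36.
    lines = [f"define('{name}', '{generate_secret()}');" for name in WP_SECRET_KEYS]
    lines.append(f"$table_prefix = '{prefix}';")
    return "\n".join(lines)


# Constructed sample: a fresh install never edited (7 placeholders, NONCE_SALT missing, wp_).
WEAK_CONFIG = "\n".join(
    [f"define('{name}', '{PLACEHOLDER}');" for name in WP_SECRET_KEYS[:-1]]
    + ["$table_prefix = 'wp_';"]
)
```

Running `audit_wp_config` over a real wp-config.php returns an empty list only when all eight keys are present, non-placeholder and full length and the prefix has been changed.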
  39. E-commerce Tools for WordPress: what's out there?
  40. WP eCommerce (getshopped.org) • The oldest & most widely used • Physical & digital products • A variety of payment options • Several shipping options • Marketing tools • Free + paid add-ons ($10-195)
  41. Cart66 (cart66.com) • Newest solution • Uses [shortcodes] • 7 payment solutions • Subscriptions & Membership • Free Lite Version or $89-399/year
  42. Shopp (shopplugin.net) • A popular solution • 18 payment gateways • 10 shipping options • 200+ template tags • $55 or $299 • $25 add-ons
  43. Jonathan Davis. Twitter: @jonathandavis. Email: jon@shopplugin.net. shopplugin.net