Upgrade to Pro — share decks privately, control downloads, hide ads and more …

E-commerce & WordPress: Navigating the Minefield

E-commerce & WordPress: Navigating the Minefield

This presentation provides an overview of the essential e-commerce concepts along with some basic tips for implementing an e-commerce website on Wordpress. It includes discussion of payment gateways, how credit card processing really works, merchant accounts, SSL certificates, PCI compliance, basic WordPress security tips and a very brief review of popular e-commerce solutions for WordPress.

The goal of this talk is to arm you with the right information so you can make the best decisions and recommendations for e-commerce related projects.

Learn what it takes, how to avoid the traps, save money and be successful using WordPress as an e-commerce development platform.

Jonathan Davis

October 13, 2012

More Decks by Jonathan Davis

Other Decks in Programming


  1. e-commerce is hard! payment gateways merchant accounts fulfillment systems PCI

    compliance Security SEO SSL certificates shopping carts
  2. Navigating the Minefield ‣ Offsite/Onsite payments ‣ Processing payments with

    gateways ‣ Merchant Account shopping tips ‣ Encryption certificate buyers guide ‣ PCI Compliance ‣ Security Tips for Ecommerce on WordPress ‣ Ecommerce Tools for WP easy not so much!
  3. Onsite or Offsite? Offsite Payments • Extra checkout steps •

    Can be more confusing • No SSL certificate • No PCI-compliance certification required • Examples: PayPal Standard or Google Checkout Onsite Payments • Extra setup steps • Seamless (easy) checkout experience • Website requires SSL certificate • Merchant required to certify PCI compliance • Requires a Merchant Account
  4. Standard Customer leaves the website to enter payment details and

    does not return to the site. No setup work. Express Customer jumps to PayPal to enter payment details, returns to complete the order. Not much setup work. Pro Seamless checkout onsite. Customer never leaves the store. Extra setup work.
  5. Customer Secure Web Server Payment Gateway Banks Merchant Credit Card

    Payments order authorize & capture confirm funds transferred response response response
  6. merchant account • a special type of bank account for

    accepting payments from debit or credit cards (payment cards) • an agreement between the merchant, the bank and payment processor
  7. Merchant Accounts | Costs Discount Rates • 3-Tiered pricing •

    Qualified Rate • Mid-qualified rate • Non-qualified rate • 6-Tiered pricing • Interchange Plus Pricing • Bill Backs
  8. Merchant Accounts | Costs Fees • Authorization fee • Statement

    fee • Monthly minimum fee • Batch fee • Customer Service fee • Annual fee • Early termination fee • Chargeback fee
  9. Merchant Accounts | Tips • Some merchant account providers have

    their own payment gateways • Plan time to get approval • Find out about your monthly limits to prevent shutdowns • Find out about the reserve amount • Beware the chargeback
  10. encryption • the process of making information unreadable to anyone

    without “special knowledge” • “special knowledge” is the key
  11. Customer Secure Web Server 4111 1111 1111 1111 encrypt 4111

    1111 1111 1111 decrypt f37b13464e451a214b39 507061af9c9a2613fbab public private public internet web browser server side
  12. Secure Certificate | Buyers Guide • Ongoing costs in the

    range $50–$1500/year • 3-4 certificate types: • Single-domain • Multiple domains (UCC) • Wildcard sub-domains • Extended Validation (EV) Vendors • Verisign (Costly) www.verisign.com • Comodo (Moderate) instantssl.com • GoDaddy (Cheap) godaddy.com • Network Solutions (Cheap) networksolutions.com
  13. PCI-DSS Build and Maintain a Secure Network Requirement 1: Install

    and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  14. PCI-DSS Protect Cardholder Data Requirement 3: Protect stored cardholder data

    Requirement 4: Encrypt transmission of cardholder data across open, public networks
  15. PCI-DSS Maintain a Vulnerability Management Program Requirement 5: Use and

    regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications
  16. PCI-DSS Implement Strong Access Control Measures Requirement 7: Restrict access

    to cardholder data by business need-to- know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data
  17. PCI-DSS Regularly Monitor and Test Networks Requirement 10: Track and

    monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes
  18. PCI Compliance Assess Remediate Report Assess your network and IT

    resources for vulnerabilities. Constantly monitor access and usage of cardholder data. Log data must be available for analysis
  19. SAQ Self Assessment Questionnaire • A checklist for the requirements

    with nice little yes/no boxes • You “assess” with it • Get it here: http://j.mp/pcisaqs
  20. Salt your keys define('AUTH_KEY', 'el1%+7]b}R._7jj|fZ{XSG]Yh8#>s,qjnD}%x?w~H-y99Hk5+#+wON7=$L8iqgm-'); define('SECURE_AUTH_KEY', '-)pv+c~$2[6O|TBobgd+n#8H8`|QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-'); define('LOGGED_IN_KEY', ']MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS|)l-R9%or/?W!]VVp~du');

    define('NONCE_KEY', 'p2?y4<?z3NwtC>=|kwv#Qqx|12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z'); define('AUTH_SALT', '4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X '); define('SECURE_AUTH_SALT', 'X6@IARBL/cY-U:34s:Mw|v0{r:h`ti-I,Shm<dFxc}7goavd?zWO!6%7Xgel~^3S'); define('LOGGED_IN_SALT', '&>,SOL-.7cwk*Wf|&JV$hnvF/fI><]VobM2@8^Z:*_X,P=qVf>6X,p>9i!-:C`fA'); define('NONCE_SALT', 'Tk_RGSGz4CBtvzdeFT7KRLP>Vc$y$2VqC3@+l[iQ!h`aq[4G)^9CVwZOI,7lWd0a');
  21. WP eCommerce getshopped.org Free! + paid add-ons ($17-197) The oldest

    & widely used Physical & digital products 9 official payment processors Built-in shipping calculators + 5 real-time shipping plugins Works with most WP themes
  22. Cart66 cart66.com Free Lite Version OR $89, $179, $299 per

    year Newest solution Uses [shortcodes] 13 payment solutions Subscriptions (Pro-only) Works with most WP themes
  23. Jigoshop jigoshop.com Free + paid addons $5-$100 OR $500 Club

    Membership Full e-commerce solution 7 builtin payment systems 27 payment systems available 2 basic shipping included 5 realtime shipping rates 6 officially supported themes
  24. WooCommerce woothemes.com Free + paid addons $15-$75 Fork of Jigoshop

    5 builtin payment systems 79 payment systems available 3 basic shipping included 11 realtime shipping rates 23 officially supported themes
  25. Shopp shopplugin.net $55 or $299 + $25 addons Full featured,

    Dev friendly 5 builtin payment systems 33 payment solutions 7 builtin shipping calculators 16 templates, 500+ API calls Works with most WP themes
  26. Other Solutions Ready! Ecommerce readyshoppingcart.com Easy Digital Downloads easydigitaldownloads.com WP

    eStore tipsandtricks-hq.com MarketPress premium.wpmudev.org/project/ecommerce/ eShop quirm.net ecwid ecwid.com Event Espresso eventespresso.com