E-commerce & WordPress: Navigating the Minefield

Transcript

1. E-commerce & WordPress: Navigating the Minefield Jonathan Davis, Ingenesis Limited

   @jonathandavis

2. $165.4 billion total US e-commerce sales in 2010 Source: US

   Commerce Department

3. $193.6 billion total US e-commerce sales in 2011 Source: US

   Commerce Department

4. e-commerce is hard! payment gateways merchant accounts fulfillment systems PCI

   compliance Security SEO SSL certificates shopping carts
5. None

6. Navigating the Minefield ‣ Offsite/Onsite payments ‣ Processing payments with

   gateways ‣ Merchant Account shopping tips ‣ Encryption certificate buyers guide ‣ PCI Compliance ‣ Security Tips for Ecommerce on WordPress ‣ Ecommerce Tools for WP easy not so much!

7. Onsite or Offsite? Offsite Payments • Extra checkout steps •

   Can be more confusing • No SSL certificate • No PCI-compliance certification required • Examples: PayPal Standard or Google Checkout Onsite Payments • Extra setup steps • Seamless (easy) checkout experience • Website requires SSL certificate • Merchant required to certify PCI compliance • Requires a Merchant Account

8. payment gateway • a service to process payments online •

   it’s a kind of PoS

9. Standard Customer leaves the website to enter payment details and

   does not return to the site. No setup work. Express Customer jumps to PayPal to enter payment details, returns to complete the order. Not much setup work. Pro Seamless checkout onsite. Customer never leaves the store. Extra setup work.

10. Payment Gateway Providers

11. Customer Secure Web Server Payment Gateway Banks Merchant Credit Card

    Payments order authorize & capture confirm funds transferred response response response

12. merchant account • a special type of bank account for

    accepting payments from debit or credit cards (payment cards) • an agreement between the merchant, the bank and payment processor

13. Merchant Accounts | Costs Discount Rates • 3-Tiered pricing •

    Qualified Rate • Mid-qualified rate • Non-qualified rate • 6-Tiered pricing • Interchange Plus Pricing • Bill Backs

14. Merchant Accounts | Costs Fees • Authorization fee • Statement

    fee • Monthly minimum fee • Batch fee • Customer Service fee • Annual fee • Early termination fee • Chargeback fee

15. Merchant Accounts | Tips • Some merchant account providers have

    their own payment gateways • Plan time to get approval • Find out about your monthly limits to prevent shutdowns • Find out about the reserve amount • Beware the chargeback

16. encryption • the process of making information unreadable to anyone

    without “special knowledge” • “special knowledge” is the key

17. Customer Secure Web Server 4111 1111 1111 1111 encrypt 4111

    1111 1111 1111 decrypt f37b13464e451a214b39 507061af9c9a2613fbab public private public internet web browser server side

18. secure (SSL) certificate • a specialized electronic document certifies a

    public encryption key to an identity

19. Secure Certificate | Buyers Guide • Ongoing costs in the

    range $50–$1500/year • 3-4 certificate types: • Single-domain • Multiple domains (UCC) • Wildcard sub-domains • Extended Validation (EV) Vendors • Verisign (Costly) www.verisign.com • Comodo (Moderate) instantssl.com • GoDaddy (Cheap) godaddy.com • Network Solutions (Cheap) networksolutions.com

20. PCI-DSS 12 requirements for any business that stores, processes or

    transmits cardholder payment data

21. PCI-DSS Build and Maintain a Secure Network Requirement 1: Install

    and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

22. PCI-DSS Protect Cardholder Data Requirement 3: Protect stored cardholder data

    Requirement 4: Encrypt transmission of cardholder data across open, public networks

23. PCI-DSS Maintain a Vulnerability Management Program Requirement 5: Use and

    regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications

24. PCI-DSS Implement Strong Access Control Measures Requirement 7: Restrict access

    to cardholder data by business need-to- know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data

25. PCI-DSS Regularly Monitor and Test Networks Requirement 10: Track and

    monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes

26. PCI-DSS Maintain an Information Security Policy Requirement 12: Maintain a

    policy that addresses information security

27. PCI Compliance Assess Remediate Report

28. PCI Compliance Assess Remediate Report Assess your network and IT

    resources for vulnerabilities. Constantly monitor access and usage of cardholder data. Log data must be available for analysis

29. PCI Compliance Assess Remediate Report Remediate (fix) vulnerabilities that threaten

    unauthorized access to cardholder data

30. PCI Compliance Assess Remediate Report Report compliance and present evidence

    that data protection controls are in place

31. SAQ Self Assessment Questionnaire • A checklist for the requirements

    with nice little yes/no boxes • You “assess” with it • Get it here: http://j.mp/pcisaqs

32. WordPress Security in a Nutshell

33. Use a Strong Password The first line of defense against

    would-be hackers

34. Avoid the ‘admin’ account Setup a different admin account with

    another name

35. Salt your keys define('AUTH_KEY', 'el1%+7]b}R._7jj|fZ{XSG]Yh8#>s,qjnD}%x?w~H-y99Hk5+#+wON7=$L8iqgm-'); define('SECURE_AUTH_KEY', '-)pv+c~$2[6O|TBobgd+n#8H8`|QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-'); define('LOGGED_IN_KEY', ']MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS|)l-R9%or/?W!]VVp~du');

    define('NONCE_KEY', 'p2?y4<?z3NwtC>=|kwv#Qqx|12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z'); define('AUTH_SALT', '4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X '); define('SECURE_AUTH_SALT', 'X6@IARBL/cY-U:34s:Mw|v0{r:h`ti-I,Shm<dFxc}7goavd?zWO!6%7Xgel~^3S'); define('LOGGED_IN_SALT', '&>,SOL-.7cwk*Wf|&JV$hnvF/fI><]VobM2@8^Z:*_X,P=qVf>6X,p>9i!-:C`fA'); define('NONCE_SALT', 'Tk_RGSGz4CBtvzdeFT7KRLP>Vc$y$2VqC3@+l[iQ!h`aq[4G)^9CVwZOI,7lWd0a');

36. Hide your database tables Change the table prefix: $table_prefix =

    ‘wp_’; $table_prefix = ‘g5a21R_’;

37. Update Everything Keep WordPress, your theme and plugins up-to-date

38. Backup Everything Always, always, always make regular backups: files &

    db

39. E-commerce Tools for WordPress What’s out there?

40. WP eCommerce getshopped.org Free! + paid add-ons ($17-197) The oldest

    & widely used Physical & digital products 9 official payment processors Built-in shipping calculators + 5 real-time shipping plugins Works with most WP themes

41. Cart66 cart66.com Free Lite Version OR $89, $179, $299 per

    year Newest solution Uses [shortcodes] 13 payment solutions Subscriptions (Pro-only) Works with most WP themes

42. Jigoshop jigoshop.com Free + paid addons $5-$100 OR $500 Club

    Membership Full e-commerce solution 7 builtin payment systems 27 payment systems available 2 basic shipping included 5 realtime shipping rates 6 officially supported themes

43. WooCommerce woothemes.com Free + paid addons $15-$75 Fork of Jigoshop

    5 builtin payment systems 79 payment systems available 3 basic shipping included 11 realtime shipping rates 23 officially supported themes

44. Shopp shopplugin.net $55 or $299 + $25 addons Full featured,

    Dev friendly 5 builtin payment systems 33 payment solutions 7 builtin shipping calculators 16 templates, 500+ API calls Works with most WP themes

45. Other Solutions Ready! Ecommerce readyshoppingcart.com Easy Digital Downloads easydigitaldownloads.com WP

    eStore tipsandtricks-hq.com MarketPress premium.wpmudev.org/project/ecommerce/ eShop quirm.net ecwid ecwid.com Event Espresso eventespresso.com

46. Jonathan Davis Twitter: @jonathandavis Email: [email protected] shopplugin.net slides – http://j.mp/EComWP