E-commerce & WordPress: Navigating the Minefield

This presentation provides an overview of the essential e-commerce concepts along with some basic tips for implementing an e-commerce website on WordPress. It includes discussion of payment gateways, how credit card processing really works, merchant accounts, SSL certificates, PCI compliance, basic WordPress security tips and a very brief review of popular e-commerce solutions for WordPress.

The goal of this talk is to arm you with the right information so you can make the best decisions and recommendations for e-commerce related projects.

Learn what it takes, how to avoid the traps, save money and be successful using WordPress as an e-commerce development platform.

Jonathan Davis

October 13, 2012

Transcript

  1. E-commerce & WordPress:
    Navigating the Minefield
    Jonathan Davis, Ingenesis Limited
    @jonathandavis

  2. $165.4 billion
    total US e-commerce sales in 2010
    Source: US Commerce Department

  3. $193.6 billion
    total US e-commerce sales in 2011
    Source: US Commerce Department

  4. e-commerce is hard!
    payment gateways
    merchant accounts
    fulfillment systems
    PCI compliance
    Security
    SEO
    SSL certificates
    shopping carts

  6. Navigating the Minefield
    ‣ Offsite/Onsite payments
    ‣ Processing payments with gateways
    ‣ Merchant Account shopping tips
    ‣ Encryption certificate buyers guide
    ‣ PCI Compliance
    ‣ Security Tips for Ecommerce on WordPress
    ‣ Ecommerce Tools for WP
    (the slide marks these on a scale from "easy" to "not so much!")

  7. Onsite or Offsite?
    Offsite Payments
    • Extra checkout steps
    • Can be more confusing
    • No SSL certificate required on your site (the card form is served by the payment provider)
    • No PCI-compliance certification required; card data never touches your server, so the merchant only completes the short SAQ A self-assessment
    • Examples: PayPal Standard or Google Checkout
    Onsite Payments
    • Extra setup steps
    • Seamless (easy) checkout experience
    • Website requires an SSL certificate
    • Merchant required to certify PCI compliance
    • Requires a Merchant Account

  8. payment gateway
    • a service to process payments online
    • the online equivalent of a point-of-sale (PoS) terminal: it relays the card authorization to the processor and returns the result to your site

  9. PayPal: Standard, Express or Pro
    Standard: Customer leaves the website to enter payment details and does not return to the site. No setup work.
    Express: Customer jumps to PayPal to enter payment details, then returns to complete the order. Not much setup work.
    Pro: Seamless checkout onsite. Customer never leaves the store. Extra setup work.

  10. Payment Gateway Providers

  11. Credit Card Payments (flow diagram)
    Customer --order--> Secure Web Server --authorize & capture--> Payment Gateway --confirm--> Banks --funds transferred--> Merchant
    A response travels back along the same path: Banks -> Payment Gateway -> Secure Web Server -> Customer

  12. merchant account
    • a special type of bank account for accepting
    payments from debit or credit cards (payment
    cards)
    • an agreement between the merchant, the bank
    and payment processor

  13. Merchant Accounts | Costs
    Discount Rates
    • 3-Tiered pricing
      • Qualified rate
      • Mid-qualified rate
      • Non-qualified rate
    • 6-Tiered pricing
    • Interchange Plus pricing
    • Bill Backs

  14. Merchant Accounts | Costs
    Fees
    • Authorization fee
    • Statement fee
    • Monthly minimum fee
    • Batch fee
    • Customer Service fee
    • Annual fee
    • Early termination fee
    • Chargeback fee

  15. Merchant Accounts | Tips
    • Some merchant account providers have their
    own payment gateways
    • Plan time to get approval
    • Find out about your monthly limits to prevent
    shutdowns
    • Find out about the reserve amount
    • Beware the chargeback

  16. encryption
    • the process of making information unreadable to
    anyone without “special knowledge”
    • “special knowledge” is the key

  17. (diagram) Customer's web browser --public internet--> Secure Web Server (server side)
    browser: 4111 1111 1111 1111 --encrypt with the public key--> f37b13464e451a214b39507061af9c9a2613fbab
    server:  f37b13464e451a214b39507061af9c9a2613fbab --decrypt with the private key--> 4111 1111 1111 1111
    The public key is sent to the browser; the private key never leaves the server.

  18. secure (SSL) certificate
    • a specialized electronic document, signed by a certificate authority, that binds a public encryption key to an identity (the domain name; for EV certificates also the organization)

  19. Secure Certificate | Buyers Guide
    • Ongoing costs in the range $50–$1500/year
    • 3-4 certificate types:
      • Single-domain
      • Multiple domains (UCC / SAN)
      • Wildcard sub-domains
      • Extended Validation (EV)
    • The encryption is the same at every price; you pay for the validation level, the number of names covered and the CA's warranty
    Vendors
    • Verisign (Costly) www.verisign.com
    • Comodo (Moderate) instantssl.com
    • GoDaddy (Cheap) godaddy.com
    • Network Solutions (Cheap) networksolutions.com

  20. PCI-DSS
    12 requirements for any business that stores, processes or
    transmits cardholder payment data

  21. PCI-DSS
    Build and Maintain a Secure Network
    Requirement 1:
    Install and maintain a firewall
    configuration to protect
    cardholder data
    Requirement 2:
    Do not use vendor-supplied
    defaults for system passwords
    and other security parameters

  22. PCI-DSS
    Protect Cardholder Data
    Requirement 3:
    Protect stored cardholder data
    Requirement 4:
    Encrypt transmission of
    cardholder data across open,
    public networks

  23. PCI-DSS
    Maintain a Vulnerability Management Program
    Requirement 5:
    Use and regularly update
    anti-virus software
    Requirement 6:
    Develop and maintain secure
    systems and applications

  24. PCI-DSS
    Implement Strong Access Control Measures
    Requirement 7:
    Restrict access to
    cardholder data by
    business need-to-
    know
    Requirement 8:
    Assign a unique ID
    to each person with
    computer access
    Requirement 9:
    Restrict physical
    access to
    cardholder data

  25. PCI-DSS
    Regularly Monitor and Test Networks
    Requirement 10:
    Track and monitor all access to
    network resources and
    cardholder data
    Requirement 11:
    Regularly test security systems
    and processes

  26. PCI-DSS
    Maintain an Information Security Policy
    Requirement 12:
    Maintain a policy that
    addresses information
    security

  27. PCI Compliance
    Assess Remediate Report

  28. PCI Compliance
    Assess Remediate Report
    Assess your network and IT resources for vulnerabilities.
    Constantly monitor access and usage of cardholder data. Log data must be retained and available for analysis.

  29. PCI Compliance
    Assess Remediate Report
    Remediate (fix) vulnerabilities that threaten unauthorized
    access to cardholder data

  30. PCI Compliance
    Assess Remediate Report
    Report compliance and present evidence that data protection
    controls are in place

  31. SAQ
    Self Assessment Questionnaire
    • A checklist for the requirements with nice little yes/no boxes
    • You “assess” with it
    • Get it here: http://j.mp/pcisaqs

  32. WordPress Security
    in a Nutshell

  33. Use a Strong Password
    The first line of defense against would-be hackers

  34. Avoid the ‘admin’ account
    Set up an administrator account with a different name, then delete or demote the default ‘admin’ user; it is the username every brute-force script tries first

  35. Salt your keys
    Replace the placeholder keys and salts in wp-config.php with unique random values; they sign the login cookies and nonces. Generate a fresh set at https://api.wordpress.org/secret-key/1.1/salt/ and never reuse values from a slide or blog post, including the ones below. Changing them invalidates every existing session, which is also why you rotate them after a compromise.
    define('AUTH_KEY', 'el1%+7]b}R._7jj|fZ{XSG]Yh8#>s,qjnD}%x?w~H-y99Hk5+#+wON7=$L8iqgm-');
    define('SECURE_AUTH_KEY', '-)pv+c~$2[6O|TBobgd+n#8H8`|QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-');
    define('LOGGED_IN_KEY', ']MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS|)l-R9%or/?W!]VVp~du');
    define('NONCE_KEY', 'p2?y4=|kwv#Qqx|12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z');
    define('AUTH_SALT', '4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X ');
    define('SECURE_AUTH_SALT', 'X6@IARBL/cY-U:34s:Mw|v0{r:h`ti-I,Shm'); // value truncated in the transcript
    define('LOGGED_IN_SALT', '&>,SOL-.7cwk*Wf|&JV$hnvF/fI><]VobM2@8^Z:*_X,P=qVf>6X,p>9i!-:C`fA');
    define('NONCE_SALT', 'Tk_RGSGz4CBtvzdeFT7KRLP>Vc$y$2VqC3@+l[iQ!h`aq[4G)^9CVwZOI,7lWd0a');

  36. Hide your database tables
    Change the table prefix in wp-config.php:
    $table_prefix = 'wp_';
    $table_prefix = 'g5a21R_';
    This is obscurity, not a control: it only defeats canned scripts that hard-code wp_, and any SQL injection that can read information_schema finds the real names. Do it on a fresh install if you can; on an existing site every table must be renamed and the prefixed rows in the options table (wp_user_roles) and in usermeta (wp_capabilities, wp_user_level) updated too, or administrators lose their roles.

  37. Update Everything
    Keep WordPress, your theme and plugins up-to-date

  38. Backup Everything
    Always, always, always make regular backups: files & db

  39. E-commerce Tools for
    WordPress
    What’s out there?

  40. WP eCommerce
    getshopped.org
    Free!
    + paid add-ons ($17-197)
    The oldest & most widely used
    Physical & digital products
    9 official payment processors
    Built-in shipping calculators +
    5 real-time shipping plugins
    Works with most WP themes

  41. Cart66
    cart66.com
    Free Lite Version OR
    $89, $179, $299 per year
    Newest solution
    Uses [shortcodes]
    13 payment solutions
    Subscriptions (Pro-only)
    Works with most WP themes

  42. Jigoshop
    jigoshop.com
    Free + paid add-ons $5-$100
    OR $500 Club Membership
    Full e-commerce solution
    7 built-in payment systems
    27 payment systems available
    2 basic shipping methods included
    5 real-time shipping rates
    6 officially supported themes

  43. WooCommerce
    woothemes.com
    Free + paid add-ons $15-$75
    Fork of Jigoshop
    5 built-in payment systems
    79 payment systems available
    3 basic shipping methods included
    11 real-time shipping rates
    23 officially supported themes

  44. Shopp
    shopplugin.net
    $55 or $299
    + $25 add-ons
    Full featured, developer friendly
    5 built-in payment systems
    33 payment solutions
    7 built-in shipping calculators
    16 templates, 500+ API calls
    Works with most WP themes

  45. Other Solutions
    Ready! Ecommerce
    readyshoppingcart.com
    Easy Digital Downloads
    easydigitaldownloads.com
    WP eStore
    tipsandtricks-hq.com
    MarketPress
    premium.wpmudev.org/project/ecommerce/
    eShop
    quirm.net
    ecwid
    ecwid.com
    Event Espresso
    eventespresso.com

  46. Jonathan Davis
    Twitter: @jonathandavis
    Email: [email protected]
    shopplugin.net
    slides – http://j.mp/EComWP
