Slide 1

E-commerce & WordPress: Navigating the Minefield
Jonathan Davis, Ingenesis Limited
@jonathandavis

Slide 2

$165.4 billion total US e-commerce sales in 2010
Source: US Commerce Department

Slide 3

$193.6 billion total US e-commerce sales in 2011
Source: US Commerce Department

Slide 4

e-commerce is hard!
• payment gateways
• merchant accounts
• fulfillment systems
• PCI compliance
• Security
• SEO
• SSL certificates
• shopping carts

Slide 6

Navigating the Minefield
‣ Offsite/Onsite payments
‣ Processing payments with gateways
‣ Merchant Account shopping tips
‣ Encryption certificate buyers guide
‣ PCI Compliance
‣ Security Tips for Ecommerce on WordPress
‣ Ecommerce Tools for WP
(difficulty scale shown on the slide: easy → not so much!)

Slide 7

Onsite or Offsite?

Offsite Payments
• Extra checkout steps
• Can be more confusing
• No SSL certificate
• No PCI-compliance certification required
• Examples: PayPal Standard or Google Checkout

Onsite Payments
• Extra setup steps
• Seamless (easy) checkout experience
• Website requires SSL certificate
• Merchant required to certify PCI compliance
• Requires a Merchant Account

Slide 8

payment gateway
• a service to process payments online
• it's a kind of PoS

Slide 9

Standard: Customer leaves the website to enter payment details and does not return to the site. No setup work.
Express: Customer jumps to PayPal to enter payment details, returns to complete the order. Not much setup work.
Pro: Seamless checkout onsite. Customer never leaves the store. Extra setup work.

Slide 10

Payment Gateway Providers

Slide 11

Credit Card Payments (diagram)
Parties: Customer, Secure Web Server, Payment Gateway, Banks, Merchant
Labelled steps: order; authorize & capture; confirm; funds transferred; a response flows back at each hop
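The diagram compresses the whole exchange into a few labels. The following Python sketch, added here and not part of the talk, walks through it with two invented stand-ins (MockGateway and MerchantServer): the customer's card number goes to the gateway, the gateway answers with an authorization reference, and the merchant later captures against that reference when the order ships. The point to take from it is in place_order: the merchant's own records hold the reference and last four digits only, never the full card number, and the gateway refuses any capture larger than what was authorized.

```python
"""Model of the order / authorize & capture / response exchange between a
merchant's web server and a payment gateway. Constructed teaching example,
not code from the talk: MockGateway and MerchantServer are invented stand-ins
for a real gateway API and a real store back end."""
import secrets


class MockGateway:
    """Stands in for the payment gateway and the banks behind it.

    The gateway is the only party that ever sees the full card number; the
    merchant gets back an opaque authorization reference and the last four
    digits, which is all it needs to capture funds later.
    """

    def __init__(self):
        self._auths = {}  # auth_id -> {"last4", "approved_cents", "captured_cents"}

    def authorize(self, pan, amount_cents):
        """Step 'authorize': reserve funds on the card, approve or decline."""
        digits = pan.replace(" ", "").replace("-", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19 or amount_cents <= 0:
            return {"ok": False, "error": "declined"}
        auth_id = "auth_" + secrets.token_hex(8)
        self._auths[auth_id] = {"last4": digits[-4:], "approved_cents": amount_cents,
                                "captured_cents": 0}
        return {"ok": True, "auth_id": auth_id, "last4": digits[-4:]}

    def capture(self, auth_id, amount_cents):
        """Step 'capture': move approved funds; never more than was authorized."""
        auth = self._auths.get(auth_id)
        if auth is None:
            return {"ok": False, "error": "unknown authorization"}
        if amount_cents <= 0 or auth["captured_cents"] + amount_cents > auth["approved_cents"]:
            return {"ok": False, "error": "capture exceeds authorization"}
        auth["captured_cents"] += amount_cents
        return {"ok": True, "captured_cents": auth["captured_cents"]}


class MerchantServer:
    """The 'secure web server' of the diagram: takes the order, talks to the gateway."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.orders = {}

    def place_order(self, order_id, pan, amount_cents):
        resp = self.gateway.authorize(pan, amount_cents)
        if not resp["ok"]:
            return {"order_id": order_id, "status": "declined"}
        # Persist only the gateway's reference and the last four digits. Keeping
        # the PAN out of the merchant's database keeps the merchant's PCI scope small.
        record = {"order_id": order_id, "status": "authorized",
                  "amount_cents": amount_cents, "auth_id": resp["auth_id"],
                  "card_last4": resp["last4"]}
        self.orders[order_id] = record
        return record

    def ship_and_capture(self, order_id, amount_cents=None):
        """Capture when the goods ship; defaults to the full authorized amount."""
        order = self.orders[order_id]
        amount = order["amount_cents"] if amount_cents is None else amount_cents
        resp = self.gateway.capture(order["auth_id"], amount)
        if resp["ok"]:
            order["status"] = "captured"
        return resp


def merchant_stores_pan(server, pan):
    """Audit helper: does any stored order field contain the full card number?"""
    digits = pan.replace(" ", "").replace("-", "")
    return any(digits in str(value)
               for record in server.orders.values() for value in record.values())


if __name__ == "__main__":
    gateway = MockGateway()
    store = MerchantServer(gateway)
    # 4111 1111 1111 1111 is the well-known test number shown on the slides.
    order = store.place_order("1001", "4111 1111 1111 1111", 4999)
    print(order)
    print(store.ship_and_capture("1001"))
    print("PAN stored by merchant:", merchant_stores_pan(store, "4111 1111 1111 1111"))
```

Running it prints the authorized order record, the capture response and "PAN stored by merchant: False". A real gateway also returns decline codes, AVS/CVV results and a settlement batch, none of which are modelled here.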

Slide 12

merchant account
• a special type of bank account for accepting payments from debit or credit cards (payment cards)
• an agreement between the merchant, the bank and payment processor

Slide 13

Merchant Accounts | Costs
Discount Rates
• 3-Tiered pricing
  • Qualified Rate
  • Mid-qualified rate
  • Non-qualified rate
• 6-Tiered pricing
• Interchange Plus Pricing
• Bill Backs

Slide 14

Merchant Accounts | Costs
Fees
• Authorization fee
• Statement fee
• Monthly minimum fee
• Batch fee
• Customer Service fee
• Annual fee
• Early termination fee
• Chargeback fee

Slide 15

Merchant Accounts | Tips
• Some merchant account providers have their own payment gateways
• Plan time to get approval
• Find out about your monthly limits to prevent shutdowns
• Find out about the reserve amount
• Beware the chargeback

Slide 16

encryption
• the process of making information unreadable to anyone without "special knowledge"
• "special knowledge" is the key

Slide 17

Encryption in transit (diagram)
Customer (web browser) → public internet → Secure Web Server (server side)
The browser encrypts the card number 4111 1111 1111 1111 with the public key; what crosses the internet is the ciphertext f37b13464e451a214b39 507061af9c9a2613fbab; the server decrypts it with the private key to recover 4111 1111 1111 1111.

Slide 18

secure (SSL) certificate
• a specialized electronic document that certifies (binds) a public encryption key to an identity

Slide 19

Secure Certificate | Buyers Guide
• Ongoing costs in the range $50–$1500/year
• 3-4 certificate types:
  • Single-domain
  • Multiple domains (UCC)
  • Wildcard sub-domains
  • Extended Validation (EV)
Vendors
• Verisign (Costly) www.verisign.com
• Comodo (Moderate) instantssl.com
• GoDaddy (Cheap) godaddy.com
• Network Solutions (Cheap) networksolutions.com

Slide 20

PCI-DSS
12 requirements for any business that stores, processes or transmits cardholder payment data

Slide 21

PCI-DSS | Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Slide 22

PCI-DSS | Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Slide 23

PCI-DSS | Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Slide 24

PCI-DSS | Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Slide 25

PCI-DSS | Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Slide 26

PCI-DSS | Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Slide 27

PCI Compliance: Assess → Remediate → Report

Slide 28

PCI Compliance: Assess → Remediate → Report
Assess
• Assess your network and IT resources for vulnerabilities.
• Constantly monitor access and usage of cardholder data.
• Log data must be available for analysis.
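Requirement 3 says stored cardholder data must be protected and requirement 10 says log data must be kept for analysis; the two collide the moment a debug statement writes a full card number into a log file, because the log itself then becomes stored cardholder data. The following Python example, added here and not from the talk, scans constructed log lines for digit runs that pass the Luhn check and masks each hit to its first six and last four digits, the most PCI-DSS permits to be displayed. The regular expression, the Luhn filter and the sample lines are all mine; the 4111 1111 1111 1111 number is the test value the slides already use.

```python
"""Find unmasked primary account numbers (PANs) in log lines and mask them.
Constructed example for PCI-DSS requirement 3 (protect stored cardholder data)
and requirement 10 (log data must be available for analysis). The log lines
below are made up."""
import re

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation; weeds out timestamps, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line):
    """Return the substrings of a line that look like a PAN and pass Luhn."""
    hits = []
    for match in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(match.group())
    return hits


def mask_pan(pan):
    """Keep at most the first six and last four digits, as PCI-DSS allows for display."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line):
    """Replace every detected PAN in the line with its masked form."""
    for hit in find_pans(line):
        line = line.replace(hit, mask_pan(hit))
    return line


def scan_log(lines):
    """Return (line_number, pan_count, scrubbed_line) for every line that leaks a PAN."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = find_pans(line)
        if hits:
            findings.append((number, len(hits), scrub_line(line)))
    return findings


# Constructed sample log: line 2 and line 4 leak card numbers (well-known test
# card values), line 3 carries a 13-digit transaction id that fails Luhn.
SAMPLE_LOG = [
    "2012-03-04 10:15:02 INFO checkout order=1001 total=49.99 status=authorized",
    "2012-03-04 10:15:03 DEBUG gateway request card=4111 1111 1111 1111 exp=12/14",
    "2012-03-04 10:16:10 WARN retry order=1002 txn=1234567890123 result=timeout",
    "2012-03-04 10:17:44 DEBUG gateway request card=5500-0000-0000-0004 exp=01/15",
]

if __name__ == "__main__":
    for number, count, scrubbed in scan_log(SAMPLE_LOG):
        print(f"line {number}: {count} PAN(s) found -> {scrubbed}")
```

The Luhn filter keeps the false-positive rate low enough to run over a full access or application log; anything it reports is a line that should never have been written, so the real fix is to remove the logging statement, and the masking is only damage control for logs that already exist.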

Slide 29

PCI Compliance: Assess → Remediate → Report
Remediate
• Remediate (fix) vulnerabilities that threaten unauthorized access to cardholder data

Slide 30

PCI Compliance: Assess → Remediate → Report
Report
• Report compliance and present evidence that data protection controls are in place

Slide 31

SAQ: Self Assessment Questionnaire
• A checklist for the requirements with nice little yes/no boxes
• You "assess" with it
• Get it here: http://j.mp/pcisaqs

Slide 32

WordPress Security in a Nutshell

Slide 33

Use a Strong Password
The first line of defense against would-be hackers

Slide 34

Avoid the 'admin' account
Set up a different admin account with another name

Slide 35

Salt your keys
define('AUTH_KEY', 'el1%+7]b}R._7jj|fZ{XSG]Yh8#>s,qjnD}%x?w~H-y99Hk5+#+wON7=$L8iqgm-');
define('SECURE_AUTH_KEY', '-)pv+c~$2[6O|TBobgd+n#8H8`|QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-');
define('LOGGED_IN_KEY', ']MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS|)l-R9%or/?W!]VVp~du');
define('NONCE_KEY', 'p2?y4=|kwv#Qqx|12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z');
define('AUTH_SALT', '4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X ');
define('SECURE_AUTH_SALT', 'X6@IARBL/cY-U:34s:Mw|v0{r:h`ti-I,Shm,SOL-.7cwk*Wf|&JV$hnvF/fI><]VobM2@8^Z:*_X,P=qVf>6X,p>9i!-:C`fA');
define('NONCE_SALT', 'Tk_RGSGz4CBtvzdeFT7KRLP>Vc$y$2VqC3@+l[iQ!h`aq[4G)^9CVwZOI,7lWd0a');
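The values on the slide are sample keys that have been published, so they must not be pasted into a real wp-config.php. The following Python script, an added example rather than code from the talk or from WordPress, generates eight fresh 64-character values and prints them as define() lines; WordPress publishes an equivalent generator at https://api.wordpress.org/secret-key/1.1/salt/. The character set is my assumption (printable ASCII minus the quote and backslash characters that would break a PHP single-quoted string), and is_strong is a constructed sanity check for the stock placeholder text, not a WordPress rule.

```python
"""Generate fresh values for the eight wp-config.php authentication keys and
salts. Added example, not WordPress core code. Uses the secrets module so the
values come from the operating system's CSPRNG."""
import secrets
import string

# Assumed character set: letters, digits and punctuation, minus the three
# characters (' " \) that would break a PHP single-quoted string literal.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")

# The eight constants wp-config.php expects, in the order WordPress lists them.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# Placeholder text shipped in wp-config-sample.php; its presence means the
# site is running with keys everyone knows.
PLACEHOLDER = "put your unique phrase here"


def random_key(length=64):
    """One key: `length` characters drawn independently from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_salts(length=64):
    """Return {name: key} with a distinct random key per constant."""
    return {name: random_key(length) for name in KEY_NAMES}


def as_php_defines(salts):
    """Render the keys as define() lines ready to paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in salts.items())


def is_strong(value, min_len=64):
    """Constructed sanity check: long enough, not the placeholder, and safe inside
    a PHP single-quoted string."""
    return (len(value) >= min_len
            and value.lower() != PLACEHOLDER
            and all(c in ALPHABET for c in value))


if __name__ == "__main__":
    print(as_php_defines(generate_salts()))
```

Regenerating the keys invalidates every existing login cookie, which is exactly what you want after a suspected compromise; otherwise treat it as a one-time step when the site is set up.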

Slide 36

Hide your database tables
Change the table prefix:
$table_prefix = 'wp_';      // the default every attacker tries first
$table_prefix = 'g5a21R_';  // a non-default prefix

Slide 37

Update Everything
Keep WordPress, your theme and plugins up-to-date

Slide 38

Backup Everything
Always, always, always make regular backups: files & db

Slide 39

E-commerce Tools for WordPress
What's out there?

Slide 40

WP eCommerce
getshopped.org
• Free! + paid add-ons ($17-197)
• The oldest & widely used
• Physical & digital products
• 9 official payment processors
• Built-in shipping calculators + 5 real-time shipping plugins
• Works with most WP themes

Slide 41

Cart66
cart66.com
• Free Lite Version OR $89, $179, $299 per year
• Newest solution
• Uses [shortcodes]
• 13 payment solutions
• Subscriptions (Pro-only)
• Works with most WP themes

Slide 42

Jigoshop
jigoshop.com
• Free + paid addons $5-$100 OR $500 Club Membership
• Full e-commerce solution
• 7 builtin payment systems
• 27 payment systems available
• 2 basic shipping included
• 5 realtime shipping rates
• 6 officially supported themes

Slide 43

WooCommerce
woothemes.com
• Free + paid addons $15-$75
• Fork of Jigoshop
• 5 builtin payment systems
• 79 payment systems available
• 3 basic shipping included
• 11 realtime shipping rates
• 23 officially supported themes

Slide 44

Shopp
shopplugin.net
• $55 or $299 + $25 addons
• Full featured, Dev friendly
• 5 builtin payment systems
• 33 payment solutions
• 7 builtin shipping calculators
• 16 templates, 500+ API calls
• Works with most WP themes

Slide 45

Other Solutions
• Ready! Ecommerce readyshoppingcart.com
• Easy Digital Downloads easydigitaldownloads.com
• WP eStore tipsandtricks-hq.com
• MarketPress premium.wpmudev.org/project/ecommerce/
• eShop quirm.net
• ecwid ecwid.com
• Event Espresso eventespresso.com

Slide 46

Jonathan Davis
Twitter: @jonathandavis
Email: [email protected]
shopplugin.net
Slides: http://j.mp/EComWP