Thursday, September 8, 11

Transcription

1

2 Jonathan Davis, Ingenesis

3 E-commerce & WordPress: Navigating the Minefield Jonathan Davis, Ingenesis

4

5 $165.4 total e-commerce sales in 2010

6

7 merchant accounts payment gateways fulfillment systems e-commerce is hard! PCI compliance Security SEO SSL certificates shopping carts

8

9

10 Navigating the Minefield

11 Navigating the Minefield Offsite/Onsite payments

12 Navigating the Minefield Offsite/Onsite easy payments not so much!

13 Navigating the Minefield Offsite/Onsite easy payments not so much! Processing payments with gateways

14 Navigating the Minefield Offsite/Onsite easy payments not so much! Processing payments with gateways Merchant Account shopping tips

15 Navigating the Minefield Offsite/Onsite easy payments not so much! Encryption certificate buyers guide Processing payments with gateways Merchant Account shopping tips

16 Navigating the Minefield Offsite/Onsite easy payments not so much! Processing payments with gateways Encryption certificate buyers guide PCI Compliance Merchant Account shopping tips

17 Navigating the Minefield Offsite/Onsite easy payments not so much! Processing payments with gateways Merchant Account shopping tips Encryption certificate buyers guide PCI Compliance Security Tips for Ecommerce on WordPress

18

19 Onsite or Offsite?

20 Onsite or Offsite? Offsite Payments

21 Onsite or Offsite? Offsite Payments Extra checkout steps

22 Onsite or Offsite? Offsite Payments Extra checkout steps Can be more confusing

23 Onsite or Offsite? Offsite Payments Extra checkout steps Can be more confusing No SSL certificate

24 Onsite or Offsite? Offsite Payments Extra checkout steps Can be more confusing No SSL certificate No PCI-compliance certification required

25 Onsite or Offsite? Offsite Payments Extra checkout steps Can be more confusing No SSL certificate No PCI-compliance certification required Examples: PayPal Standard or Google Checkout

26 Onsite or Offsite? Offsite Payments Onsite Payments Extra checkout steps Can be more confusing No SSL certificate No PCI-compliance certification required Examples: PayPal Standard or Google Checkout

27 Onsite or Offsite? Offsite Payments Extra checkout steps Onsite Payments Extra setup steps Can be more confusing No SSL certificate No PCI-compliance certification required Examples: PayPal Standard or Google Checkout

28 Onsite or Offsite? Offsite Payments Extra checkout steps Can be more confusing No SSL certificate Onsite Payments Extra setup steps Seamless (easy) checkout experience No PCI-compliance certification required Examples: PayPal Standard or Google Checkout

29 Onsite or Offsite? Offsite Payments Extra checkout steps Can be more confusing No SSL certificate No PCI-compliance certification required Onsite Payments Extra setup steps Seamless (easy) checkout experience Website requires SSL certificate Examples: PayPal Standard or Google Checkout

30 Onsite or Offsite? Offsite Payments Extra checkout steps Can be more confusing No SSL certificate No PCI-compliance certification required Examples: PayPal Standard or Google Checkout Onsite Payments Extra setup steps Seamless (easy) checkout experience Website requires SSL certificate Merchant required to certify PCI compliance

31 Onsite or Offsite? Offsite Payments Extra checkout steps Can be more confusing No SSL certificate No PCI-compliance certification required Examples: PayPal Standard or Google Checkout Onsite Payments Extra setup steps Seamless (easy) checkout experience Website requires SSL certificate Merchant required to certify PCI compliance Requires a Merchant

32

33 payment gateway

34 payment gateway a service to process payments online

35 payment gateway a service to process payments online it s a kind of PoS

36

37

38 PayPal Standard Customer leaves the website to enter payment details and does not return to the site. No setup work.

39 PayPal Standard Customer leaves the website to enter payment details and does not return to the site. No setup work. Express Checkout Customer jumps to PayPal to enter payment details, returns to complete the

40

41 Payment Gateway Providers

42

43 Credit Card Payments

44 Credit Card Payments Customer

45 Credit Card Payments Customer

46 Credit Card Payments Secure Web Server order Customer

47 Credit Card Payments authorize & capture or de r Secure Web Server Customer Payment Gateway

48 Credit Card Payments authorize & capture Customer Payment Gateway rm nfi co or de r Secure Web Server Banks

49 Credit Card Payments Secure Web Server authorize & capture e re sp on s or de r s on sp re rm nfi co response Payment Gateway e Customer Banks

50 Credit Card Payments Secure Web Server authorize & capture Payment Gateway re sp on s s on sp re or de r e rm nfi co response e Customer Merchant Banks s d n u f d e r r e f s n a tr

51

52 merchant account

53 merchant account a special type of bank account for accepting payments from debit or credit cards (payment cards)

54 merchant account a special type of bank account for accepting payments from debit or credit cards (payment cards) an agreement between the merchant, the bank and payment processor

55

56 Merchant Accounts Costs

57 Merchant Accounts Costs Discount Rates

58 Merchant Accounts Costs Discount Rates 3-Tiered pricing

59 Merchant Accounts Costs Discount Rates 3-Tiered pricing Qualified Rate

60 Merchant Accounts Costs Discount Rates 3-Tiered pricing Qualified Rate Mid-qualified rate

61 Merchant Accounts Costs Discount Rates 3-Tiered pricing Qualified Rate Mid-qualified rate Non-qualified rate

62 Merchant Accounts Costs Discount Rates 3-Tiered pricing Qualified Rate Mid-qualified rate Non-qualified rate

63 Merchant Accounts Costs Discount Rates 3-Tiered pricing 6-Tiered pricing Qualified Rate Mid-qualified rate Non-qualified rate

64 Merchant Accounts Costs Discount Rates 3-Tiered pricing Qualified Rate 6-Tiered pricing Interchange Plus Pricing Mid-qualified rate Non-qualified rate

65 Merchant Accounts Costs Discount Rates 3-Tiered pricing Qualified Rate Mid-qualified rate 6-Tiered pricing Interchange Plus Pricing Bill Backs Non-qualified rate

66 Merchant Accounts Costs

67 Merchant Accounts Costs Fees Authorization fee Statement fee Monthly minimum fee Batch fee Customer Service fee Annual fee Early termination fee Chargeback fee

68

69 Merchant Accounts Tips

70 Merchant Accounts Tips Some merchant account providers have their own payment gateways

71 Merchant Accounts Tips Some merchant account providers have their own payment gateways Plan time to get approval

72 Merchant Accounts Tips Some merchant account providers have their own payment gateways Plan time to get approval Find out about your monthly limits to prevent shutdowns

73 Merchant Accounts Tips Some merchant account providers have their own payment gateways Plan time to get approval Find out about your monthly limits to prevent shutdowns Find out about the reserve amount

74 Merchant Accounts Tips Some merchant account providers have their own payment gateways Plan time to get approval Find out about your monthly limits to prevent shutdowns Find out about the reserve amount Beware the chargeback

75

76 encryption

77 encryption the process of making information unreadable to anyone without special knowledge

78 encryption the process of making information unreadable to anyone without special knowledge special knowledge is the key

79

80 TLS/SSL Encryption Transport Layer Security/Secure Sockets Layer

81 TLS/SSL Encryption Transport Layer Security/Secure Sockets Layer Some seriously scary technical voodoo magic

82 TLS/SSL Encryption Transport Layer Security/Secure Sockets Layer Some seriously scary technical voodoo magic Garbles browser to server communication over the Internet

83 TLS/SSL Encryption Transport Layer Security/Secure Sockets Layer Some seriously scary technical voodoo magic Garbles browser to server communication over the Internet No one else can access the information

84 TLS/SSL Encryption Transport Layer Security/Secure Sockets Layer Some seriously scary technical voodoo magic Garbles browser to server communication over the Internet Browser uses the public key found in the certificate to encrypt information before sending it to the server No one else can access the information

85 TLS/SSL Encryption Transport Layer Security/Secure Sockets Layer Some seriously scary technical voodoo magic Garbles browser to server communication over the Internet No one else can access the information Browser uses the public key found in the certificate to encrypt information before sending it to the server Server uses a private key to decrypt information from the browser

86

87 Customer web browser public internet server side Secure Web Server

88 Customer web browser public internet private server side Secure Web Server

89 Customer web browser public public internet private server side Secure Web Server

90 Customer web browser public public internet private server side Secure Web Server

91 Customer web browser public public internet private server side Secure Web Server

92 Customer web browser public f37b13464e451a214b af9c9a2613fba public internet private server side Secure Web Server

93 Customer web browser public f37b13464e451a214b af9c9a2613fba public internet private server side Secure Web Server

94 Customer web browser public f37b13464e451a214b af9c9a2613fba public internet private server side Secure Web Server

95

96 secure (SSL)

97 secure (SSL) a specialized electronic document certifies a public encryption key to an identity

98

99 Secure Certificate Buyers Guide

100 Secure Certificate Buyers Guide Ongoing costs in the range $50 $1500/year

101 Secure Certificate Buyers Guide Ongoing costs in the range $50 $1500/year 3-4 certificate types:

102 Secure Certificate Buyers Guide Ongoing costs in the range $50 $1500/year 3-4 certificate types: Single-domain

103 Secure Certificate Buyers Guide Ongoing costs in the range $50 $1500/year 3-4 certificate types: Single-domain Multiple sub-domains

104 Secure Certificate Buyers Guide Ongoing costs in the range $50 $1500/year 3-4 certificate types: Single-domain Multiple sub-domains Wildcard sub-domains

105 Secure Certificate Buyers Guide Ongoing costs in the range $50 $1500/year Extended Validation (EV) 3-4 certificate types: Single-domain Multiple sub-domains Wildcard sub-domains

106 Secure Certificate Buyers Guide Ongoing costs in the range $50 $1500/year 3-4 certificate types: Extended Validation (EV) Vendors Single-domain Multiple sub-domains Wildcard sub-domains

107 Secure Certificate Buyers Guide Ongoing costs in the range $50 $1500/year 3-4 certificate types: Single-domain Multiple sub-domains Extended Validation (EV) Vendors Verisign (Costly) Wildcard sub-domains

108 Secure Certificate Buyers Guide Ongoing costs in the range $50 $1500/year 3-4 certificate types: Single-domain Multiple sub-domains Wildcard sub-domains Extended Validation (EV) Vendors Verisign (Costly) Comodo (Moderate) instantssl.com

109 Secure Certificate Buyers Guide Ongoing costs in the range $50 $1500/year 3-4 certificate types: Single-domain Multiple sub-domains Wildcard sub-domains Extended Validation (EV) Vendors Verisign (Costly) Comodo (Moderate) instantssl.com GoDaddy (Cheap)

110

111 PCI

112 PCI PCI SSC

113 PCI PCI SSC Payment Card Industry Security Standards Council

114 PCI PCI SSC Payment Card Industry Security Standards Council The body responsible for managing the security standards for the industry

115 PCI PCI SSC Payment Card Industry Security Standards Council The body responsible for managing the security standards for the industry PCI-DSS

116 PCI PCI SSC Payment Card Industry Security Standards Council The body responsible for managing the security standards for the industry PCI-DSS The PCI Data Security Standard

117 PCI PCI SSC Payment Card Industry Security Standards Council The body responsible for managing the security standards for the industry PCI-DSS The PCI Data Security Standard The security standards merchants are required to follow and certify

118

119 PCI-DSS

120 PCI-DSS 12 requirements for any business that stores, processes or transmits cardholder payment data

121 PCI-DSS Build and Maintain a Secure Network

122 PCI-DSS Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data

123 PCI-DSS Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendorsupplied defaults for system passwords and other security parameters

124 PCI-DSS Protect Cardholder Data

125 PCI-DSS Protect Cardholder Data Requirement 3: Protect stored cardholder data

126 PCI-DSS Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks

127 PCI-DSS Maintain a Vulnerability Management

128 PCI-DSS Maintain a Vulnerability Management Requirement 5: Use and regularly update anti-virus software

129 PCI-DSS Maintain a Vulnerability Management Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications

130 PCI-DSS Implement Strong Access Control Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data

131 PCI-DSS Regularly Monitor and Test Networks

132 PCI-DSS Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data

133 PCI-DSS Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes

134 PCI-DSS Maintain an Information Security Policy

135 PCI-DSS Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security

136

137 PCI Compliance

138 PCI Compliance Assess Remediate Report

139 PCI Compliance Assess Remediate Report

140 PCI Compliance Assess Remediate Report Assess your network and IT resources for vulnerabilities. Constantly monitor access and usage of cardholder data. Log data must be available for

141 PCI Compliance Assess Remediate Report

142 PCI Compliance Assess Remediate Report Remediate (fix) vulnerabilities that threaten unauthorized access to cardholder data

143 PCI Compliance Assess Remediate Report

144 PCI Compliance Assess Remediate Report Report compliance and present evidence that data protection controls are in place

145 SAQ Self Assessment A checklist for the requirements with nice little yes/ no boxes You assess with it Get it here:

146

147 WordPress Security

148 WordPress Security in a Nutshell

149

150 Use a Strong Password

151 Use a Strong Password The first line of defense against would-be hackers

152

153 Avoid the admin account

154 Avoid the admin account Setup a different admin account with another name

155

156 Salt your keys

157 Salt your keys define('auth_key', 'el1%+7]b}r._7jj fz{xsg]yh8#>s,qjnd}%x?w~h-y99hk5+#+won7=$l8iqgm-'); define('secure_auth_key', '-)pv+c~$2[6o TBobgd+n#8H8` QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-'); define('logged_in_key', ']MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS )l-r9%or/?w!]vvp~du'); define('nonce_key', 'p2?y4<?z3nwtc>= kwv#qqx 12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z'); define('auth_salt', '4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X '); define('secure_auth_salt', v0{r:h`ti-i,shm<dfxc}7goavd?zwo!6%7xgel~^3s'); define('logged_in_salt', '&>,SOL-.7cwk*Wf define('nonce_salt',

158

159 Hide your database tables

160 Hide your database tables Change the table prefix:

161 Hide your database tables Change the table prefix: $table_prefix = wp_ ;

162 Hide your database tables Change the table prefix: $table_prefix = wp_ ; $table_prefix = g5a21r_ ;

163

164 Update Everything

165 Update Everything Keep WordPress, your theme and plugins up-todate

166 Update Everything Keep WordPress, your theme and plugins up-todate

167

168 Backup Everything

169 Backup Everything Always, always, always make regular backups: files & db

170 Backup Everything Always, always, always make regular backups: files & db

171 E-commerce Tools for WordPress What s out there?

172 WP ecommerce getshopped.org The oldest & most widely used Physical & digital products A variety of payment options Several shipping options

173 Cart66 cart66.com Newest solution Uses [shortcodes] 7 payment solutions Subscriptions & Membership Free Lite Version or

174 Shopp shopplugin.net A popular solution 18 payment gateways 10 shipping options 200+ template tags $55 or $299 $25 add-ons

175

176 Jonathan Davis

177 Jonathan Davis

178 Jonathan Davis

179 Jonathan Davis

180 Jonathan Davis shopplugin.net

181 Jonathan Davis shopplugin.net

182 Jonathan Davis shopplugin.net slides