E-commerce & WordPress: Navigating the Minefield

Jonathan Davis, Ingenesis Limited
@jonathandavis
$165.4 billion
  total e-commerce sales in 2010
e-commerce is hard!
merchant accounts, payment gateways, fulfillment systems, SEO, PCI compliance, Security, SSL certificates, shopping carts
Navigating the Minefield
not so much! / easy
‣ Offsite/Onsite payments
‣ Processing payments with gateways
‣ Merchant Account shopping tips
‣ Encryption certificate buyers guide
‣ PCI Compliance
‣ Security Tips for Ecommerce on WordPress
‣ Ecommerce Tools for WP
Onsite or Offsite?

Offsite Payments
•   Extra checkout steps
•   Can be more confusing
•   No SSL certificate
•   No PCI-compliance certification required
•   Examples: PayPal Standard or Google Checkout

Onsite Payments
•   Extra setup steps
•   Seamless (easy) checkout experience
•   Website requires SSL certificate
•   Merchant required to certify PCI compliance
•   Requires a Merchant Account
payment gateway
•   a service to process payments online

•   it’s a kind of PoS
PayPal Standard: Customer leaves the website to enter payment details and does not return to the site. No setup work.
Express Checkout: Customer jumps to PayPal to enter payment details, returns to complete the order. Not much setup work.
WebsitePaymentsPro: Seamless checkout onsite. Customer never leaves the store. Extra setup work.
Payment Gateway Providers
Credit Card Payments

[Flow diagram: the Customer sends an order to the Secure Web Server and receives a response; the Secure Web Server sends an authorize & capture request to the Payment Gateway and receives a response; the Payment Gateway confirms with the Banks and receives a response; the Banks transfer funds to the Merchant.]
merchant account
•   a special type of bank account for accepting
    payments from debit or credit cards (payment
    cards)

•   an agreement between the merchant, the bank
    and payment processor
Merchant Accounts | Costs

Discount Rates
•   3-Tiered pricing
     •   Qualified Rate
     •   Mid-qualified rate
     •   Non-qualified rate
•   6-Tiered pricing
•   Interchange Plus Pricing
•   Bill Backs
Merchant Accounts | Costs

Fees
•   Authorization fee
•   Statement fee
•   Monthly minimum fee
•   Batch fee
•   Customer Service fee
•   Annual fee
•   Early termination fee
•   Chargeback fee
Merchant Accounts | Tips

•   Some merchant account providers have their
    own payment gateways
•   Plan time to get approval
•   Find out about your monthly limits to prevent
    shutdowns
•   Find out about the reserve amount
•   Beware the chargeback
encryption
•   the process of making information unreadable to
    anyone without “special knowledge”

•   “special knowledge” is the key
TLS/SSL Encryption
Transport Layer Security/Secure Sockets Layer

•   Some seriously scary technical voodoo magic
•   Garbles browser to server communication over the Internet
•   No one else can access the information
•   Browser uses the public key found in the certificate to encrypt information before sending it to the server
•   Server uses a private key to decrypt information from the browser
[Diagram, customer side: the web browser encrypts the card number 4111 1111 1111 1111 with the public key into the ciphertext f37b13464e451a214b39507061af9c9a2613fbab before it crosses the public internet. Server side: the Secure Web Server decrypts it with the private key, recovering 4111 1111 1111 1111.]
secure (SSL) certificate
•   a specialized electronic document that certifies a public encryption key as belonging to an identity
Secure Certificate | Buyers Guide

•   Ongoing costs in the range $50–$1500/year
•   3-4 certificate types:
     •   Single-domain
     •   Multiple sub-domains
     •   Wildcard sub-domains
     •   Extended Validation (EV)

Vendors
•   Verisign (Costly) www.verisign.com
•   Comodo (Moderate) instantssl.com
•   GoDaddy (Cheap) godaddy.com
•   Network Solutions (Cheap) networksolutions.com
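Before buying one of the certificate types listed above, it helps to list every hostname the store answers on and check which type actually covers them all. The following is an added example, not code from the talk or from any certificate vendor: it applies the usual browser name-matching rules (a wildcard is honoured only as the whole leftmost label and stands in for exactly one label, comparisons are case-insensitive) and recommends the cheapest naming-based type. EV is a validation level rather than a naming rule, so it is not modelled. The hostnames are constructed sample values.

```python
"""Certificate name coverage check (added example; assumes the browser
wildcard rules described in the lead-in, all hostnames constructed)."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (plain or '*.parent') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, must sit under at least
    # two more labels (no '*.com'), and stands in for exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_hosts(cert_names: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames the store answers on that the certificate would not cover."""
    return [h for h in hostnames
            if not any(hostname_matches(p, h) for p in cert_names)]


def certificate_type_for(hostnames: list[str]) -> str:
    """Cheapest of the three naming-based types that covers every hostname."""
    hosts = sorted({h.lower().rstrip(".") for h in hostnames})
    if len(hosts) == 1:
        return "single-domain"
    # Parent of 'shop.example.com' is 'example.com'; of 'example.com', 'com'.
    parents = {h.split(".", 1)[1] if "." in h else "" for h in hosts}
    # One wildcard works only if every name is exactly one label under the
    # same parent; the bare apex 'example.com' is NOT covered by '*.example.com'.
    if len(parents) == 1 and all(h.count(".") >= 2 for h in hosts):
        return "wildcard"
    return "multi-domain (SAN)"


if __name__ == "__main__":
    store_hosts = ["example.com", "www.example.com", "shop.example.com"]
    print("type needed:", certificate_type_for(store_hosts))
    print("not covered by *.example.com:",
          uncovered_hosts(["*.example.com"], store_hosts))
```

The apex-domain case is the one that catches people out: a wildcard for `*.example.com` covers `shop.example.com` but not `example.com` itself, so a store reachable on both needs a multi-domain certificate or a second certificate.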
PCI

PCI SSC: Payment Card Industry Security Standards Council. The body responsible for managing the security standards for the industry.
PCI-DSS: The PCI Data Security Standard. The security standards merchants are required to follow and certify their compliance.
PA-DSS: The Payment Application Data Security Standard. Security standards for payment applications such as payment gateways & shopping carts.
PCI-DSS
12 requirements for any business that stores, processes or
          transmits cardholder payment data
PCI-DSS
Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

PCI-DSS
Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

PCI-DSS
Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

PCI-DSS
Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

PCI-DSS
Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

PCI-DSS
Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security
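Requirement 3 and Requirement 10 pull against each other in one common place: the access logs Requirement 10 asks for must not themselves become a store of cardholder data. The following is an added example, not code from the talk, showing a check a merchant can run over application logs: it finds digit runs that look like card numbers, uses the Luhn check digit to separate real PANs from order ids, and masks them to the first six and last four digits (the portion PCI-DSS permits to be displayed). A non-zero hit count means the application is writing PANs to its logs. The log lines are constructed samples; the card number is the 4111 1111 1111 1111 test number from the encryption slide.

```python
"""PAN detection and masking for log lines (added example; sample log
lines are constructed, not taken from any real store)."""
import re

# Candidate PAN: 13-19 digits, optionally split by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> tuple[str, int]:
    """Return the line with every Luhn-valid PAN masked, plus the hit count."""
    hits = 0

    def replace(match: re.Match) -> str:
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits += 1
            return mask_pan(digits)
        return match.group(0)   # not a card number, leave it alone

    return PAN_CANDIDATE.sub(replace, line), hits


def scan_log(lines: list[str]) -> tuple[list[str], int]:
    """Redact a whole log; the total tells you whether the app logs PANs."""
    redacted, total = [], 0
    for line in lines:
        clean, hits = redact_line(line)
        redacted.append(clean)
        total += hits
    return redacted, total


# Constructed sample log lines.
SAMPLE_LOG = [
    "2011-03-12 14:02:11 checkout order=10042 card=4111 1111 1111 1111 exp=12/14",
    "2011-03-12 14:02:12 gateway auth_code=A1B2C3 txn=1234567890123456 status=ok",
    "2011-03-12 14:02:13 admin login from 203.0.113.7",
    "2011-03-12 14:02:14 retry card_number=4111-1111-1111-1111",
]

if __name__ == "__main__":
    clean, total = scan_log(SAMPLE_LOG)
    print("\n".join(clean))
    print(f"{total} card number(s) found in {len(SAMPLE_LOG)} lines")
```

The Luhn filter is what keeps the check usable: the 16-digit transaction id on the second line fails it and is left alone, while the two forms of the test card number on the first and last lines are masked. Masking after the fact is a detection control; the fix is to stop the application writing the number in the first place.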
PCI Compliance

Assess     Remediate      Report

Assess: Assess your network and IT resources for vulnerabilities. Constantly monitor access and usage of cardholder data. Log data must be available for analysis.
Remediate: Remediate (fix) vulnerabilities that threaten unauthorized access to cardholder data.
Report: Report compliance and present evidence that data protection controls are in place.
SAQ
    Self Assessment Questionnaire


•   A checklist for the requirements with nice little yes/no boxes

•   You “assess” with it

•   Get it here: http://j.mp/pcisaqs
WordPress Security
     in a Nutshell
Use a Strong Password
The first line of defense against would-be hackers
Avoid the ‘admin’ account
Set up a different admin account with another name
Salt your keys
define('AUTH_KEY',           'el1%+7]b}R._7jj|fZ{XSG]Yh8#>s,qjnD}%x?w~H-y99Hk5+#+wON7=$L8iqgm-');
define('SECURE_AUTH_KEY',    '-)pv+c~$2[6O|TBobgd+n#8H8`|QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-');
define('LOGGED_IN_KEY',      ']MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS|)l-R9%or/?W!]VVp~du');
define('NONCE_KEY',          'p2?y4<?z3NwtC>=|kwv#Qqx|12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z');
define('AUTH_SALT',          '4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X ');
define('SECURE_AUTH_SALT',   'X6@IARBL/cY-U:34s:Mw|v0{r:h`ti-I,Shm<dFxc}7goavd?zWO!6%7Xgel~^3S');
define('LOGGED_IN_SALT',     '&>,SOL-.7cwk*Wf|&JV$hnvF/fI><]VobM2@8^Z:*_X,P=qVf>6X,p>9i!-:C`fA');
define('NONCE_SALT',         'Tk_RGSGz4CBtvzdeFT7KRLP>Vc$y$2VqC3@+l[iQ!h`aq[4G)^9CVwZOI,7lWd0a');
Hide your database tables
Change the table prefix:
$table_prefix = 'wp_';
$table_prefix = 'g5a21R_';
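The two wp-config.php tips above (fresh keys and salts, a non-default table prefix) are easy to check mechanically. The following is an added example, not code from the talk or from WordPress: it audits a wp-config.php fragment for the sample placeholder text, short or reused key values, missing constants and the default `wp_` prefix, and generates replacement define() lines. It assumes the eight constants and `$table_prefix` appear as single-quoted PHP literals, as in the stock wp-config.php, and treats 64 characters (the length of the keys on the slide) as the expected key length; the generator alphabet (printable ASCII minus quotes and backslash) is my choice, not WordPress's. The weak config is constructed.

```python
"""wp-config.php hardening audit (added example; the weak config below is
constructed, and the 64-character expectation and alphabet are assumptions)."""
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # text shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")
# Generator alphabet: printable ASCII minus the quotes and backslash that
# would need escaping inside a PHP single-quoted string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")


def audit_wp_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    defined = dict(DEFINE_RE.findall(text))
    seen = {}                                   # value -> first constant using it
    for name in KEY_NAMES:
        value = defined.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif PLACEHOLDER in value.lower():
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < 64:
            findings.append(f"{name}: only {len(value)} characters, expected 64")
        elif value in seen:
            findings.append(f"{name}: same value as {seen[value]}")
        else:
            seen[value] = name
    prefix = PREFIX_RE.search(text)
    if prefix is None:
        findings.append("table_prefix: not set")
    elif prefix.group(1) == "wp_":
        findings.append("table_prefix: still the default 'wp_'")
    return findings


def generate_salts(length: int = 64) -> str:
    """Eight fresh define() lines, one random value per constant."""
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(ALPHABET) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)


def hardened_config(prefix: str = "g5a21R_") -> str:
    """A config fragment that passes every check above."""
    return generate_salts() + f"\n$table_prefix = '{prefix}';\n"


# Constructed weak config: placeholders, a short key, a reused value,
# three missing constants and the default prefix.
REUSED = "x7Qf!kL2" * 8
WEAK_CONFIG = f"""
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'short-key');
define('NONCE_KEY',        '{REUSED}');
define('AUTH_SALT',        '{REUSED}');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for finding in audit_wp_config(WEAK_CONFIG):
        print("weak config:", finding)
    print("hardened config:", audit_wp_config(hardened_config()) or "no findings")
```

Changing the keys logs every user out, since the cookies they sign stop validating, so do it at a quiet time; changing the prefix on an existing site also needs the tables and the prefixed option/usermeta rows renamed, which this fragment does not do.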
Update Everything
Keep WordPress, your theme and plugins up-to-date
Backup Everything
Always, always, always make regular backups: files & db
E-commerce Tools for
     WordPress
     What’s out there?
WP eCommerce
      getshopped.org

The oldest & most widely used
  Physical & digital products
 A variety of payment options
   Several shipping options
        Marketing tools

Free + paid add-ons ($10-195)
Cart66
        cart66.com

      Newest solution
     Uses [shortcodes]
   7 payment solutions
Subscriptions & Membership

    Free Lite Version or
       $89-399/year
Shopp
   shopplugin.net


  A popular solution
18 payment gateways
 10 shipping options
 200+ template tags

    $55 or $299
    $25 add-ons
Jonathan Davis
 Twitter: @jonathandavis
Email: jon@shopplugin.net

     shopplugin.net

More Related Content

Viewers also liked

DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmapMiroslav Stampar
 
State of the Word 2016
State of the Word 2016State of the Word 2016
State of the Word 2016photomatt
 
Pushing Python: Building a High Throughput, Low Latency System
Pushing Python: Building a High Throughput, Low Latency SystemPushing Python: Building a High Throughput, Low Latency System
Pushing Python: Building a High Throughput, Low Latency SystemKevin Ballard
 
State of the Word 2015, WordCamp US
State of the Word 2015, WordCamp USState of the Word 2015, WordCamp US
State of the Word 2015, WordCamp USphotomatt
 
Git study notes
Git study notesGit study notes
Git study notesAngus Li
 
Twitter Presentation: #APIConSF
Twitter Presentation: #APIConSFTwitter Presentation: #APIConSF
Twitter Presentation: #APIConSFRyan Choi
 
Time to climb-- results of national study of disadvantaged entrepreneurs ...
Time to climb-- results of national study of disadvantaged entrepreneurs ...Time to climb-- results of national study of disadvantaged entrepreneurs ...
Time to climb-- results of national study of disadvantaged entrepreneurs ...Richard Swart, PhD
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
Ako na rýchly web - WordCamp Žilina 2016 - xKatka
Ako na rýchly web - WordCamp Žilina 2016 - xKatkaAko na rýchly web - WordCamp Žilina 2016 - xKatka
Ako na rýchly web - WordCamp Žilina 2016 - xKatkaKatarina Novotna
 
Customize Your WordPress Theme the Right Way
Customize Your WordPress Theme the Right WayCustomize Your WordPress Theme the Right Way
Customize Your WordPress Theme the Right WayDustin Hartzler
 
The power of a video library
The power of a video libraryThe power of a video library
The power of a video libraryLauren Jeffcoat
 
Lecture - (WordPress) Usability Issues
Lecture - (WordPress) Usability IssuesLecture - (WordPress) Usability Issues
Lecture - (WordPress) Usability IssuesRadka Nacheva
 
5-Point Online Marketing Training Regimen
5-Point Online Marketing Training Regimen5-Point Online Marketing Training Regimen
5-Point Online Marketing Training RegimenStoney deGeyter
 

Viewers also liked (13)

DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
 
State of the Word 2016
State of the Word 2016State of the Word 2016
State of the Word 2016
 
Pushing Python: Building a High Throughput, Low Latency System
Pushing Python: Building a High Throughput, Low Latency SystemPushing Python: Building a High Throughput, Low Latency System
Pushing Python: Building a High Throughput, Low Latency System
 
State of the Word 2015, WordCamp US
State of the Word 2015, WordCamp USState of the Word 2015, WordCamp US
State of the Word 2015, WordCamp US
 
Git study notes
Git study notesGit study notes
Git study notes
 
Twitter Presentation: #APIConSF
Twitter Presentation: #APIConSFTwitter Presentation: #APIConSF
Twitter Presentation: #APIConSF
 
Time to climb-- results of national study of disadvantaged entrepreneurs ...
Time to climb-- results of national study of disadvantaged entrepreneurs ...Time to climb-- results of national study of disadvantaged entrepreneurs ...
Time to climb-- results of national study of disadvantaged entrepreneurs ...
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
Ako na rýchly web - WordCamp Žilina 2016 - xKatka
Ako na rýchly web - WordCamp Žilina 2016 - xKatkaAko na rýchly web - WordCamp Žilina 2016 - xKatka
Ako na rýchly web - WordCamp Žilina 2016 - xKatka
 
Customize Your WordPress Theme the Right Way
Customize Your WordPress Theme the Right WayCustomize Your WordPress Theme the Right Way
Customize Your WordPress Theme the Right Way
 
The power of a video library
The power of a video libraryThe power of a video library
The power of a video library
 
Lecture - (WordPress) Usability Issues
Lecture - (WordPress) Usability IssuesLecture - (WordPress) Usability Issues
Lecture - (WordPress) Usability Issues
 
5-Point Online Marketing Training Regimen
5-Point Online Marketing Training Regimen5-Point Online Marketing Training Regimen
5-Point Online Marketing Training Regimen
 

Similar to E-commerce & WordPress: Navigating the Minefield

Secure Payment Integration for SAP
Secure Payment Integration for SAPSecure Payment Integration for SAP
Secure Payment Integration for SAPPaymetric, Inc.
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)Miminten
 
Payliance Industry partner program
Payliance Industry partner programPayliance Industry partner program
Payliance Industry partner programDustinP_Channel
 
WordPress eCommerce Review
WordPress eCommerce ReviewWordPress eCommerce Review
WordPress eCommerce Reviewbelsien
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...amadhireddy
 
Payment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVITPayment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVIThiteshasnani94
 
Tokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data StorageTokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data Storage- Mark - Fullbright
 
Credit Call Multi Channel
Credit Call Multi ChannelCredit Call Multi Channel
Credit Call Multi Channelpmsherlock
 
Digital banking cards
Digital banking cardsDigital banking cards
Digital banking cardsDhatshanaG
 
Subscription Systems and Recurring Payments in Drupal
Subscription Systems and Recurring Payments in DrupalSubscription Systems and Recurring Payments in Drupal
Subscription Systems and Recurring Payments in DrupalProdosh Banerjee
 
PayU Biz Product Deck (1)
PayU Biz Product Deck (1)PayU Biz Product Deck (1)
PayU Biz Product Deck (1)ICICI Bank
 
PCI Version Three and Thee
PCI Version Three and TheePCI Version Three and Thee
PCI Version Three and TheeTerra Verde
 
AtomicPay - Decentralized & Non-Custodial Payment Gateway
AtomicPay - Decentralized & Non-Custodial Payment GatewayAtomicPay - Decentralized & Non-Custodial Payment Gateway
AtomicPay - Decentralized & Non-Custodial Payment GatewayAtomicPay Ltd
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecurePaymetric, Inc.
 
Adaptive Payments SDK - Magento Developers Paradise
Adaptive Payments SDK - Magento Developers ParadiseAdaptive Payments SDK - Magento Developers Paradise
Adaptive Payments SDK - Magento Developers ParadisePayPal
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction pptSubhash Gupta
 
Credit card processing highrisk gateways
Credit card processing   highrisk gatewaysCredit card processing   highrisk gateways
Credit card processing highrisk gatewayshighrisk gateways
 

Similar to E-commerce & WordPress: Navigating the Minefield (20)

Secure Payment Integration for SAP
Secure Payment Integration for SAPSecure Payment Integration for SAP
Secure Payment Integration for SAP
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
Tisc99keynote
Tisc99keynoteTisc99keynote
Tisc99keynote
 
Payliance Industry partner program
Payliance Industry partner programPayliance Industry partner program
Payliance Industry partner program
 
WordPress eCommerce Review
WordPress eCommerce ReviewWordPress eCommerce Review
WordPress eCommerce Review
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
Payment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVITPayment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVIT
 
Tokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data StorageTokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data Storage
 
Credit Call Multi Channel
Credit Call Multi ChannelCredit Call Multi Channel
Credit Call Multi Channel
 
Digital banking cards
Digital banking cardsDigital banking cards
Digital banking cards
 
Subscription Systems and Recurring Payments in Drupal
Subscription Systems and Recurring Payments in DrupalSubscription Systems and Recurring Payments in Drupal
Subscription Systems and Recurring Payments in Drupal
 
PayU Biz Product Deck (1)
PayU Biz Product Deck (1)PayU Biz Product Deck (1)
PayU Biz Product Deck (1)
 
PCI Version Three and Thee
PCI Version Three and TheePCI Version Three and Thee
PCI Version Three and Thee
 
AtomicPay - Decentralized & Non-Custodial Payment Gateway
AtomicPay - Decentralized & Non-Custodial Payment GatewayAtomicPay - Decentralized & Non-Custodial Payment Gateway
AtomicPay - Decentralized & Non-Custodial Payment Gateway
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
 
Adaptive Payments SDK - Magento Developers Paradise
Adaptive Payments SDK - Magento Developers ParadiseAdaptive Payments SDK - Magento Developers Paradise
Adaptive Payments SDK - Magento Developers Paradise
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction ppt
 
RBS World Pay
RBS World Pay RBS World Pay
RBS World Pay
 
Credit card processing highrisk gateways
Credit card processing   highrisk gatewaysCredit card processing   highrisk gateways
Credit card processing highrisk gateways
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

E-commerce & WordPress: Navigating the Minefield

  • 1. E-commerce & WordPress: Navigating the Minefield Jonathan Davis, Ingenesis Limited @jonathandavis
  • 2. $165.4 billion total e-commerce sales in 2010
  • 3. merchant accounts payment gateways fulfillment systems e-commerce is hard! SEO PCI compliance Security SSL certificates shopping carts
  • 4.
  • 5. Navigating the Minefield not so much! ‣ Offsite/Onsite payments ‣ Encryption certificate easy buyers guide ‣ Processing payments with gateways ‣ PCI Compliance ‣ Merchant Account ‣ Security Tips for shopping tips Ecommerce on WordPress ‣ Ecommerce Tools for WP
  • 6. Onsite or Offsite? Offsite Payments: • Extra checkout steps • Can be more confusing • No SSL certificate • No PCI-compliance certification required • Examples: PayPal Standard or Google Checkout. Onsite Payments: • Extra setup steps • Seamless (easy) checkout experience • Website requires SSL certificate • Merchant required to certify PCI compliance • Requires a Merchant Account
  • 7. payment gateway • a service to process payments online • it’s a kind of PoS
  • 8. PayPal Standard: Customer leaves the website to enter payment details and does not return to the site. No setup work. Express Checkout: Customer jumps to PayPal to enter payment details, returns to complete the order. Not much setup work. WebsitePaymentsPro: Seamless checkout onsite. Customer never leaves the store. Extra setup work.
  • 10. Credit Card Payments (flow diagram): Customer → secure Web Server → Payment Gateway (authorize & capture) → Banks; the response (confirms or declines) travels back along the same path; the Banks transfer funds to the Merchant.
  • 11. merchant account • a special type of bank account for accepting payments from debit or credit cards (payment cards) • an agreement between the merchant, the bank and payment processor
  • 12. Merchant Accounts | Costs: Discount Rates • 3-Tiered pricing: Qualified rate, Mid-qualified rate, Non-qualified rate • 6-Tiered pricing • Interchange Plus Pricing • Bill Backs
  • 13. Merchant Accounts | Costs: Fees • Authorization fee • Statement fee • Monthly minimum fee • Batch fee • Customer Service fee • Annual fee • Early termination fee • Chargeback fee
  • 14. Merchant Accounts | Tips • Some merchant account providers have their own payment gateways • Plan time to get approval • Find out about your monthly limits to prevent shutdowns • Find out about the reserve amount • Beware the chargeback
  • 15. encryption • the process of making information unreadable to anyone without “special knowledge” • “special knowledge” is the key
  • 16. TLS/SSL Encryption (Transport Layer Security/Secure Sockets Layer) • Some seriously scary technical voodoo magic • Garbles browser to server communication over the Internet • No one else can access the information • Browser uses the public key found in the certificate to encrypt information before sending it to the server • Server uses a private key to decrypt information from the browser
  • 17. (Diagram) Customer, web browser: 4111 1111 1111 1111 → encrypt with the public key → f37b13464e451a214b39507061af9c9a2613fbab crosses the public internet → decrypt with the private key → 4111 1111 1111 1111 on the Secure Web Server (server side)
  • 18. secure (SSL) certificate • a specialized electronic document that certifies a public encryption key to an identity
  • 19. Secure Certificate | Buyers Guide • Ongoing costs in the range $50–$1500/year • 3-4 certificate types: Single-domain, Multiple sub-domains, Wildcard sub-domains, Extended Validation (EV). Vendors • Verisign (Costly) www.verisign.com • Comodo (Moderate) instantssl.com • GoDaddy (Cheap) godaddy.com • Network Solutions (Cheap) networksolutions.com
  • 20. PCI: PCI SSC, the Payment Card Industry Security Standards Council: the body responsible for managing the security standards for the industry. PCI-DSS, the PCI Data Security Standard: the security standards merchants are required to follow and certify their compliance. PA-DSS, the Payment Application Data Security Standard: security standards for payment applications such as payment gateways & shopping carts.
  • 21. PCI-DSS 12 requirements for any business that stores, processes or transmits cardholder payment data
  • 22. PCI-DSS | Build and Maintain a Secure Network. Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  • 23. PCI-DSS | Protect Cardholder Data. Requirement 3: Protect stored cardholder data. Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  • 24. PCI-DSS | Maintain a Vulnerability Management Program. Requirement 5: Use and regularly update anti-virus software. Requirement 6: Develop and maintain secure systems and applications.
  • 25. PCI-DSS | Implement Strong Access Control Measures. Requirement 7: Restrict access to cardholder data by business need-to-know. Requirement 8: Assign a unique ID to each person with computer access. Requirement 9: Restrict physical access to cardholder data.
  • 26. PCI-DSS | Regularly Monitor and Test Networks. Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes.
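Requirement 3 above says stored cardholder data must be protected; the slide does not show what that looks like in code. The following added example (not part of the deck) shows the two usual treatments for a PAN, masking for display and truncation for storage, plus a scan that flags a full PAN that has leaked into free text such as an order note or log line. It assumes the PCI DSS masking rule of showing at most the first six and last four digits, and adds a Luhn check (standard card-number checksum) to cut false positives.

```python
import re

# Constructed sample value for this example: the Visa test number shown in the
# slides, not a real cardholder's PAN.
SAMPLE_PAN = "4111 1111 1111 1111"

# Digit runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; real card numbers pass it, most order ids do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and require a 13-19 digit value; raise on anything else."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-shaped value")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: first six and last four visible, middle digits replaced."""
    d = normalize_pan(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form: keep only first six + last four; the rest is discarded, not hidden."""
    d = normalize_pan(pan)
    return d[:6] + d[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return every full PAN found in text (order notes, logs) so it can be redacted."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(m.group(0))
    return hits
```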
  • 27. PCI-DSS Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security
  • 28. PCI Compliance Assess Remediate Report
  • 29. PCI Compliance Assess Remediate Report Assess your network and IT resources for vulnerabilities. Constantly monitor access and usage of cardholder data. Log data must be available for analysis
  • 30. PCI Compliance Assess Remediate Report Remediate (fix) vulnerabilities that threaten unauthorized access to cardholder data
  • 31. PCI Compliance Assess Remediate Report Report compliance and present evidence that data protection controls are in place
  • 32. SAQ Self Assessment Questionnaire • A checklist for the requirements with nice little yes/no boxes • You “assess” with it • Get it here: http://j.mp/pcisaqs
  • 33. WordPress Security in a Nutshell
  • 34. Use a Strong Password The first line of defense against would-be hackers
  • 35. Avoid the ‘admin’ account Set up a different admin account with another name
  • 36. Salt your keys define('AUTH_KEY', 'el1%+7]b}R._7jj|fZ{XSG]Yh8#>s,qjnD}%x?w~H-y99Hk5+#+wON7=$L8iqgm-'); define('SECURE_AUTH_KEY', '-)pv+c~$2[6O|TBobgd+n#8H8`|QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-'); define('LOGGED_IN_KEY', ']MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS|)l-R9%or/?W!]VVp~du'); define('NONCE_KEY', 'p2?y4<?z3NwtC>=|kwv#Qqx|12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z'); define('AUTH_SALT', '4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X '); define('SECURE_AUTH_SALT', 'X6@IARBL/cY-U:34s:Mw|v0{r:h`ti-I,Shm<dFxc}7goavd?zWO!6%7Xgel~^3S'); define('LOGGED_IN_SALT', '&>,SOL-.7cwk*Wf|&JV$hnvF/fI><]VobM2@8^Z:*_X,P=qVf>6X,p>9i!-:C`fA'); define('NONCE_SALT', 'Tk_RGSGz4CBtvzdeFT7KRLP>Vc$y$2VqC3@+l[iQ!h`aq[4G)^9CVwZOI,7lWd0a');
  • 37. Hide your database tables Change the table prefix from $table_prefix = 'wp_'; to something like $table_prefix = 'g5a21R_';
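Slides 36 and 37 show the finished wp-config.php values but not how to produce or verify them. This added example (mine, not the deck's or WordPress's own code) generates the eight keys/salts and a random table prefix with a cryptographic RNG, and checks an existing wp-config.php for constants that are missing, still the sample file's "put your unique phrase here" placeholder, or too short. The character set and the 64-character length are assumptions modelled on the values on slide 36.

```python
import re
import secrets
import string

# Assumed character set: printable ASCII minus whitespace and the quote/backslash
# characters that would need escaping inside a single-quoted PHP string.
WP_KEY_CHARS = "".join(c for c in string.printable
                       if c not in "'\"\\" and not c.isspace())
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # default in wp-config-sample.php
MIN_KEY_LEN = 32                              # assumed floor for a "real" key

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def wp_secret(length: int = 64) -> str:
    """One key/salt value drawn from the CSPRNG, never from random.random()."""
    return "".join(secrets.choice(WP_KEY_CHARS) for _ in range(length))


def wp_table_prefix(random_len: int = 6) -> str:
    """Random prefix in the style of the slide's 'g5a21R_': letters/digits plus '_'."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(random_len)) + "_"


def render_key_defines() -> str:
    """The eight define() lines ready to paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{wp_secret()}');" for name in KEY_NAMES)


def weak_config_keys(config_text: str) -> list[str]:
    """Names of key/salt constants that are absent, placeholder, or shorter than MIN_KEY_LEN."""
    found = dict(DEFINE_RE.findall(config_text))
    weak = []
    for name in KEY_NAMES:
        value = found.get(name)
        if value is None or value == PLACEHOLDER or len(value) < MIN_KEY_LEN:
            weak.append(name)
    return weak


if __name__ == "__main__":
    print(render_key_defines())
    print(f"$table_prefix = '{wp_table_prefix()}';")
```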
  • 38. Update Everything Keep WordPress, your theme and plugins up-to-date
  • 39. Backup Everything Always, always, always make regular backups: files & db
  • 40. E-commerce Tools for WordPress What’s out there?
  • 41. WP eCommerce getshopped.org The oldest & most widely used Physical & digital products A variety of payment options Several shipping options Marketing tools Free + paid add-ons ($10-195)
  • 42. Cart66 cart66.com Newest solution Uses [shortcodes] 7 payment solutions Subscriptions & Membership Free Lite Version or $89-399/year
  • 43. Shopp shopplugin.net A popular solution 18 payment gateways 10 shipping options 200+ template tags $55 or $299; $25 add-ons
  • 44. Jonathan Davis Twitter: @jonathandavis Email: jon@shopplugin.net shopplugin.net