SlideShare a Scribd company logo

E-commerce & WordPress: Navigating the Minefield

Ingenesis Limited
Ingenesis Limited

How to navigate the e-commerce minefield so you can launch the best site possible. The presentation goes over payment gateways, how credit card processing works, merchant accounts, SSL certificates, PCI compliance, WordPress security tips and (briefly) some of the more popular e-commerce plugin solutions for WordPress.

1 of 44
E-commerce & WordPress: Navigating the Minefield Jonathan Davis, Ingenesis Limited @jonathandavis
$165.4 billion total e-commerce sales in 2010
merchant accounts payment gateways fulfillment systems e-commerce is hard! SEO PCI compliance Security SSL certificates shopping carts
E-commerce & WordPress: Navigating the Minefield
Navigating the Minefield not so much! ‣ Offsite/Onsite payments ‣ Encryption certificate easy buyers guide ‣ Processing payments with gateways ‣ PCI Compliance ‣ Merchant Account ‣ Security Tips for shopping tips Ecommerce on WordPress ‣ Ecommerce Tools for WP
Onsite or Offsite? Offsite Payments Onsite Payments • Extra checkout steps • Extra setup steps • Can be more confusing • Seamless (easy) checkout experience • No SSL certificate • Website requires • No PCI-compliance SSL certificate certification required • Merchant required to certify • Examples: PayPal Standard or PCI compliance Google Checkout • Requires a Merchant Account
payment gateway • a service to process payments online • it’s a kind of PoS
PayPal Standard Express Checkout WebsitePaymentsPro Customer leaves Customer jumps to Seamless checkout the website to PayPal to enter onsite. Customer enter payment payment details, never leaves the details and does returns to complete store. Extra setup not return to the the order. Not work. site. No setup work. much setup work.
Payment Gateway Providers
Credit Card Payments Secure authorize & capture Payment Gateway Web Server response co e nfi r ns de rm po or s re re s po ns e Customer Banks d re fer ns tra n ds fu Merchant
merchant account • a special type of bank account for accepting payments from debit or credit cards (payment cards) • an agreement between the merchant, the bank and payment processor
Merchant Accounts | Costs Discount Rates • 3-Tiered pricing • 6-Tiered pricing • Qualified Rate • Interchange Plus Pricing • Mid-qualified rate • Bill Backs • Non-qualified rate
Merchant Accounts | Costs Fees • Authorization fee • Customer Service fee • Statement fee • Annual fee • Monthly minimum fee • Early termination fee • Batch fee • Chargeback fee
Merchant Accounts | Tips • Some merchant account providers have their own payment gateways • Plan time to get approval • Find out about your monthly limits to prevent shutdowns • Find out about the reserve amount • Beware the chargeback
encryption • the process of making information unreadable to anyone without “special knowledge” • “special knowledge” is the key
TLS/SSL Encryption Transport Layer Security/Secure Sockets Layer • Some seriously scary • Browser uses the public key technical voodoo magic found in the certificate to • Garbles browser to server encrypt information before communication over the sending it to the server Internet • Server uses a private key to • No one else can access the decrypt information from the information browser
Customer 4111 1111 1111 1111 encrypt web browser public f37b13464e451a214b39 507061af9c9a2613fbab public internet 4111 1111 1111 1111 decrypt private Secure Web Server server side
secure (SSL) certificate • a specialized electronic document certifies a public encryption key to an identity
Secure Certificate | Buyers Guide • Ongoing costs in the range Vendors $50–$1500/year • Verisign (Costly) • 3-4 certificate types: www.verisign.com • Single-domain • Comodo (Moderate) • Multiple sub-domains instantssl.com • Wildcard sub-domains • GoDaddy (Cheap) • Extended Validation (EV) godaddy.com • Network Solutions (Cheap) networksolutions.com
PCI PCI SSC PCI-DSS PA-DSS Payment Card The PCI Data The Payment Industry Security Security Standard Application Data Standards Council Security Standard The security The body standards Security standards responsible for merchants are for payment managing the required to follow applications such as security standards and certify their payment gateways for the industry compliance & shopping carts
PCI-DSS 12 requirements for any business that stores, processes or transmits cardholder payment data
PCI-DSS Build and Maintain a Secure Network Requirement 1: Requirement 2: Install and maintain a firewall Do not use vendor-supplied configuration to protect defaults for system passwords cardholder data and other security parameters
PCI-DSS Protect Cardholder Data Requirement 3: Requirement 4: Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks
PCI-DSS Maintain a Vulnerability Management Program Requirement 5: Requirement 6: Use and regularly update Develop and maintain secure anti-virus software systems and applications
PCI-DSS Implement Strong Access Control Measures Requirement 7: Requirement 8: Requirement 9: Restrict access to Assign a unique ID Restrict physical cardholder data by to each person with access to business need-to- computer access cardholder data know
PCI-DSS Regularly Monitor and Test Networks Requirement 10: Requirement 11: Track and monitor all access to Regularly test security systems network resources and and processes cardholder data
PCI-DSS Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security
PCI Compliance Assess Remediate Report
PCI Compliance Assess Remediate Report Assess your network and IT resources for vulnerabilities. Constantly monitor access and usage of cardholder data. Log data must be available for analysis
PCI Compliance Assess Remediate Report Remediate (fix) vulnerabilities that threaten unauthorized access to cardholder data
PCI Compliance Assess Remediate Report Report compliance and present evidence that data protection controls are in place
SAQ Self Assessment Questionnaire • A checklist for the requirements with nice little yes/no boxes • You “assess” with it • Get it here: http://j.mp/pcisaqs
WordPress Security in a Nutshell
Use a Strong Password The first line of defense against would-be hackers
Avoid the ‘admin’ account Setup a different admin account with another name
Salt your keys define('AUTH_KEY', 'el1%+7]b}R._7jj|fZ{XSG]Yh8#>s,qjnD}%x?w~H-y99Hk5+#+wON7=$L8iqgm-'); define('SECURE_AUTH_KEY', '-)pv+c~$2[6O|TBobgd+n#8H8`|QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-'); define('LOGGED_IN_KEY', ']MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS|)l-R9%or/?W!]VVp~du'); define('NONCE_KEY', 'p2?y4<?z3NwtC>=|kwv#Qqx|12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z'); define('AUTH_SALT', '4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X '); define('SECURE_AUTH_SALT', 'X6@IARBL/cY-U:34s:Mw|v0{r:h`ti-I,Shm<dFxc}7goavd?zWO!6%7Xgel~^3S'); define('LOGGED_IN_SALT', '&>,SOL-.7cwk*Wf|&JV$hnvF/fI><]VobM2@8^Z:*_X,P=qVf>6X,p>9i!-:C`fA'); define('NONCE_SALT', 'Tk_RGSGz4CBtvzdeFT7KRLP>Vc$y$2VqC3@+l[iQ!h`aq[4G)^9CVwZOI,7lWd0a');
Hide your database tables Change the table prefix: $table_prefix = ‘wp_’; $table_prefix = ‘g5a21R_’;
Update Everything Keep WordPress, your theme and plugins up-to-date
Backup Everything Always, always, always make regular backups: files & db
E-commerce Tools for WordPress What’s out there?
WP eCommerce getshopped.org The oldest & most widely used Physical & digital products A variety of payment options Several shipping options Marketing tools Free + paid add-ons ($10-195)
Cart66 cart66.com Newest solution Uses [shortcodes] 7 payment solutions Subscriptions & Membership Free Lite Version or $89-399/year
Shopp shopplugin.net A popular solution 18 payment gateways 10 shipping options 200+ template tags $55 or $299 $25 add-ons
Jonathan Davis Twitter: @jonathandavis Email: jon@shopplugin.net shopplugin.net

Recommended

PCI What When AISA Sydney 2009
PCI What When AISA Sydney 2009PCI What When AISA Sydney 2009
PCI What When AISA Sydney 2009
Jason Edelstein
 
eMusic: WordPress in the Enterprise
eMusic: WordPress in the EnterpriseeMusic: WordPress in the Enterprise
eMusic: WordPress in the Enterprise
Scott Taylor
 
WordCamp SF 2011: Debugging in WordPress
WordCamp SF 2011: Debugging in WordPressWordCamp SF 2011: Debugging in WordPress
WordCamp SF 2011: Debugging in WordPress
andrewnacin
 
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
andrewnacin
 
How Testing Changed My Life
How Testing Changed My LifeHow Testing Changed My Life
How Testing Changed My Life
Nikolay Bachiyski
 
Coding, Scaling, and Deploys... Oh My!
Coding, Scaling, and Deploys... Oh My!Coding, Scaling, and Deploys... Oh My!
Coding, Scaling, and Deploys... Oh My!
Mark Jaquith
 
Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...
Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...
Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...
Shannon Smith
 
Don't Repeat Your Mistakes: JavaScript Unit Testing
Don't Repeat Your Mistakes: JavaScript Unit TestingDon't Repeat Your Mistakes: JavaScript Unit Testing
Don't Repeat Your Mistakes: JavaScript Unit Testing
aaronjorbin
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
Miroslav Stampar
 
State of the Word 2016
State of the Word 2016State of the Word 2016
State of the Word 2016
photomatt
 
Pushing Python: Building a High Throughput, Low Latency System
Pushing Python: Building a High Throughput, Low Latency SystemPushing Python: Building a High Throughput, Low Latency System
Pushing Python: Building a High Throughput, Low Latency System
Kevin Ballard
 
State of the Word 2015, WordCamp US
State of the Word 2015, WordCamp USState of the Word 2015, WordCamp US
State of the Word 2015, WordCamp US
photomatt
 
Git study notes
Git study notesGit study notes
Git study notes
Angus Li
 
Twitter Presentation: #APIConSF
Twitter Presentation: #APIConSFTwitter Presentation: #APIConSF
Twitter Presentation: #APIConSF
Ryan Choi
 
Time to climb-- results of national study of disadvantaged entrepreneurs ...
Time to climb-- results of national study of disadvantaged entrepreneurs ...Time to climb-- results of national study of disadvantaged entrepreneurs ...
Time to climb-- results of national study of disadvantaged entrepreneurs ...
Richard Swart, PhD
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
Chris Gates
 
Ako na rýchly web - WordCamp Žilina 2016 - xKatka
Ako na rýchly web - WordCamp Žilina 2016 - xKatkaAko na rýchly web - WordCamp Žilina 2016 - xKatka
Ako na rýchly web - WordCamp Žilina 2016 - xKatka
Katarina Novotna
 
Customize Your WordPress Theme the Right Way
Customize Your WordPress Theme the Right WayCustomize Your WordPress Theme the Right Way
Customize Your WordPress Theme the Right Way
Dustin Hartzler
 
The power of a video library
The power of a video libraryThe power of a video library
The power of a video library
Lauren Jeffcoat
 
Lecture - (WordPress) Usability Issues
Lecture - (WordPress) Usability IssuesLecture - (WordPress) Usability Issues
Lecture - (WordPress) Usability Issues
Radka Nacheva
 
5-Point Online Marketing Training Regimen
5-Point Online Marketing Training Regimen5-Point Online Marketing Training Regimen
5-Point Online Marketing Training Regimen
Stoney deGeyter
 
Secure Payment Integration for SAP
Secure Payment Integration for SAPSecure Payment Integration for SAP
Secure Payment Integration for SAP
Paymetric, Inc.
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
Tisc99keynote
Tisc99keynoteTisc99keynote
Tisc99keynote
Onkar Sule
 
Payliance Industry partner program
Payliance Industry partner programPayliance Industry partner program
Payliance Industry partner program
DustinP_Channel
 
WordPress eCommerce Review
WordPress eCommerce ReviewWordPress eCommerce Review
WordPress eCommerce Review
belsien
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
amadhireddy
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
Payment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVITPayment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVIT
hiteshasnani94
 
Tokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data StorageTokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data Storage
- Mark - Fullbright
 

More Related Content

Viewers also liked (13)

DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
Miroslav Stampar
 
State of the Word 2016
State of the Word 2016State of the Word 2016
State of the Word 2016
photomatt
 
Pushing Python: Building a High Throughput, Low Latency System
Pushing Python: Building a High Throughput, Low Latency SystemPushing Python: Building a High Throughput, Low Latency System
Pushing Python: Building a High Throughput, Low Latency System
Kevin Ballard
 
State of the Word 2015, WordCamp US
State of the Word 2015, WordCamp USState of the Word 2015, WordCamp US
State of the Word 2015, WordCamp US
photomatt
 
Git study notes
Git study notesGit study notes
Git study notes
Angus Li
 
Twitter Presentation: #APIConSF
Twitter Presentation: #APIConSFTwitter Presentation: #APIConSF
Twitter Presentation: #APIConSF
Ryan Choi
 
Time to climb-- results of national study of disadvantaged entrepreneurs ...
Time to climb-- results of national study of disadvantaged entrepreneurs ...Time to climb-- results of national study of disadvantaged entrepreneurs ...
Time to climb-- results of national study of disadvantaged entrepreneurs ...
Richard Swart, PhD
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
Chris Gates
 
Ako na rýchly web - WordCamp Žilina 2016 - xKatka
Ako na rýchly web - WordCamp Žilina 2016 - xKatkaAko na rýchly web - WordCamp Žilina 2016 - xKatka
Ako na rýchly web - WordCamp Žilina 2016 - xKatka
Katarina Novotna
 
Customize Your WordPress Theme the Right Way
Customize Your WordPress Theme the Right WayCustomize Your WordPress Theme the Right Way
Customize Your WordPress Theme the Right Way
Dustin Hartzler
 
The power of a video library
The power of a video libraryThe power of a video library
The power of a video library
Lauren Jeffcoat
 
Lecture - (WordPress) Usability Issues
Lecture - (WordPress) Usability IssuesLecture - (WordPress) Usability Issues
Lecture - (WordPress) Usability Issues
Radka Nacheva
 
5-Point Online Marketing Training Regimen
5-Point Online Marketing Training Regimen5-Point Online Marketing Training Regimen
5-Point Online Marketing Training Regimen
Stoney deGeyter
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
Miroslav Stampar
 
State of the Word 2016
State of the Word 2016State of the Word 2016
State of the Word 2016
photomatt
 
Pushing Python: Building a High Throughput, Low Latency System
Pushing Python: Building a High Throughput, Low Latency SystemPushing Python: Building a High Throughput, Low Latency System
Pushing Python: Building a High Throughput, Low Latency System
Kevin Ballard
 
State of the Word 2015, WordCamp US
State of the Word 2015, WordCamp USState of the Word 2015, WordCamp US
State of the Word 2015, WordCamp US
photomatt
 
Git study notes
Git study notesGit study notes
Git study notes
Angus Li
 
Twitter Presentation: #APIConSF
Twitter Presentation: #APIConSFTwitter Presentation: #APIConSF
Twitter Presentation: #APIConSF
Ryan Choi
 
Time to climb-- results of national study of disadvantaged entrepreneurs ...
Time to climb-- results of national study of disadvantaged entrepreneurs ...Time to climb-- results of national study of disadvantaged entrepreneurs ...
Time to climb-- results of national study of disadvantaged entrepreneurs ...
Richard Swart, PhD
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
Chris Gates
 
Ako na rýchly web - WordCamp Žilina 2016 - xKatka
Ako na rýchly web - WordCamp Žilina 2016 - xKatkaAko na rýchly web - WordCamp Žilina 2016 - xKatka
Ako na rýchly web - WordCamp Žilina 2016 - xKatka
Katarina Novotna
 
Customize Your WordPress Theme the Right Way
Customize Your WordPress Theme the Right WayCustomize Your WordPress Theme the Right Way
Customize Your WordPress Theme the Right Way
Dustin Hartzler
 
The power of a video library
The power of a video libraryThe power of a video library
The power of a video library
Lauren Jeffcoat
 
Lecture - (WordPress) Usability Issues
Lecture - (WordPress) Usability IssuesLecture - (WordPress) Usability Issues
Lecture - (WordPress) Usability Issues
Radka Nacheva
 
5-Point Online Marketing Training Regimen
5-Point Online Marketing Training Regimen5-Point Online Marketing Training Regimen
5-Point Online Marketing Training Regimen
Stoney deGeyter
 

Similar to E-commerce & WordPress: Navigating the Minefield (20)

Secure Payment Integration for SAP
Secure Payment Integration for SAPSecure Payment Integration for SAP
Secure Payment Integration for SAP
Paymetric, Inc.
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
Tisc99keynote
Tisc99keynoteTisc99keynote
Tisc99keynote
Onkar Sule
 
Payliance Industry partner program
Payliance Industry partner programPayliance Industry partner program
Payliance Industry partner program
DustinP_Channel
 
WordPress eCommerce Review
WordPress eCommerce ReviewWordPress eCommerce Review
WordPress eCommerce Review
belsien
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
amadhireddy
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
Payment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVITPayment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVIT
hiteshasnani94
 
Tokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data StorageTokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data Storage
- Mark - Fullbright
 
Credit Call Multi Channel
Credit Call Multi ChannelCredit Call Multi Channel
Credit Call Multi Channel
pmsherlock
 
Digital banking cards
Digital banking cardsDigital banking cards
Digital banking cards
DhatshanaG
 
Subscription Systems and Recurring Payments in Drupal
Subscription Systems and Recurring Payments in DrupalSubscription Systems and Recurring Payments in Drupal
Subscription Systems and Recurring Payments in Drupal
Prodosh Banerjee
 
PayU Biz Product Deck (1)
PayU Biz Product Deck (1)PayU Biz Product Deck (1)
PayU Biz Product Deck (1)
ICICI Bank
 
PCI Version Three and Thee
PCI Version Three and TheePCI Version Three and Thee
PCI Version Three and Thee
Terra Verde
 
AtomicPay - Decentralized & Non-Custodial Payment Gateway
AtomicPay - Decentralized & Non-Custodial Payment GatewayAtomicPay - Decentralized & Non-Custodial Payment Gateway
AtomicPay - Decentralized & Non-Custodial Payment Gateway
AtomicPay Ltd
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
Paymetric, Inc.
 
Adaptive Payments SDK - Magento Developers Paradise
Adaptive Payments SDK - Magento Developers ParadiseAdaptive Payments SDK - Magento Developers Paradise
Adaptive Payments SDK - Magento Developers Paradise
PayPal
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction ppt
Subhash Gupta
 
RBS World Pay
RBS World Pay RBS World Pay
RBS World Pay
guestadcf699
 
Credit card processing highrisk gateways
Credit card processing highrisk gatewaysCredit card processing highrisk gateways
Credit card processing highrisk gateways
highrisk gateways
 
Secure Payment Integration for SAP
Secure Payment Integration for SAPSecure Payment Integration for SAP
Secure Payment Integration for SAP
Paymetric, Inc.
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
Tisc99keynote
Tisc99keynoteTisc99keynote
Tisc99keynote
Onkar Sule
 
Payliance Industry partner program
Payliance Industry partner programPayliance Industry partner program
Payliance Industry partner program
DustinP_Channel
 
WordPress eCommerce Review
WordPress eCommerce ReviewWordPress eCommerce Review
WordPress eCommerce Review
belsien
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
amadhireddy
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
Payment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVITPayment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVIT
hiteshasnani94
 
Tokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data StorageTokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data Storage
- Mark - Fullbright
 
Credit Call Multi Channel
Credit Call Multi ChannelCredit Call Multi Channel
Credit Call Multi Channel
pmsherlock
 
Digital banking cards
Digital banking cardsDigital banking cards
Digital banking cards
DhatshanaG
 
Subscription Systems and Recurring Payments in Drupal
Subscription Systems and Recurring Payments in DrupalSubscription Systems and Recurring Payments in Drupal
Subscription Systems and Recurring Payments in Drupal
Prodosh Banerjee
 
PayU Biz Product Deck (1)
PayU Biz Product Deck (1)PayU Biz Product Deck (1)
PayU Biz Product Deck (1)
ICICI Bank
 
PCI Version Three and Thee
PCI Version Three and TheePCI Version Three and Thee
PCI Version Three and Thee
Terra Verde
 
AtomicPay - Decentralized & Non-Custodial Payment Gateway
AtomicPay - Decentralized & Non-Custodial Payment GatewayAtomicPay - Decentralized & Non-Custodial Payment Gateway
AtomicPay - Decentralized & Non-Custodial Payment Gateway
AtomicPay Ltd
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
Paymetric, Inc.
 
Adaptive Payments SDK - Magento Developers Paradise
Adaptive Payments SDK - Magento Developers ParadiseAdaptive Payments SDK - Magento Developers Paradise
Adaptive Payments SDK - Magento Developers Paradise
PayPal
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction ppt
Subhash Gupta
 
RBS World Pay
RBS World Pay RBS World Pay
RBS World Pay
guestadcf699
 
Credit card processing highrisk gateways
Credit card processing highrisk gatewaysCredit card processing highrisk gateways
Credit card processing highrisk gateways
highrisk gateways
 

Recently uploaded (20)

Google News Consideration for SEO | Google Search NYC
Google News Consideration for SEO | Google Search NYCGoogle News Consideration for SEO | Google Search NYC
Google News Consideration for SEO | Google Search NYC
Primary Position
 
Create a Beautiful Terminal for Windows 🚀
Create a Beautiful Terminal for Windows 🚀Create a Beautiful Terminal for Windows 🚀
Create a Beautiful Terminal for Windows 🚀
Chris Wahl
 
Step-Into-the-Game-Augmented-Reality-Gaming-Explained.pptx
Step-Into-the-Game-Augmented-Reality-Gaming-Explained.pptxStep-Into-the-Game-Augmented-Reality-Gaming-Explained.pptx
Step-Into-the-Game-Augmented-Reality-Gaming-Explained.pptx
BR Softech
 
Cloud Computing The Future of Technology
Cloud Computing The Future of TechnologyCloud Computing The Future of Technology
Cloud Computing The Future of Technology
joelmcapg
 
From native code gems to Java treasures with jextract
From native code gems to Java treasures with jextractFrom native code gems to Java treasures with jextract
From native code gems to Java treasures with jextract
Ana-Maria Mihalceanu
 
The Best of Both Worlds: Hybrid Clustering with Delta Lake
The Best of Both Worlds: Hybrid Clustering with Delta LakeThe Best of Both Worlds: Hybrid Clustering with Delta Lake
The Best of Both Worlds: Hybrid Clustering with Delta Lake
carlyakerly1
 
Mastering NIST CSF 2.0 - The New Govern Function.pdf
Mastering NIST CSF 2.0 - The New Govern Function.pdfMastering NIST CSF 2.0 - The New Govern Function.pdf
Mastering NIST CSF 2.0 - The New Govern Function.pdf
Bachir Benyammi
 
Making GenAI Work: A structured approach to implementation
Making GenAI Work: A structured approach to implementationMaking GenAI Work: A structured approach to implementation
Making GenAI Work: A structured approach to implementation
Jeffrey Funk
 
Emancipatory Information Retrieval (Invited Talk at UCC)
Emancipatory Information Retrieval (Invited Talk at UCC)Emancipatory Information Retrieval (Invited Talk at UCC)
Emancipatory Information Retrieval (Invited Talk at UCC)
Bhaskar Mitra
 
Comprehensive Guide to Ansible Application Roles.pdf
Comprehensive Guide to Ansible Application Roles.pdfComprehensive Guide to Ansible Application Roles.pdf
Comprehensive Guide to Ansible Application Roles.pdf
RHCSA Guru
 
Leveraging Knowledge Graphs for RAG: A Smarter Approach to Contextual AI Appl...
Leveraging Knowledge Graphs for RAG: A Smarter Approach to Contextual AI Appl...Leveraging Knowledge Graphs for RAG: A Smarter Approach to Contextual AI Appl...
Leveraging Knowledge Graphs for RAG: A Smarter Approach to Contextual AI Appl...
All Things Open
 
UiPath Automation Developer Associate Training Series 2025 - Session 7
UiPath Automation Developer Associate Training Series 2025 - Session 7UiPath Automation Developer Associate Training Series 2025 - Session 7
UiPath Automation Developer Associate Training Series 2025 - Session 7
DianaGray10
 
Ansible Vault Encrypting and Protecting Secrets - RHCE.pdf
Ansible Vault Encrypting and Protecting Secrets - RHCE.pdfAnsible Vault Encrypting and Protecting Secrets - RHCE.pdf
Ansible Vault Encrypting and Protecting Secrets - RHCE.pdf
RHCSA Guru
 
Windows Client Privilege Escalation-Shared.pptx
Windows Client Privilege Escalation-Shared.pptxWindows Client Privilege Escalation-Shared.pptx
Windows Client Privilege Escalation-Shared.pptx
Oddvar Moe
 
Unleash the Power of Symfony Messenger
Unleash the Power of Symfony MessengerUnleash the Power of Symfony Messenger
Unleash the Power of Symfony Messenger
Kris Wallsmith
 
CSUN 2025 - Interactive Charts for Everyone.pptx
CSUN 2025 - Interactive Charts for Everyone.pptxCSUN 2025 - Interactive Charts for Everyone.pptx
CSUN 2025 - Interactive Charts for Everyone.pptx
Øystein Moseng
 
Comparative Analysis of Reasoning Techniques
Comparative Analysis of Reasoning TechniquesComparative Analysis of Reasoning Techniques
Comparative Analysis of Reasoning Techniques
HoussemEddineDEGHA
 
Think Like and Architect Series: Session 1 of 9 Declarative Design
Think Like and Architect Series: Session 1 of 9 Declarative DesignThink Like and Architect Series: Session 1 of 9 Declarative Design
Think Like and Architect Series: Session 1 of 9 Declarative Design
Walter Spinrad
 
Designing for Multiple Blockchains in Industry Ecosystems
Designing for Multiple Blockchains in Industry EcosystemsDesigning for Multiple Blockchains in Industry Ecosystems
Designing for Multiple Blockchains in Industry Ecosystems
Dilum Bandara
 
Precisely Showcase - Data Governance, Quality & MDM.pdf
Precisely Showcase - Data Governance, Quality & MDM.pdfPrecisely Showcase - Data Governance, Quality & MDM.pdf
Precisely Showcase - Data Governance, Quality & MDM.pdf
Precisely
 
Google News Consideration for SEO | Google Search NYC
Google News Consideration for SEO | Google Search NYCGoogle News Consideration for SEO | Google Search NYC
Google News Consideration for SEO | Google Search NYC
Primary Position
 
Create a Beautiful Terminal for Windows 🚀
Create a Beautiful Terminal for Windows 🚀Create a Beautiful Terminal for Windows 🚀
Create a Beautiful Terminal for Windows 🚀
Chris Wahl
 
Step-Into-the-Game-Augmented-Reality-Gaming-Explained.pptx
Step-Into-the-Game-Augmented-Reality-Gaming-Explained.pptxStep-Into-the-Game-Augmented-Reality-Gaming-Explained.pptx
Step-Into-the-Game-Augmented-Reality-Gaming-Explained.pptx
BR Softech
 
Cloud Computing The Future of Technology
Cloud Computing The Future of TechnologyCloud Computing The Future of Technology
Cloud Computing The Future of Technology
joelmcapg
 
From native code gems to Java treasures with jextract
From native code gems to Java treasures with jextractFrom native code gems to Java treasures with jextract
From native code gems to Java treasures with jextract
Ana-Maria Mihalceanu
 
The Best of Both Worlds: Hybrid Clustering with Delta Lake
The Best of Both Worlds: Hybrid Clustering with Delta LakeThe Best of Both Worlds: Hybrid Clustering with Delta Lake
The Best of Both Worlds: Hybrid Clustering with Delta Lake
carlyakerly1
 
Mastering NIST CSF 2.0 - The New Govern Function.pdf
Mastering NIST CSF 2.0 - The New Govern Function.pdfMastering NIST CSF 2.0 - The New Govern Function.pdf
Mastering NIST CSF 2.0 - The New Govern Function.pdf
Bachir Benyammi
 
Making GenAI Work: A structured approach to implementation
Making GenAI Work: A structured approach to implementationMaking GenAI Work: A structured approach to implementation
Making GenAI Work: A structured approach to implementation
Jeffrey Funk
 
Emancipatory Information Retrieval (Invited Talk at UCC)
Emancipatory Information Retrieval (Invited Talk at UCC)Emancipatory Information Retrieval (Invited Talk at UCC)
Emancipatory Information Retrieval (Invited Talk at UCC)
Bhaskar Mitra
 
Comprehensive Guide to Ansible Application Roles.pdf
Comprehensive Guide to Ansible Application Roles.pdfComprehensive Guide to Ansible Application Roles.pdf
Comprehensive Guide to Ansible Application Roles.pdf
RHCSA Guru
 
Leveraging Knowledge Graphs for RAG: A Smarter Approach to Contextual AI Appl...
Leveraging Knowledge Graphs for RAG: A Smarter Approach to Contextual AI Appl...Leveraging Knowledge Graphs for RAG: A Smarter Approach to Contextual AI Appl...
Leveraging Knowledge Graphs for RAG: A Smarter Approach to Contextual AI Appl...
All Things Open
 
UiPath Automation Developer Associate Training Series 2025 - Session 7
UiPath Automation Developer Associate Training Series 2025 - Session 7UiPath Automation Developer Associate Training Series 2025 - Session 7
UiPath Automation Developer Associate Training Series 2025 - Session 7
DianaGray10
 
Ansible Vault Encrypting and Protecting Secrets - RHCE.pdf
Ansible Vault Encrypting and Protecting Secrets - RHCE.pdfAnsible Vault Encrypting and Protecting Secrets - RHCE.pdf
Ansible Vault Encrypting and Protecting Secrets - RHCE.pdf
RHCSA Guru
 
Windows Client Privilege Escalation-Shared.pptx
Windows Client Privilege Escalation-Shared.pptxWindows Client Privilege Escalation-Shared.pptx
Windows Client Privilege Escalation-Shared.pptx
Oddvar Moe
 
Unleash the Power of Symfony Messenger
Unleash the Power of Symfony MessengerUnleash the Power of Symfony Messenger
Unleash the Power of Symfony Messenger
Kris Wallsmith
 
CSUN 2025 - Interactive Charts for Everyone.pptx
CSUN 2025 - Interactive Charts for Everyone.pptxCSUN 2025 - Interactive Charts for Everyone.pptx
CSUN 2025 - Interactive Charts for Everyone.pptx
Øystein Moseng
 
Comparative Analysis of Reasoning Techniques
Comparative Analysis of Reasoning TechniquesComparative Analysis of Reasoning Techniques
Comparative Analysis of Reasoning Techniques
HoussemEddineDEGHA
 
Think Like and Architect Series: Session 1 of 9 Declarative Design
Think Like and Architect Series: Session 1 of 9 Declarative DesignThink Like and Architect Series: Session 1 of 9 Declarative Design
Think Like and Architect Series: Session 1 of 9 Declarative Design
Walter Spinrad
 
Designing for Multiple Blockchains in Industry Ecosystems
Designing for Multiple Blockchains in Industry EcosystemsDesigning for Multiple Blockchains in Industry Ecosystems
Designing for Multiple Blockchains in Industry Ecosystems
Dilum Bandara
 
Precisely Showcase - Data Governance, Quality & MDM.pdf
Precisely Showcase - Data Governance, Quality & MDM.pdfPrecisely Showcase - Data Governance, Quality & MDM.pdf
Precisely Showcase - Data Governance, Quality & MDM.pdf
Precisely
 

E-commerce & WordPress: Navigating the Minefield

  • 1. E-commerce & WordPress: Navigating the Minefield Jonathan Davis, Ingenesis Limited @jonathandavis
  • 2. $165.4 billion total e-commerce sales in 2010
  • 3. merchant accounts payment gateways fulfillment systems e-commerce is hard! SEO PCI compliance Security SSL certificates shopping carts
  • 5. Navigating the Minefield not so much! ‣ Offsite/Onsite payments ‣ Encryption certificate easy buyers guide ‣ Processing payments with gateways ‣ PCI Compliance ‣ Merchant Account ‣ Security Tips for shopping tips Ecommerce on WordPress ‣ Ecommerce Tools for WP
  • 6. Onsite or Offsite? Offsite Payments Onsite Payments • Extra checkout steps • Extra setup steps • Can be more confusing • Seamless (easy) checkout experience • No SSL certificate • Website requires • No PCI-compliance SSL certificate certification required • Merchant required to certify • Examples: PayPal Standard or PCI compliance Google Checkout • Requires a Merchant Account
  • 7. payment gateway • a service to process payments online • it’s a kind of PoS
  • 8. PayPal Standard Express Checkout WebsitePaymentsPro Customer leaves Customer jumps to Seamless checkout the website to PayPal to enter onsite. Customer enter payment payment details, never leaves the details and does returns to complete store. Extra setup not return to the the order. Not work. site. No setup work. much setup work.
  • 10. Credit Card Payments Secure authorize & capture Payment Gateway Web Server response co e nfi r ns de rm po or s re re s po ns e Customer Banks d re fer ns tra n ds fu Merchant
  • 11. merchant account • a special type of bank account for accepting payments from debit or credit cards (payment cards) • an agreement between the merchant, the bank and payment processor
  • 12. Merchant Accounts | Costs Discount Rates • 3-Tiered pricing • 6-Tiered pricing • Qualified Rate • Interchange Plus Pricing • Mid-qualified rate • Bill Backs • Non-qualified rate
  • 13. Merchant Accounts | Costs Fees • Authorization fee • Customer Service fee • Statement fee • Annual fee • Monthly minimum fee • Early termination fee • Batch fee • Chargeback fee
  • 14. Merchant Accounts | Tips • Some merchant account providers have their own payment gateways • Plan time to get approval • Find out about your monthly limits to prevent shutdowns • Find out about the reserve amount • Beware the chargeback
  • 15. encryption • the process of making information unreadable to anyone without “special knowledge” • “special knowledge” is the key
  • 16. TLS/SSL Encryption Transport Layer Security/Secure Sockets Layer • Some seriously scary • Browser uses the public key technical voodoo magic found in the certificate to • Garbles browser to server encrypt information before communication over the sending it to the server Internet • Server uses a private key to • No one else can access the decrypt information from the information browser
  • 17. Customer 4111 1111 1111 1111 encrypt web browser public f37b13464e451a214b39 507061af9c9a2613fbab public internet 4111 1111 1111 1111 decrypt private Secure Web Server server side
  • 18. secure (SSL) certificate • a specialized electronic document certifies a public encryption key to an identity
  • 19. Secure Certificate | Buyers Guide • Ongoing costs in the range Vendors $50–$1500/year • Verisign (Costly) • 3-4 certificate types: www.verisign.com • Single-domain • Comodo (Moderate) • Multiple sub-domains instantssl.com • Wildcard sub-domains • GoDaddy (Cheap) • Extended Validation (EV) godaddy.com • Network Solutions (Cheap) networksolutions.com
  • 20. PCI PCI SSC PCI-DSS PA-DSS Payment Card The PCI Data The Payment Industry Security Security Standard Application Data Standards Council Security Standard The security The body standards Security standards responsible for merchants are for payment managing the required to follow applications such as security standards and certify their payment gateways for the industry compliance & shopping carts
  • 21. PCI-DSS 12 requirements for any business that stores, processes or transmits cardholder payment data
  • 22. PCI-DSS Build and Maintain a Secure Network Requirement 1: Requirement 2: Install and maintain a firewall Do not use vendor-supplied configuration to protect defaults for system passwords cardholder data and other security parameters
  • 23. PCI-DSS Protect Cardholder Data Requirement 3: Requirement 4: Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks
  • 24. PCI-DSS Maintain a Vulnerability Management Program Requirement 5: Requirement 6: Use and regularly update Develop and maintain secure anti-virus software systems and applications
  • 25. PCI-DSS Implement Strong Access Control Measures Requirement 7: Requirement 8: Requirement 9: Restrict access to Assign a unique ID Restrict physical cardholder data by to each person with access to business need-to- computer access cardholder data know
  • 26. PCI-DSS Regularly Monitor and Test Networks Requirement 10: Requirement 11: Track and monitor all access to Regularly test security systems network resources and and processes cardholder data
  • 27. PCI-DSS Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security
  • 28. PCI Compliance Assess Remediate Report
  • 29. PCI Compliance Assess Remediate Report Assess your network and IT resources for vulnerabilities. Constantly monitor access and usage of cardholder data. Log data must be available for analysis
  • 30. PCI Compliance Assess Remediate Report Remediate (fix) vulnerabilities that threaten unauthorized access to cardholder data
  • 31. PCI Compliance Assess Remediate Report Report compliance and present evidence that data protection controls are in place
  • 32. SAQ Self Assessment Questionnaire • A checklist for the requirements with nice little yes/no boxes • You “assess” with it • Get it here: http://j.mp/pcisaqs
  • 33. WordPress Security in a Nutshell
  • 34. Use a Strong Password The first line of defense against would-be hackers
  • 35. Avoid the ‘admin’ account Setup a different admin account with another name
  • 36. Salt your keys define('AUTH_KEY', 'el1%+7]b}R._7jj|fZ{XSG]Yh8#>s,qjnD}%x?w~H-y99Hk5+#+wON7=$L8iqgm-'); define('SECURE_AUTH_KEY', '-)pv+c~$2[6O|TBobgd+n#8H8`|QcJD6`nML+vax52a+Rn9H[$e4`v8a ->1P){-'); define('LOGGED_IN_KEY', ']MoH-Sj+pxMk2,-]^RPr^)^i#5E}r~8Bu3AoFVbl9-WS|)l-R9%or/?W!]VVp~du'); define('NONCE_KEY', 'p2?y4<?z3NwtC>=|kwv#Qqx|12q~4hg?/?!`MvR+Z%pXSyj01nUBvJkm02{z0*}z'); define('AUTH_SALT', '4{]-;WEc,fEc]10RG< YhlO(7+HP-I,BS3!7GlE_-GXwsrS*cx}e}/]tne+pX+X '); define('SECURE_AUTH_SALT', 'X6@IARBL/cY-U:34s:Mw|v0{r:h`ti-I,Shm<dFxc}7goavd?zWO!6%7Xgel~^3S'); define('LOGGED_IN_SALT', '&>,SOL-.7cwk*Wf|&JV$hnvF/fI><]VobM2@8^Z:*_X,P=qVf>6X,p>9i!-:C`fA'); define('NONCE_SALT', 'Tk_RGSGz4CBtvzdeFT7KRLP>Vc$y$2VqC3@+l[iQ!h`aq[4G)^9CVwZOI,7lWd0a');
  • 37. Hide your database tables Change the table prefix: $table_prefix = ‘wp_’; $table_prefix = ‘g5a21R_’;
  • 38. Update Everything Keep WordPress, your theme and plugins up-to-date
  • 39. Backup Everything Always, always, always make regular backups: files & db
  • 40. E-commerce Tools for WordPress What’s out there?
  • 41. WP eCommerce getshopped.org The oldest & most widely used Physical & digital products A variety of payment options Several shipping options Marketing tools Free + paid add-ons ($10-195)
  • 42. Cart66 cart66.com Newest solution Uses [shortcodes] 7 payment solutions Subscriptions & Membership Free Lite Version or $89-399/year
  • 43. Shopp shopplugin.net A popular solution 18 payment gateways 10 shipping options 200+ template tags $55 or $299 $25 add-ons
  • 44. Jonathan Davis Twitter: @jonathandavis Email: jon@shopplugin.net shopplugin.net