How to navigate the e-commerce minefield so you can launch the best site possible. The presentation goes over payment gateways, how credit card processing works, merchant accounts, SSL certificates, PCI compliance, WordPress security tips and (briefly) some of the more popular e-commerce plugin solutions for WordPress.
3. e-commerce is hard!
merchant accounts
payment gateways
fulfillment systems
SEO
PCI compliance
Security
SSL certificates
shopping carts
5. Navigating the Minefield (not so much!)
‣ Offsite/Onsite payments (easy)
‣ Processing payments with gateways
‣ Merchant Account shopping tips
‣ Encryption certificate buyers guide
‣ PCI Compliance
‣ Security Tips for Ecommerce on WordPress
‣ Ecommerce Tools for WP
6. Onsite or Offsite?
Offsite Payments
• Extra checkout steps
• Can be a more confusing experience
• No SSL certificate
• No PCI-compliance certification required
• Examples: PayPal Standard or Google Checkout
Onsite Payments
• Extra setup steps
• Seamless (easy) checkout
• Website requires an SSL certificate
• Merchant required to certify PCI compliance
• Requires a Merchant Account
7. payment gateway
• a service to process payments online
• it’s a kind of point-of-sale (PoS) system
8. PayPal Standard, Express Checkout, Website Payments Pro
PayPal Standard: Customer leaves the website to enter payment details and does not return to the site. No setup work.
Express Checkout: Customer jumps to PayPal to enter payment details, then returns to complete the order. Not much setup work.
Website Payments Pro: Seamless checkout onsite. Customer never leaves the store. Extra setup work.
10. Credit Card Payments (diagram): Customer → Web Server → Payment Gateway → Banks. The gateway performs a secure authorize & capture with the banks; the banks respond, the response is passed back through the gateway and web server, the order is confirmed to the customer, and the banks transfer funds to the Merchant.
11. merchant account
• a special type of bank account for accepting
payments from debit or credit cards (payment
cards)
• an agreement between the merchant, the bank
and payment processor
14. Merchant Accounts | Tips
• Some merchant account providers have their
own payment gateways
• Plan time to get approval
• Find out about your monthly limits to prevent
shutdowns
• Find out about the reserve amount
• Beware the chargeback
15. encryption
• the process of making information unreadable to
anyone without “special knowledge”
• “special knowledge” is the key
16. TLS/SSL Encryption
Transport Layer Security/Secure Sockets Layer
• Some seriously scary technical voodoo magic
• Garbles browser to server communication over the Internet
• No one else can access the information
• Browser uses the public key found in the certificate to encrypt information before sending it to the server
• Server uses a private key to decrypt information from the browser
17. (diagram) Customer, web browser: 4111 1111 1111 1111 → encrypt with the public key → f37b13464e451a214b39507061af9c9a2613fbab → public internet → Secure Web Server, server side: decrypt with the private key → 4111 1111 1111 1111
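The encrypt-with-public-key, decrypt-with-private-key flow of slide 17, as an added Go example that is not part of the original presentation. It assumes RSA-OAEP with SHA-256 as the scheme (the slide names none) and generates a throwaway server key pair; real TLS negotiates a symmetric session key and does not encrypt application data directly with the certificate's public key, so this shows the slide's simplified model, plus the check that an unrelated private key cannot read the ciphertext.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// BrowserEncrypt is the customer side: the browser encrypts the card number with
// the server's public key (from its certificate). RSA-OAEP/SHA-256 is assumed here.
func BrowserEncrypt(pub *rsa.PublicKey, cardNumber string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(cardNumber), nil)
}

// ServerDecrypt is the web-server side: only the matching private key recovers the number.
func ServerDecrypt(priv *rsa.PrivateKey, ciphertext []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// RoundTrip uses a throwaway server key pair, runs both halves, and checks that an unrelated private key cannot read the ciphertext.
func RoundTrip(cardNumber string) (recovered, ctHex string, otherKeyFails bool, err error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", false, err
	}
	ct, err := BrowserEncrypt(&serverKey.PublicKey, cardNumber)
	if err != nil {
		return "", "", false, err
	}
	if recovered, err = ServerDecrypt(serverKey, ct); err != nil {
		return "", "", false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", false, err
	}
	_, otherErr := ServerDecrypt(otherKey, ct) // someone holding a different private key
	return recovered, hex.EncodeToString(ct), otherErr != nil, nil
}

func main() {
	rec, ctHex, otherFails, err := RoundTrip("4111 1111 1111 1111") // test PAN from the slide
	fmt.Println("on the wire:", ctHex[:40]+"...", "recovered:", rec, "other key rejected:", otherFails, err)
}
```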
18. secure (SSL) certificate
• a specialized electronic document that binds a public encryption key to an identity
20. PCI
PCI SSC: Payment Card Industry Security Standards Council. The body responsible for managing the security standards for the industry.
PCI-DSS: The PCI Data Security Standard. The security standards merchants are required to follow and certify their compliance with.
PA-DSS: The Payment Application Data Security Standard. Security standards for payment applications such as payment gateways & shopping carts.
22. PCI-DSS
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
23. PCI-DSS
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
24. PCI-DSS
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
25. PCI-DSS
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
26. PCI-DSS
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
29. PCI Compliance: Assess → Remediate → Report
Assess your network and IT resources for vulnerabilities. Constantly monitor access and usage of cardholder data. Log data must be available for analysis.
30. PCI Compliance: Remediate
Remediate (fix) vulnerabilities that could allow unauthorized access to cardholder data.
31. PCI Compliance: Report
Report compliance and present evidence that data protection controls are in place.
32. SAQ
Self Assessment Questionnaire
• A checklist for the requirements with nice little yes/no boxes
• You “assess” with it
• Get it here: http://j.mp/pcisaqs
41. WP eCommerce
getshopped.org
The oldest & most widely used
Physical & digital products
A variety of payment options
Several shipping options
Marketing tools
Free + paid add-ons ($10-195)
42. Cart66
cart66.com
Newest solution
Uses [shortcodes]
7 payment solutions
Subscriptions & Membership
Free Lite Version or
$89-399/year
43. Shopp
shopplugin.net
A popular solution
18 payment gateways
10 shipping options
200+ template tags
$55 or $299
$25 add-ons