Gaining User Trust in eCommerce
Andrew Wikel - Automattic
@slash1andy
About WooCommerce
• We are the #1 e-commerce
plugin for WordPress.
• We currently power approx. 30% of all online stores.
I Like Legos.
And Star Wars.
And Star Wars Legos.
My Background
• I love WordPress
• I’ve been working with it since 2008
• I worked for a non-profit for 7 years before coming to
WooThemes, and then Automattic
• I work in Payment Gateways Support for
WooCommerce at Automattic
The #1 tip for people accepting payment online:
Respect your users’ data, and treat it as your own.
– Andrew Wikel
“It’s all about trust. Getting your users to trust you, and
not betraying that trust by securing their info.”
User Trust
• This is huge. If you don’t have
the users’ trust, they won’t give
you money.
• There are many factors, and
not all of them are technical
Cart Abandonment
• Approx. 42% of customers on average never get past the 1st part of checkout
• There is a huge barrier in getting customers to
checkout
Optimize Checkout Process
• Tear down the “sign-in” barrier - don’t disconnect your
customer from giving you money. Customers can resent
being forced to create an account.
• Provide a progress indicator - just let people know how long
the process is, and where they are in it.
• Match the checkout with your site’s look and feel
• Never send your customer outside the checkout process
once they are there.
• Visually reinforce all sensitive fields on the payment page
Smashing Magazine Study
• There is a clear divergence between the
customer’s mental model of form-field security
and the actual security.
• Many test subjects didn’t think about security
until they had to enter their credit card details.
• As one test subject who had just abandoned
their purchase said, “It didn’t look safe
enough.” Her reaction wasn’t based on the
technical security of the website, but rather on
the perceived security of the fields.
• Source: http://www.smashingmagazine.com/2011/04/06/fundamental-guidelines-of-e-commerce-checkout-design/
Payment Options
• I recommend three
payment gateways:
A. Stripe
B. PayPal
C. Amazon
There are a Lot of Implications
• Your payment gateway is the place that your
customers are trusting to be safe with their info
• Not only do you have to trust completely that they won’t betray *your* trust; your user has to as well.
• Different gateways have varying security methods, some better than others.
On-Site Processing
• One of the methods that I mentioned earlier was
Stripe.
• Stripe is what we call an On-Site gateway. That just
means that it stays on your site, rather than sending
your customers to another site to checkout.
• Amazon is also an on-site processor, but a bit different from Stripe.
Off-Site Processing
• The other method that I recommended in the
beginning was PayPal - an Off-Site Processor
• That just means that your customers are sent to
another site to complete payment, and then that site
sends your store a notification that payment was
complete.
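An added example, not code from the talk, WooCommerce or PayPal: the checks a store should run on that notification before it marks the order paid. It follows the shape of PayPal's IPN handshake (echo the exact body back to the processor with cmd=_notify-validate prepended, proceed only on VERIFIED) and then checks the things a verified notice does not prove on its own. The processor stand-in, the receiver address, the order and every notification body are constructed for the demo.

```python
"""Verify a payment notification from an off-site processor before marking an
order as paid.

Added example, not code from the talk, WooCommerce or PayPal. It follows the
shape of PayPal's Instant Payment Notification (IPN) handshake: the store
receives a POST, echoes the exact body back to the processor prefixed with
cmd=_notify-validate, and proceeds only if the answer is VERIFIED. The
post_back callable is injected so the flow runs offline here; the processor
stand-in, the receiver address, the order and every notification body below
are constructed for the demo.
"""
from decimal import Decimal, InvalidOperation
from typing import Callable
from urllib.parse import parse_qsl

PostBack = Callable[[bytes], str]  # POSTs a body to the processor, returns its reply text


def verify_notification(raw_body: bytes, post_back: PostBack, *, our_receiver: str,
                        orders: dict, processed_txns: set) -> tuple:
    """Return (accepted, reason). Mutates processed_txns only on acceptance."""
    # 1. Ask the processor whether it really sent this exact body. The echo must be
    #    byte-for-byte, so work from the raw body, never from re-encoded fields.
    if post_back(b"cmd=_notify-validate&" + raw_body) != "VERIFIED":
        return False, "processor did not verify the notification"
    fields = dict(parse_qsl(raw_body.decode("utf-8"), keep_blank_values=True))
    # 2. A verified message is not the same as a completed payment (pending,
    #    refunded and reversed notices verify just as well).
    if fields.get("payment_status") != "Completed":
        return False, "payment not completed: %s" % fields.get("payment_status", "")
    # 3. The payment must have gone to *our* account: a genuine notice for a
    #    payment made to some other account also passes step 1.
    if fields.get("receiver_email", "").lower() != our_receiver.lower():
        return False, "receiver_email mismatch"
    # 4. Amount and currency must match the order we recorded, not whatever
    #    values the buyer's browser submitted in the payment form.
    order = orders.get(fields.get("custom", ""))
    if order is None:
        return False, "unknown order"
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable amount"
    if paid != order["total"] or fields.get("mc_currency") != order["currency"]:
        return False, "amount/currency mismatch"
    # 5. A transaction id marks an order paid once; a replayed notice is rejected.
    txn = fields.get("txn_id", "")
    if not txn or txn in processed_txns:
        return False, "duplicate or missing txn_id"
    processed_txns.add(txn)
    return True, "order %s paid by %s" % (fields["custom"], txn)


def make_fake_processor(genuine_bodies: set) -> PostBack:
    """Stand-in for the processor's validation endpoint (constructed): it answers
    VERIFIED only for bodies it actually sent, INVALID for anything else."""
    prefix = b"cmd=_notify-validate&"

    def post_back(body: bytes) -> str:
        if body.startswith(prefix) and body[len(prefix):] in genuine_bodies:
            return "VERIFIED"
        return "INVALID"
    return post_back


# Constructed demo data.
OUR_RECEIVER = "shop@example.test"
ORDERS = {"1001": {"total": Decimal("49.99"), "currency": "USD"}}
GENUINE = (b"txn_id=TX-DEMO-1&payment_status=Completed&receiver_email=shop%40example.test"
           b"&mc_gross=49.99&mc_currency=USD&custom=1001")
# Genuine notices the processor really sent, which must still be rejected:
OTHER_RECEIVER = GENUINE.replace(b"shop%40", b"other%40").replace(b"TX-DEMO-1", b"TX-DEMO-2")
UNDERPAID = GENUINE.replace(b"mc_gross=49.99", b"mc_gross=5.00").replace(b"TX-DEMO-1", b"TX-DEMO-3")
# A body the processor never sent (amount edited in transit):
FORGED = GENUINE.replace(b"mc_gross=49.99", b"mc_gross=0.01")


def run_demo() -> list:
    """Run the five cases in order: genuine, replay, forged, wrong receiver, underpaid."""
    processor = make_fake_processor({GENUINE, OTHER_RECEIVER, UNDERPAID})
    seen = set()
    results = []
    for body in (GENUINE, GENUINE, FORGED, OTHER_RECEIVER, UNDERPAID):
        results.append(verify_notification(body, processor, our_receiver=OUR_RECEIVER,
                                           orders=ORDERS, processed_txns=seen))
    return results


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

The injected post_back is where a real store would HTTPS-POST the echoed body to the processor's validation endpoint; every other check is independent of that transport, and it is those checks (receiver, amount, status, replay) that a store most often forgets.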
PCI Compliance
• Payment Card Industry Data Security Standard (PCI
DSS) is a set of rules that ALL companies that
process, store, or transmit credit card info have to
follow to maintain security.
• PCI-DSS SAQ A-EP is where you want to be.
That is the theory.
Do
• Have a clear, user-friendly privacy policy
• Make your email lists strictly opt-in
• Use an SSL on EVERY SINGLE PAGE that has a
checkout form, log in form, etc. There are no
exceptions.
Don’t
• Some people obscure their return policy or privacy
policy
• It’s a bad idea to mail people without their
permission or sell or give their info to others.
• One of the worst things you can do is have a credit
card form on a plain HTTP page. Please just don’t.
Privacy Policy
• *Have* a privacy policy. Almost a majority of small business owners don’t have one.
• Use minimal “legalese”, with the user retaining their rights to privacy.
• Ask for as few permissions and as little information as possible. Not only does that improve your chances of getting it, but it limits the info you have to care for.
Mailing Lists
• Mailing lists should be double opt-in, with few
exceptions.
• There are a lot of guidelines to email marketing that you should look into (laws you have to comply with, etc.)
• Use a reputable email service to send out your
emails. You can get a service like MailChimp at a
low cost, and the tools that they have are worth it.
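An added example, not code from the talk or from MailChimp (a service like that handles this for you; this shows what the flow actually checks): the two steps of a double opt-in, with a signed confirmation token so an unconfirmed request stores nothing. The secret, hostname, addresses and timestamps are constructed.

```python
"""Double opt-in for a mailing list: nobody is added until the address itself
confirms.

Added example, not code from the talk or from MailChimp. The confirmation link
carries a signed token instead of a database row, so unconfirmed requests cost
nothing to store. Secret, hostname, addresses and timestamps are constructed.
"""
import hashlib
import hmac
from urllib.parse import urlencode

CONFIRM_MAX_AGE = 3 * 24 * 3600  # seconds a confirmation link stays valid


def make_confirm_token(email: str, secret: bytes, issued_at: int) -> str:
    """Token = issued_at + '.' + HMAC-SHA256(secret, lowercased email | issued_at)."""
    msg = f"{email.lower()}|{issued_at}".encode("utf-8")
    return f"{issued_at}.{hmac.new(secret, msg, hashlib.sha256).hexdigest()}"


def check_confirm_token(email: str, token: str, secret: bytes, now: int,
                        max_age: int = CONFIRM_MAX_AGE) -> bool:
    """True only if the token was minted for this address, is unexpired and unaltered."""
    try:
        issued_at = int(token.split(".", 1)[0])
    except ValueError:
        return False
    if issued_at > now or now - issued_at > max_age:
        return False
    expected = make_confirm_token(email, secret, issued_at)
    # Constant-time comparison: a plain == leaks how many leading bytes match.
    return hmac.compare_digest(expected, token)


class MailingList:
    """Minimal list whose only write path is a confirmed token."""

    def __init__(self, secret: bytes, send_mail, base_url: str = "https://shop.example.test"):
        self.secret = secret
        self.send_mail = send_mail        # callable(to_address, body); constructed hook
        self.base_url = base_url          # constructed hostname
        self.subscribers = set()

    def request_subscription(self, email: str, now: int) -> str:
        """Step 1: mail a confirmation link to the address. Nothing is stored yet, so
        someone typing in another person's address causes one email and no record."""
        token = make_confirm_token(email, self.secret, now)
        link = f"{self.base_url}/confirm?{urlencode({'email': email, 'token': token})}"
        self.send_mail(email, f"Confirm your subscription: {link}")
        return token

    def confirm_subscription(self, email: str, token: str, now: int) -> bool:
        """Step 2: the link was followed; verify, and only then add the address."""
        if not check_confirm_token(email, token, self.secret, now):
            return False
        self.subscribers.add(email.lower())
        return True


if __name__ == "__main__":
    outbox = []
    ml = MailingList(b"constructed-demo-secret", send_mail=lambda to, body: outbox.append((to, body)))
    tok = ml.request_subscription("buyer@example.test", now=1700000000)
    print("stored after request:", ml.subscribers)           # empty set
    print("confirmed:", ml.confirm_subscription("buyer@example.test", tok, now=1700000100))
    print("stored after confirm:", ml.subscribers)
```

The address is lower-cased before signing, so the token survives a mail client changing case in the link, while a token for one address never confirms another.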
Why All This Work?
• Giving the power to your customer to make
decisions based on what information they do and
don’t want you to have is always good for business.
• You want your customers to feel empowered, able
to choose, and know what is happening with their
data.
• Knowledge and transparency = Trust
SSL: The tl;dr
• Purchase and install an SSL certificate
• Update your site URL in WordPress
• Force HTTPS throughout the site
• Resolve any insecure elements on your pages
• Update Google Webmaster Tools and Google
Analytics
Installing an SSL Certificate
• Purchase from your host, and have them install it.
(hands down the easiest way)
• Use https://letsencrypt.org/ (FREE)
• Do it yourself (slightly masochistic, but ¯\_(ツ)_/¯)
Forcing over HTTPS
• Your blog/site URL in WordPress general settings
• Use WordPress Force HTTPS
• .htaccess rewrite rules
Resolving Mixed Content
• Use Better Search Replace (replace all http with
https in the posts and postmeta tables)
• Your theme and/or plugins could also be loading in
assets over a hardcoded http call, but you can fix
those sometimes with child themes, or you might be
better off switching themes/plugins.
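An added example, not code from the talk or from the Better Search Replace plugin: a scanner for the file-side case above, where the http:// URL lives in a theme's or plugin's PHP, CSS or JS rather than in the database. The sample theme, hosts and file names it writes are constructed for the demo.

```python
"""Find hard-coded http:// references in theme and plugin files.

Added example, not code from the talk or from WordPress/WooCommerce. Better
Search Replace fixes URLs stored in the database; this is the file-side
counterpart for the theme/plugin case, where the http:// call is in PHP, CSS
or JS. All file names, hosts and content below are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Subresource references a browser fetches: src=, href= (stylesheets, but also
# plain links, which this deliberately over-reports for review) and CSS url().
# Only the http:// scheme is flagged; https:// and protocol-relative // are
# fine on an HTTPS page.
_ASSET_REF = re.compile(
    r"""(?:\b(?:src|href)\s*=|\burl\s*\()\s*['"]?\s*(http://[^\s'")>]+)""",
    re.IGNORECASE,
)
# Quoted string literals, which is how PHP (wp_enqueue_script etc.) and JS
# usually carry a hard-coded asset URL.
_LITERAL = re.compile(r"""['"](http://[^'"\s]+)['"]""")

SCAN_SUFFIXES = (".php", ".css", ".js", ".html")


def find_mixed_content(text: str) -> list:
    """Return the http:// URLs in one file's text, deduplicated, in order found."""
    seen, found = set(), []
    for pattern in (_ASSET_REF, _LITERAL):
        for url in pattern.findall(text):
            if url not in seen:
                seen.add(url)
                found.append(url)
    return found


def scan_tree(root: Path) -> dict:
    """Map each offending file (relative to root) to the http:// URLs it references."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = find_mixed_content(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def rewrite_to_https(text: str, own_hosts: tuple) -> str:
    """Upgrade http:// to https:// for the store's own hosts only. Third-party URLs
    are left for a human: rewriting one that does not serve HTTPS just turns a
    browser warning into a broken asset."""
    for host in own_hosts:
        text = re.sub(r"http://" + re.escape(host) + r"(?=[/'\")\s]|$)",
                      "https://" + host, text)
    return text


# Constructed demo theme; not a real theme.
SAMPLE_THEME = {
    "functions.php": (
        "<?php\n"
        "wp_enqueue_script('slider', 'http://cdn.example.test/slider.js');\n"
        "wp_enqueue_style('main', 'https://shop.example.test/wp-content/themes/demo/style.css');\n"
    ),
    "header.php": (
        '<img src="http://shop.example.test/wp-content/uploads/logo.png" alt="logo">\n'
        '<a href="https://example.test/">home</a>\n'
    ),
    "style.css": "body { background: url(http://shop.example.test/wp-content/uploads/bg.png); }\n",
    "readme.txt": "See http://example.test/docs\n",  # not a scanned suffix
}


def demo() -> dict:
    """Write the sample theme to a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="theme-"))
    for name, content in SAMPLE_THEME.items():
        (root / name).write_text(content, encoding="utf-8")
    return scan_tree(root)


if __name__ == "__main__":
    for rel, urls in demo().items():
        print(rel)
        for url in urls:
            print("   ", url, "->", rewrite_to_https(url, ("shop.example.test",)))
```

Point scan_tree at wp-content/themes or wp-content/plugins; anything it reports under your own host is safe to rewrite, while a third-party host (the CDN in the sample) needs a check that it serves HTTPS first.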
Security
Probably the Easiest One
• Keep *all the things* updated.
• Themes
• Plugins
• WordPress
General WordPress Security
• Use strong passwords. Seriously, stop using your
cat’s name.
• Change the username from “admin” or easy to
guess ones
• Your database username and password are also at
risk.
• Disable file editing from the WordPress admin by adding this to wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
Security Plugins
• Prevention
• Scans
• Backups
Security Plugins
• Jetpack
• Wordfence
• iThemes Security
• Sucuri
https://jetpack.me/
https://wordpress.org/plugins/wordfence/
https://ithemes.com/security/
https://wordpress.org/plugins/sucuri-scanner/
Hosting
• Your host plays a critical role in your security.
• Never pick a host that starts you out on a PHP
version that is lower than 5.4
• They should have firewalls in place, have correct file
permissions set up, not allow for connections via
plain FTP, etc.
• Shared hosting is cheap, but it’s probably not really
worth the risk.
Use Good Code
• Pick plugins/themes with good support behind them.
• Most times, this means premium code (you have to
pay for it)
Limit External Connections
• Sometimes you use 3rd party solutions for parts of
your store (shipping, tax, inventory, accounting, etc.)
• Even things that don’t relate to your store can
potentially have access.
• Make sure you investigate who has what of your
site’s data, what their security is like, and what their
privacy policy is like.
The #1 tip for people accepting payment online:
Respect your users’ data, and treat it as your own.
@slash1andy
@WooThemes
@Automattic

Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 

Gaining (and Not Betraying) User Trust in WordPress eCommerce

  • 1. Gaining User Trust in eCommerce Andrew Wikel - Automattic @slash1andy
  • 2.
  • 3. About WooCommerce
    • We are the #1 e-commerce plugin for WordPress.
    • We currently power approx. 30% of all online stores.
  • 4. I Like Legos. And Star Wars. And Star Wars Legos.
  • 5.
  • 6. My Background
    • I love WordPress
    • I’ve been working with it since 2008
    • I worked for a non-profit for 7 years before coming to WooThemes, and then Automattic
    • I work in Payment Gateways Support for WooCommerce at Automattic
  • 7. The #1 tip for people accepting payment online: Respect your users’ data, and treat it as your own.
  • 8. – Andrew Wikel “It’s all about trust. Getting your users to trust you, and not betraying that trust by securing their info.”
  • 9. User Trust
    • This is huge. If you don’t have the users’ trust, they won’t give you money.
    • There are many factors, and not all of them are technical.
  • 10. Cart Abandonment
    • Approx. 42% of customers on average never get past the 1st part of checkout.
    • There is a huge barrier in getting customers to checkout.
  • 11. Optimize Checkout Process
    • Tear down the “sign-in” barrier - don’t disconnect your customer from giving you money. Customers can resent being forced to create an account.
    • Provide a progress indicator - just let people know how long the process is, and where they are in it.
    • Match the checkout with your site’s look and feel.
    • Never send your customer outside the checkout process once they are there.
    • Visually reinforce all sensitive fields on the payment page.
  • 12. Smashing Magazine Study
    • There is a clear divergence between the customer’s mental model of form-field security and the actual security.
    • Many test subjects didn’t think about security until they had to enter their credit card details.
    • As one test subject who had just abandoned their purchase said, “It didn’t look safe enough.” Her reaction wasn’t based on the technical security of the website, but rather on the perceived security of the fields.
    • Source: http://www.smashingmagazine.com/2011/04/06/fundamental-guidelines-of-e-commerce-checkout-design/
  • 13. Payment Options
    • I recommend three payment gateways:
      A. Stripe
      B. PayPal
      C. Amazon
  • 14. There are a Lot of Implications
    • Your payment gateway is the place that your customers are trusting to be safe with their info.
    • Not only do you have to trust that they won’t betray *your* trust; your user has to trust them too.
    • Different gateways have varying security methods, some better than others.
  • 15. On-Site Processing
    • One of the methods that I mentioned earlier was Stripe.
    • Stripe is what we call an On-Site gateway. That just means that it stays on your site, rather than sending your customers to another site to checkout.
    • Amazon is also an on-site processor, but a bit different than Stripe.
  • 16. Off-Site Processing
    • The other method that I recommended in the beginning was PayPal - an Off-Site Processor.
    • That just means that your customers are sent to another site to complete payment, and then that site sends your store a notification that payment was complete.
  • 17. PCI Compliance
    • Payment Card Industry Data Security Standard (PCI DSS) is a set of rules that ALL companies that process, store, or transmit credit card info have to follow to maintain security.
    • PCI-DSS SAQ A-EP is where you want to be.
  • 18. That is the theory.
  • 19. Do
    • Have a clear, user-friendly privacy policy.
    • Make your email lists strictly opt-in.
    • Use an SSL on EVERY SINGLE PAGE that has a checkout form, login form, etc. There are no exceptions.
  • 20. Don’t
    • Some people obscure their return policy or privacy policy.
    • It’s a bad idea to mail people without their permission or sell or give their info to others.
    • One of the worst things you can do is have a credit card form on a plain HTTP page. Please just don’t.
  • 21. Privacy Policy
    • *Have* a privacy policy. Close to a majority of small business owners don’t have one.
    • Use minimal “legalese”, with the user retaining their rights to privacy.
    • Ask for as few permissions and as little information as possible. Not only does that improve your chances of getting it, but it limits the info you have to care for.
  • 22. Mailing Lists
    • Mailing lists should be double opt-in, with few exceptions.
    • There are a lot of guidelines to email marketing that you should look into (laws you have to comply with, etc.).
    • Use a reputable email service to send out your emails. You can get a service like MailChimp at a low cost, and the tools that they have are worth it.
  • 23. Why All This Work?
    • Giving the power to your customer to make decisions based on what information they do and don’t want you to have is always good for business.
    • You want your customers to feel empowered, able to choose, and know what is happening with their data.
    • Knowledge and transparency = Trust
  • 24. SSL: The tl;dr
    • Purchase and install an SSL certificate
    • Update your site URL in WordPress
    • Force HTTPS throughout the site
    • Resolve any insecure elements on your pages
    • Update Google Webmaster Tools and Google Analytics
  • 25. Installing an SSL Certificate
    • Purchase from your host, and have them install it. (Hands down the easiest way.)
    • Use https://letsencrypt.org/ (FREE)
    • Do it yourself (slightly masochistic, but ¯_(ツ)_/¯)
  • 26. Forcing over HTTPS
    • Your blog/site URL in WordPress general settings
    • Use WordPress Force HTTPS
    • .htaccess rewrite rules
  • 27. Resolving Mixed Content
    • Use Better Search Replace (replace all http with https in the posts and postmeta tables)
    • Your theme and/or plugins could also be loading in assets over a hardcoded http call, but you can fix those sometimes with child themes, or you might be better off switching themes/plugins.
  • 29. Probably the Easiest One
    • Keep *all the things* updated.
      • Themes
      • Plugins
      • WordPress
  • 30. General WordPress Security
    • Use strong passwords. Seriously, stop using your cat’s name.
    • Change the username from “admin” or other easy-to-guess ones.
    • Your database username and password are also at risk.
    • Disable file editing from the WordPress admin (in wp-config.php): define( 'DISALLOW_FILE_EDIT', true );
  • 32. Security Plugins
    • Jetpack: https://jetpack.me/
    • Wordfence: https://wordpress.org/plugins/wordfence/
    • iThemes Security: https://ithemes.com/security/
    • Sucuri: https://wordpress.org/plugins/sucuri-scanner/
  • 33. Hosting
    • Your host plays a critical role in your security.
    • Never pick a host that starts you out on a PHP version that is lower than 5.4.
    • They should have firewalls in place, have correct file permissions set up, not allow for connections via plain FTP, etc.
    • Shared hosting is cheap, but it’s probably not really worth the risk.
  • 34. Use Good Code
    • Pick plugins/themes with good support behind them.
    • Most times, this means premium code (you have to pay for it).
  • 35. Limit External Connections
    • Sometimes you use 3rd party solutions for parts of your store (shipping, tax, inventory, accounting, etc.).
    • Even things that don’t relate to your store can potentially have access.
    • Make sure you investigate who has what of your site’s data, what their security is like, and what their privacy policy is like.
  • 36. The #1 tip for people accepting payment online: Respect your users’ data, and treat it as your own.
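Slides 19, 20, 26 and 27 make two demands: every page with a checkout or login form is served over HTTPS, and once the site is on HTTPS no asset may still be loaded over plain HTTP (mixed content). The Python script below is an added example, not code from the talk, from WooCommerce or from any plugin named on these slides; it audits one page's HTML for both problems at once. The sample pages, the host names and the list of field names treated as sensitive are constructed for the example.

```python
"""Audit one HTML page for the HTTPS problems called out in the slides:
(1) a form with sensitive fields (password, card number) served on a plain-HTTP
    page or posting to a plain-HTTP action,
(2) mixed content: sub-resources referenced over http:// from an https:// page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed heuristics: a field is "sensitive" if it is a password input or its
# name looks like a card or password field. Extend for your own checkout form names.
SENSITIVE_INPUT_TYPES = {"password"}
SENSITIVE_NAME_HINTS = ("card", "ccnum", "cc-number", "cvc", "cvv", "password", "passwd")

# Tag -> attribute whose value makes the browser fetch a sub-resource.
ASSET_ATTRS = {"script": "src", "img": "src", "iframe": "src", "source": "src",
               "video": "src", "audio": "src", "link": "href"}


class _PageAuditor(HTMLParser):
    """Collects findings while the HTML is parsed; audit_page() is the public entry point."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlparse(page_url).scheme == "https"
        self.findings = []           # list of (kind, detail) tuples
        self._form_action = None     # resolved action URL of the <form> we are inside
        self._form_sensitive = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty action means "post back to this page", so resolve against it.
            self._form_action = urljoin(self.page_url, a.get("action", ""))
            self._form_sensitive = False
        elif tag == "input" and self._form_action is not None:
            itype = a.get("type", "text").lower()
            name = a.get("name", "").lower()
            if itype in SENSITIVE_INPUT_TYPES or any(h in name for h in SENSITIVE_NAME_HINTS):
                self._form_sensitive = True
        elif tag in ASSET_ATTRS:
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                return  # only stylesheet links are fetched while rendering
            url = a.get(ASSET_ATTRS[tag], "")
            if self.page_is_https and url.lower().startswith("http://"):
                self.findings.append(("mixed-content", f"<{tag}> {url}"))

    def handle_endtag(self, tag):
        if tag != "form" or self._form_action is None:
            return
        if self._form_sensitive:
            if not self.page_is_https:
                self.findings.append(("sensitive-form-on-http-page", self.page_url))
            if urlparse(self._form_action).scheme == "http":
                self.findings.append(("sensitive-form-posts-to-http", self._form_action))
        self._form_action = None
        self._form_sensitive = False


def audit_page(page_url, html):
    """Return a list of (kind, detail) findings for one page; an empty list means clean."""
    auditor = _PageAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample pages (example.test hosts, not real stores).
HTTP_CHECKOUT = """<html><body>
<form action="/checkout" method="post">
  <input type="text" name="billing_first_name">
  <input type="text" name="card_number">
  <input type="submit" value="Place order">
</form></body></html>"""

HTTPS_SHOP_WITH_MIXED_CONTENT = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/theme.css">
<script src="http://cdn.example.test/slider.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<img src="https://cdn.example.test/logo.png">
<form action="http://shop.example.test/wp-login.php" method="post">
  <input type="text" name="log"><input type="password" name="pwd">
</form></body></html>"""

if __name__ == "__main__":
    for url, html in (("http://shop.example.test/checkout/", HTTP_CHECKOUT),
                      ("https://shop.example.test/", HTTPS_SHOP_WITH_MIXED_CONTENT)):
        for kind, detail in audit_page(url, html):
            print(f"{url}: {kind}: {detail}")
```

Feed it the HTML of your checkout, account and login pages after forcing HTTPS; an empty list is the goal. It only inspects references in the HTML itself, so a stylesheet that pulls in http:// fonts or background images needs a separate pass over the CSS, which is exactly the hardcoded theme asset case slide 27 warns about.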

Editor’s Notes

  1. This is a team photo from our most recent WooTrip. They told us to act like a ninja, but I was already being Batman, so… I just went with that.
  2. It’s almost an unwritten rule that every tech session has to have at least one lego picture, so here is the required slide.
  3. It’s also a requirement that you include cat pictures, but that’s not really my style, so here is a picture of my Airedale.
  4. So, a lot of you are thinking that I am going to be speaking about building up an e-commerce section of your site, and then go from there, but I’m not. There’s more to this than that. I will be speaking on the specifics a bit more in-depth, but I want to make sure that we are doing this justice.
  5. This chart is from a survey of people on their trust in online commerce. People trust the e-commerce platforms as a whole, but are becoming more tech-savvy and discerning when it comes to where they place their trust.
  6. This number can tie a *lot* of the things that we just mentioned to do or don’t do. People abandon carts based on the payment processor, on the price of shipping, on having to pay sales tax, and on a myriad of other issues. You can’t stop them all, but you can reduce them. Have you ever left an item in your cart on, like, Amazon? Then you got an email, right? There’s a really cool WooCommerce plugin called Follow Up Emails that will mail those people that leave their carts in your store.
  7. There are a lot of ways to do this, but we are going to stick to some really generic tips.
  8. Stripe will handle all your credit card processing, and then PayPal is that alternative payment method that I mentioned earlier. A lot of people love using PayPal, since it’s accepted in a lot of places, they have their details already saved there, and they trust PayPal to keep their info safe. Stripe is a great method for credit card processing, as it’s a really extendable processor, and integrates in most online solutions. It saves their card to Stripe’s servers, which enables charging the user’s card without the user having to input it again. This is great for recurring payments, such as subscriptions or monthly donations. Also, some customers already use Stripe to save their payment methods from other sites, and Stripe can remember them.
  9. Tell the story of the WooCommerce offline payment gateway.
  10. With any kind of on-site processor, you will NEED an SSL certificate. It’s not optional. If you have a WooThemes extension for an on-site processor, then you will actually be required to have that in place before the gateway will function. Amazon just sends the order to and from Amazon, using the forms from Amazon’s site, and then sending your account info back in an iFrame, so the host store never actually gets to see any of the data except what it needs to fulfill the order (addresses, etc.). Stripe is a bit different from a lot of the other payment processors that work on-site. The Stripe extension from WooThemes uses the latest Stripe.js solution, which offers a bit more security in that your customer’s credit card details never touch your server, helping to eliminate your PCI-DSS compliance burden.
  11. These are actually the most secure and easiest to implement in your store, typically. You are offloading all the responsibility for securing the payment process to the actual payment processor. The downside to this is the jump that customers have to make to go through the step of paying on another site, rather than yours. Sometimes this can be an issue with cart abandonment. Sometimes the exact opposite is true, and your customer actually trusts the payment processor more than you. PayPal is a perfect example of this. Most people know of PayPal, and a good percentage of your customers likely have an account already. This can help lower the barrier of purchase for new customers, and also helps lend credibility to your store, borrowing off of PayPal’s credibility with the customer.
  12. PCI DSS Self Assessment Questionnaire A-EP is much less strenuous to go through than other compliance. If you use either of the payment gateways that I mentioned earlier, you qualify for A-EP instead of the strenuous audits, etc. that can come with other gateways that don’t post directly to the processor servers. If you have a credit card breach, you will be fined. That is guaranteed.
  13. Now we are going to move into a bit more technical things. Things to actually do to increase user security and trust.
  14. SSL stands for Secure Sockets Layer. It provides a secure connection between internet browsers and websites, allowing you to transmit private data online. Sites secured with SSL display a padlock in the browser’s address bar, and possibly a green address bar if secured by an EV Certificate. For the SSL, you can have it running on your entire site, and that is a good thing. Make sure that you don’t have any errors about mixed content when your customer goes to checkout.
  15. Tell them the Cliff Original story about no SSL.
  16. Don’t ask for random unnecessary info, like gender, income levels, etc. Our privacy policy, like most everything else in our company, is open source for you to use. The FTC has a lot of resources on Privacy policies and privacy in general. Tell users why you are collecting this information and describe how your business will use the information collected. Specify what information you collect about a user and state what portion, if any, is personally identifiable. Explain your data collection process. For example, let people know if the website sets cookies or maintains weblogs. Also inform people how long you will store the information. If you run third-party ads or services that may collect user data, be sure to mention it in your document and link to the third-party provider’s own privacy policy. Ensure that people can consent to the information collection (e.g. note it on a sign-up form or other collection page) and also ensure they can opt-out without hindering their site experience. Provide contact details right in the document for people who might have a question or concern about your privacy policy. State any applicable laws used to govern your policy (e.g. the Privacy Act).
  17. Double opt-in means that they sign up on your site, and then are emailed another “permission request” that they have to respond to. It’s a much more arduous process to go through to get a subscriber, but your customers will appreciate it, and you will have the knowledge that these people really want to hear from you, and it will reduce the rate at which your emails are not opened, or marked as spam, which hurts you in the long run. Most reputable email services provide what you are going to need to comply with the laws governing mailing, as well as best practices (double opt-in, etc.).
  18. This is by no means a comprehensive guide on SSL certificates or anything like that, but I do want you to understand a bit about them. This will tell you how to force the entire site over HTTPS. I got a lot of this info from the Give guide on this.
  19. Having your host do it for you is the best/easiest way. Let’s Encrypt is a brand new venture that is free and open to use, and is basically a push from a group of companies, including the Linux Foundation, Mozilla, Cisco, and Automattic to get more people encrypting and securing their sites. Doing it yourself: If you want to do this, have fun. Call me when you are done, and tell me how it went.
  20. No talk on keeping your users’ trust would be complete without talking about security. Needless to say, a breach of your site that discloses user info is not good for business. It’s a complicated topic, and there’s no magic silver bullet to take care of all your needs. I’m going to take the next few slides to talk about some easy ways to implement a higher security standard for your site.
  21. There really isn’t a reason not to run the latest and greatest. A lot of hacks happen through old software with patches available that people just don’t update.
  22. Passwords typically are the weakest link in the security chain, since most people use the same stupid ones. Brute forcing attacks can guess many passwords within a few hours of random guessing. Having a unique username and password greatly increases the time needed to crack your credentials via brute forcing. WordPress 4.3 comes with a tool to help with making better passwords, so it might be time to revisit those. Also, password managers can really help with generating secure passwords. It sounds cliche and kind of stupid, but the best password is the password that you can’t remember. If you can remember it, it’s typically way too easy for someone to guess.
  23. There are a few different categories for security add-ons for WordPress. A lot of plugins do some or all of these things. Prevention is what it sounds like; they typically do things like block brute force attempts and lock out the IP addresses that a lot of login attempts come from, help you lock down your settings and things to make sure you are secure, etc. Scans can look for file changes (from malicious bots/people) or actively scan for known malware, etc. Backups are pretty straightforward - they back up your site, and store it either off-site or on your server. I greatly prefer an off-site service to an on-site one, as there is a chance that if you are compromised, your backups could be too.
  24. Jetpack - Brute force protection, site monitoring for downtime, managing updates across multiple sites in one dashboard, and security scans and off-site backups (with a VaultPress subscription; you can try free) Wordfence - Scans your site initially to check for infection, then provides prevention security, login security, firewall, and then scheduled scans, etc. with a premium license. iThemes Security - Provides much of the same as above, with some nice features like Strong Password enforcement; offers paid version Sucuri Scanner - Same types of things as the others, but one stand out feature from them is the CloudProxy Firewall (need a subscription) which offers some cool things like DDOS protection, access control, and then some speed features
  25. If your host is terrible, then you can build a rock solid site on top of a pile of quicksand, and end up sunk. Shared hosting is one of the unsung dangers in eCommerce, as your security is only as good as the worst secured site on that server.
  26. This is fairly broad, and I’m really not going to get a whole lot into this, but use good code. The most important part of this is making sure that the plugins are supported well, and especially have regular updates. If a plugin is not updated regularly, then you run risks with security, as well as compatibility. Premium code means that the authors have a very good reason (money) to provide support/updates, and stay on top of security vulnerabilities, etc. This is not disparaging the many awesome themes and plugins out there that are free, but just make sure that you vet the code.
  27. Your weakest link is the weakest link that has access to the site data. It might be a site management system, or a dropshipper, but they have access to parts of your customers’ info, and as such, need to have their security and privacy policies reviewed. Tell the T-Mobile story: 15 million T-Mobile subscribers had their data breached when Experian was hacked over the last few weeks. They handled credit reviews and checks for T-Mobile. Moral of the story: Be careful who you trust with your users’ data, as ultimately, it comes back on you if anything happens.
  28. Well this is about the end of the presentation. Thanks for joining me.
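Note 17 (and slide 22) describe double opt-in: the sign-up form only puts an address into a pending state, and a confirmation link mailed to that address is what moves it to confirmed. The Python below is an added example, not the talk's code and not how MailChimp or any plugin implements it; it shows one way to make that confirmation link stateless and unforgeable by signing the address and issue time with an HMAC, so that only someone who received the mail can confirm, an altered or forged link is rejected, and a link cannot be replayed after use. The 48-hour expiry, the MailingList class and the sample addresses are assumptions for the example.

```python
"""Double opt-in confirmation tokens: HMAC-signed, time-limited, single use."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_MAX_AGE = 48 * 3600  # assumed policy: confirmation links expire after two days


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, secret: bytes, issued_at: int) -> str:
    """Token placed in the confirmation link. It carries the address and the issue
    time, and a MAC over both, so nothing has to be stored until confirmation."""
    payload = f"{email.lower()}|{issued_at}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{_b64(payload)}.{sig}"


def verify_confirmation_token(token: str, secret: bytes, now: int,
                              max_age: int = TOKEN_MAX_AGE) -> Optional[str]:
    """Return the confirmed address, or None if the token is forged, altered or expired."""
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
        email, issued = payload.decode().rsplit("|", 1)
        issued_at = int(issued)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    if now - issued_at > max_age or issued_at > now:
        return None
    return email


class MailingList:
    """Addresses move from 'pending' to 'confirmed' only through a valid token."""

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or secrets.token_bytes(32)  # keep this out of the web root
        self.pending = set()
        self.confirmed = set()

    def request_subscription(self, email: str, now: Optional[int] = None) -> str:
        """Step 1: the sign-up form was submitted. Returns the token to mail to the address;
        the caller builds the link, e.g. https://shop.example.test/confirm?t=<token>."""
        now = int(time.time()) if now is None else now
        self.pending.add(email.lower())
        return make_confirmation_token(email, self.secret, now)

    def confirm(self, token: str, now: Optional[int] = None) -> bool:
        """Step 2: the address owner followed the link. Only now may you mail them."""
        now = int(time.time()) if now is None else now
        email = verify_confirmation_token(token, self.secret, now)
        if email is None or email not in self.pending:
            return False          # forged, expired, unknown, or already used
        self.pending.discard(email)
        self.confirmed.add(email)
        return True


if __name__ == "__main__":
    ml = MailingList()
    token = ml.request_subscription("reader@example.test")   # constructed address
    print("confirm link would carry:", token)
    print("first confirm:", ml.confirm(token), "second (replay):", ml.confirm(token))
```

Addresses in `pending` that are never confirmed should simply be purged after the expiry window; they never receive anything but the single permission request, which is the behaviour the note asks for.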
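Notes 22 to 24 describe brute-force login attempts and the plugins that lock out IP addresses from which many failed logins arrive. As an added example, not the code of any plugin named in the talk, the Python below runs that detection over a constructed login log: a sliding window counts failures per source address and flags the address the moment it reaches the threshold, recording which usernames it tried. The log format, the threshold of 5 failures and the 300-second window are assumptions for the example.

```python
"""Sliding-window brute-force detection over login log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log lines (not WordPress's own output); the format is an assumption.
SAMPLE_LOG = """\
2015-10-05T12:00:01Z login FAIL user=admin ip=203.0.113.5
2015-10-05T12:00:02Z login FAIL user=admin ip=203.0.113.5
2015-10-05T12:00:04Z login FAIL user=administrator ip=203.0.113.5
2015-10-05T12:00:05Z login FAIL user=shopowner ip=198.51.100.7
2015-10-05T12:00:06Z login FAIL user=admin ip=203.0.113.5
2015-10-05T12:00:07Z login FAIL user=root ip=203.0.113.5
2015-10-05T12:00:09Z login OK user=shopowner ip=198.51.100.7
2015-10-05T12:20:00Z login FAIL user=admin ip=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) login (FAIL|OK) user=(\S+) ip=(\S+)$")


def parse_line(line):
    """Return (timestamp, outcome, username, ip), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)


def detect_brute_force(log_text, threshold=5, window_seconds=300):
    """Flag every source IP that reaches `threshold` failed logins within any span of
    `window_seconds`. Returns {ip: {"locked_at": ..., "failures": n, "usernames": [...]}}."""
    recent = defaultdict(deque)     # ip -> timestamps of failures still inside the window
    usernames = defaultdict(set)    # ip -> usernames tried before the lockout fired
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        if outcome != "FAIL" or ip in flagged:
            continue                # successes do not count; a flagged IP stays flagged
        window = recent[ip]
        window.append(ts)
        usernames[ip].add(user)
        # Drop failures older than the window, measured from this failure.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = {
                "locked_at": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "failures": len(window),
                "usernames": sorted(usernames[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(f"lock out {ip} at {info['locked_at']}: "
              f"{info['failures']} failures, tried {', '.join(info['usernames'])}")
```

In the sample, 203.0.113.5 is flagged at 12:00:07 after cycling through admin, administrator and root, while the shop owner's single typo from 198.51.100.7 is left alone. Two caveats a plugin has to deal with as well: many customers behind one NAT address share an IP, so keep lockouts short and log them rather than blocking silently, and an attacker who spreads attempts across many addresses shows up only if you also count failures per username.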