PlumberSurplus.com Ecommerce and Entrepreneurship Blog

Website Improvements: Test Basic Usability Before Advancing

Posted on August 20, 2008 by Zach

On PlumberSurplus.com we sell an awful lot of Delta Faucets and from time to time we need to gather images or research product data to make sure that our information is correct and up to date.  This means that we occasionally have to resort to using the manufacturer's website, if one is available, and that's where this story begins.

My Database Team Leader was telling me about an issue he was having in using the Delta Faucet Company website and I offered my assistance to see if I might be able to help figure out the problem. While using their search, I ran into the same issue he did, a screen full of gibberish with no search results or useful information in sight.

 



While I was unable to help because it was an issue with the Delta website not processing a search properly, I did try to offer some pointers on perhaps getting around this issue.  Before I could finish explaining that Google product search, or finding products by category, could be an alternative avenue, I noticed a window pop up.  I assumed it was a standard pop-up either asking me to live chat or displaying some kind of promotion, but the title caught my eye: "Help us improve our website!"  After laughing out loud and thinking about the irony of getting this survey on a page that was not working, I realized how important basic website usability like navigation and search are to a website.  This is especially true of large websites with hundreds of thousands of pages. I think that is a key point that all companies with websites, and web-based companies, should understand: there is no reason to improve your website if the core functionality is not working. If I was a real customer and this happened to me I would probably end up completely frustrated and either fill out the survey in anger or simply leave and never come back.

 

 


Internet Retailing Strategies: Niche Marketing v. Vertical Marketing

Posted on August 14, 2008 by Zach

Recently a fellow coworker sent me a blog about multi channel selling which was basically a "pro niche" piece.

"A highly effective strategy in ecommerce is multiple channel selling. This involves having several niche websites targeting different demographics, displaying specific product ranges. This allows you to create completely focused websites with a high sales conversion rate."

While I understand the niche v. mega site argument (and I also may have my mind set on which I like best both from a customer and retailer perspective) I thought this was an interesting article which highlighted all of the great things about niche websites and none of the bad. I know people say they are great because of the niche SEO value, the ability to really hone in on your marketing campaigns and the ability to focus on a particular product niche. And I agree, those are some great reasons to sell via niche websites. However, I see even more reasons to avoid buying or selling via a niche website. Developing niche SEO campaigns and polishing marketing strategies can be done on a large scale, in a similar fashion to that of niche retailers, by focusing on categories and product types.

I would even go so far as to say that I think that SEO, in particular, can go much further for larger sites.  I say this because a larger site can draw more links, have more authority within an industry and create a community built around an entire market instead of a niche. My next step in the conversation or thought process then usually turns to the ability to cross sell, up sell and convert repeat buyers which is much harder and far less effective on a niche website.  Think about it, how much harder would it be to convince a consumer to buy just one more barstool on a website that only sells barstools, as opposed to a website that sells outdoor furniture who can then up sell on the matching tables, chairs, accessories, and more?

The next thing that goes through my mind, or the next thing I would bring up in a conversation regarding niche v. vertical is operating costs.  Depending on the retailer's level of technological prowess, I also like to bring up the level of overhead with operating several websites v. one. Don't let me convince you, though; several retailers are moving away from niche websites. The Gap recently combined their web properties so that shoppers can simply visit the Gap website and shop at all of their stores by means of one shopping cart. There are also several mega sites like Amazon, QVC, etc., which continue to do well. So, while I lean on the anti-niche selling side of the fence, I believe it can be done in a scalable and profitable fashion. However, both as a buyer and seller, I prefer the larger non-niche sites.

This also brings up a nomenclature issue. I would consider "multi-channel selling" to be either selling through different means (i.e. as a physical store, catalog and online) or through different marketing channels such as shopping engines, marketplaces, and search engine marketing. So the verbiage of the article is also confusing in and of itself. I might consider the means through which products are listed and categorized on a site a "selling channel", but I would probably classify niche websites as a "selling strategy" based upon how the business has decided to sell online.

 


The Cutting Room Floor: Affiliate Watch July 08

Posted on July 31, 2008 by Ryan

I thought starting a new regular post discussing what affiliate websites are doing to be profitable and effective, affiliate websites that are downright hilarious, and affiliate websites that fall in between these two ends of the spectrum would be beneficial to our readers. My goal is to point out aspects of publisher websites that are unappealing, and also support those who are doing it right. I don't want anyone to feel ripped on, but I think we can learn from the bad websites just as much as we can learn from the good. Sometimes the sites are funny, like the ones that put pictures of themselves from way back in the day all over the site.  Sometimes there is so much going on with colors, animations that are flashing and making noise, and pop-ups that I wonder if they may cause viewers to have an epileptic seizure.  Still other times I question what the webmaster is thinking, for instance I recently came across an affiliate website that used a 7 year old Drowning Pool song as background music "Let the bodies hit the floor, let the bodies hit the floor" (shudders).  While these examples may be obvious “no no's” to those attempting to create a quality website, there are a few basic rules that I would like to point out this month that may help affiliate marketers make improvements.

 

Site 1: HydroponicsUSA.com - This website does not have a strong affiliation to our products, unless you really want to classify it as "Home and Garden". From what I'm aware, hydroponics are used frequently to grow illegal substances, and whether or not that is all they are used for, the correlation is strong enough to make me question the website before I even see it. Consider the affiliation between your brand and the connotation of hydroponics.  I guess it depends on who your target market is, but for me a red flag goes up. One of the first things that I notice when I look at an affiliate website is the contact information; it provides a sense of validity to the retailer and potential guests.  What I notice about this website is that there is no contact information or about us so that visitors can find out more about the website. This always makes me concerned about the legitimacy of the website.  

[Image: HydroponicsUSA.com]



Site 2: BurberryCoatReview1234.blogspot.com - If your website listed in the program is a blog named BurberryCoatReview with a string of numbers, you are probably spam. I wish there was a way to block affiliates based on their URL, or words within their URL. Spammer affiliates will create hundreds of free blog websites about a particular product or brand in order to try and gain massive exposure to visitors. You'll also notice that such sites will have 1-2 posts that are likely very old. The publisher writes an article or two, then moves on to create another blog website account. If blogger affiliates are signing up for your program, verify their start date and look to see how many posts they have in their history. If there are only a few posts, most of which are older, and there is a good chance that this is the case, the publisher will not likely be a quality affiliate as most blogs fail when they are abandoned by their owner. 

[Image: Burberry Coat Review 1234]


Site 3: CouponCactus.com - This is an example of a wonderful effort by David Fitterman to collect and organize coupons from merchants. With a strong offering of exclusive coupons, Coupon Cactus has over 800 stores and 2,000 coupons to check out. The site provides visitors with the ability to browse by store, category, size of discount, new and expiring, as well as site favorites. Coupon Cactus incentivizes its users to sign up and register to earn cash back to their account, similar to Jellyfish cashback. While there has been much talk about coupon sites and whether or not they should be part of a merchant's affiliate program, I believe with the right approach and management a coupon affiliate site can be a positive addition in an affiliate program, and I think this is a good example of a publisher that is doing it right.

[Image: CouponCactus.com]



Site 4: Homeincomeportal.com/... - If your site is about how to make $$$$ from home in just minutes a day, you will get declined, at least by our affiliate management team. The quality of these sites is generally terrible, packed with false/questionable statements and gimmicky software solutions for sale, such as "traffic magnet" or "banner fiesta". This specific example has dozens of different topics including software ads, recipes, testimonials (with a picture of a man with no shirt on), and ten plus links to products called "Buy this here". The page was so long, I seriously had to scroll for quite a long time to review all the content (if you can even call it that). Such a long page is poor design and ineffective at generating conversions for your program.  This design structure and get rich quick type of marketing is not something I consider to be beneficial to the retailer, or all eCommerce for that matter.

 

[Image: homeincomeportal.com]

 

Let's recap and look at the key takeaways for both publishers and affiliate managers this month:

  1. Don't use animated gifs (especially ones of flames touting "Hot Deals!"), tiled/repeating background images, mouse cursor effects, useless sound effects and background music. 
  2. Don't use free hosting site URLs like tripod, geocities (yes, I still see applicants with these), etc. Spend $7 and purchase a domain; it will be worth it in the long run. 
  3. Provide links for retailers to contact you for recruitment purposes or other reasons. 
  4. Don't get nasty with the affiliate manager. Yes, we have received such distasteful replies to our publisher decline emails as "your loss", "it's your money (aka your company's) that you're losing" or "I don't know what your problem is". Let's act like responsible, grown up, mature professionals. We are trying to do business together to benefit both parties.  
  5. Do include your affiliate ID in email communications, as it helps pull up your account instead of hunting you down by domain. 
  6. Don't use free templates for affiliate sites. I usually get about a dozen applications a week that use some sort of pre-configured template. 
  7. Avoid creating a page full of 468x60 banners that takes several minutes to load even on broadband. No one, I mean no one, will wait for all the banners to load. 
  8. Build a site that the merchant would be proud to link to and be associated with. 

Look for next month's edition with more reviews and tips. 

 


The Secret Society of Amazon Integration (Handshake Required)

Posted on July 24, 2008 by Matt

Like other online retailers, we have a presence on the Amazon Marketplace. Amazon has a great model that allows quality sellers to make their products available to millions of buyers. However, their integration model for Marketplace sellers is kind of like the Beijing Olympics; dirty and dirtier.

We began with a smaller offering of some of our most popular products, and gradually increased the offering (and sales) on Amazon. Recently we were offered the chance to become an Amazon Gold Seller, meaning among other things that we’d offer more products for sale on Amazon. More products listed on Amazon = more sales from Amazon. A good thing, to be sure; however, we were currently manually entering Amazon orders into our site, and this was about to flood our customer service department.

Never fear, IT would come to the rescue (I left the cape at home though). As we had successfully integrated with PayPal and Google Checkout over the past year, I was pretty confident that the Amazon integration would be pretty straightforward. After all, we are talking about the world’s largest online retailer. Why, they probably had a team of monkeys on standby to help with my every need, sample code to do the work for me, and color coded, easy to follow documentation that would point me right where I needed to go. Heck, I may put this one on autopilot and go golfing with my son.

[Image: Golfing]

So I began this integration the same way as always – looking for documentation online. Hmmm… that’s funny, I can’t seem to find what I’m looking for. No, that’s not it. No, I don’t want Amazon Web Services.

After a couple fruitless hours of searching, I finally just emailed our Amazon representative...

Matt: “Hi, can you email me the documentation to integrate with Amazon so we can process orders programmatically” 

Amazon: “Let’s schedule a call with your technical team and we can discuss the options.  We currently don’t have a formal document that describes this process.” 

Say what?!?!? The world’s largest online retailer and Marketplace to thousands of merchants doesn’t have documentation for integrating with them? Turns out no, they don’t. 

Some key paraphrases from that call and subsequent emails:

Matt: “Can you tell me how to access our orders?”

Amazon: “In order to download your orders, you have to use this tool (AMTU) that is open source. We wrote it, but we don’t support it at all. You have to download it from somewhere else”.

Matt: “I see online that you have a sandbox for testing this integration. Can you set me up with access to that?”

Amazon: “We no longer have a test environment. You have to test it live.”

Matt: “How can I push our order ID back into Amazon’s system?”

Amazon: “That option is not supported using flat file or manual fulfillment.” (The method they recommended we use)

 

So the bottom line is that if you are a merchant listing on Amazon, do not expect the level of information in integrating with Amazon that you may have become accustomed to elsewhere.

This story does have a mostly happy ending. In a matter of a couple of days, we were able to integrate with Amazon and import our Amazon orders into our order management solution, relieving a large burden from our awesome customer service team and freeing them up from data input to actually helping our customers.

If you are interested in more information regarding integrating with Amazon, PayPal, or Google Checkout, feel free to comment. I’m here to help!



Blogging Live: Shop.org Merchandising Workshop—Customer Focused Multi-Channel Merchandising

Posted on July 22, 2008 by Vanessa

The presenter for this session was Raul Vazquez, President and CEO of Walmart.com
(Paraphrased)

Raul was one of the most engaging speakers I have seen at a conference.  I wasn't able to post this right away because thanks to California traffic I missed the beginning of the session.  Through some contacts that I was able to make I gathered others' notes and combined them with mine to bring our readers the nuggets of wisdom that Raul was able to impress upon the crowd.

The main focus of Raul's presentation was the 4 things that can be done to improve our websites.  

  • Invest in a Key Performance Indicator 
  • Be true to your brand and what you have promised your public 
  • Be true to your vision 
  • Invest in platforms that will support the brand and the vision

Walmart.com

The walmart.com team consists of 700 people stationed in Brisbane, CA.  Of the 700 employees, 12 are dedicated to merchandising the website's over 100 categories.  The content created for the site is based and centered on site merchandising.  Raul reminds the crowd that “there are no shortcuts”.  The team focuses on improving the site by following a process similar to that of the scientific method.  The process is: Hypothesis, test, measure, optimize and repeat.  This is important because Raul states that continuous improvements will yield results that are not always immediate.

Invest in a Key Performance Indicator

According to Raul and his experience the people that seem to get the most accomplished with the best results get their KPI/KPM score card every day.  KPM refers to dashboards designed to track Key Performance Metrics.  Raul reminds the crowd that when looking at this data it is important to look at it from three different perspectives: Absolute values, relative values, and trends.  He shares that walmart.com tracks a few key metrics: 

  • Revenue 
  • CTR 
  • Conversion 
  • Revenue/Page views

Under his direction and the direction of the merchandising team leader Mike Simas, he believes that his team is efficient, but admits that they can't do all of the things they want to do; they have to be selective.  He notes that in order to eliminate noise that can skew the KPI data it's important to look at the comps separately.  Some of the comps that walmart.com looks at are: Sales comps, traffic comps, and conversion comps.

Be True to Your Brand and What You have Promised Your Public 

This will be different by retailer; for walmart.com it is “Save money. Live better”.  He uses an example of how they pay attention to this by their use of “from pricing”.  They have to be careful not to violate the trust of the customer, which can happen when using this tactic; it is referred to as bait and switch.  He reiterates this point by giving the example “we don't show a picture of a Rolex and say priced from $119.00, then send the customer to the Seiko section when they click on the ad”.  They also try to bring the store experience online.  They replicate best practices seen in the store like showing more product features, multiple images, plus price and content.  He admits that they are tinkering with going back to single images for certain products, but he believes that if you can show an image that highlights the product features, or the product in use, it makes the online experience more like that of the store.

Be True to your Vision 

Like the brand promise this will be different for retailers.  For them it is “to be the most visited and valued online retail site”.  He admits that this isn't easy to measure, because value itself is defined by the customer's use of the website features or frequency of returns.  He also reveals that this plays into his recurring fear of not being able to measure.  He adds that he likes the quote “In God we trust.  Everyone else bring data”.  

Invest in Platforms that will Support the Brand and the Vision 

A key component of this is the ability to “highlight the best and make it easy to find the rest”.  He explains this by describing the “long tail” side.  The products with the highest velocity and mass appeal fall at the head of the curve, with their assortment at the tail end of the curve.  Some of the things that they are currently working on and planning on implementing in the near future support this claim.  They are rolling out a digital asset management system that is linked with in-store assets, in order to guide the customer throughout the decision “tree”, what we call the buying cycle.  This will also help with access to the “rest” and improve additional browse and search capabilities.  Next they will be investing in a more personalized shopping experience, but he doesn't jump on every new technology, as he is apprehensive about being able to operationalize the technology.  One of the barriers they have seen to adding this technology and others is the limited number of team members.  This is true of MVT testing for this team: they found that it turned out to be too complex to utilize en masse with their over 2-3 million visits per day, hence it has been dumped for A/B testing.  To support the brand promise and vision they invest in rich content, which ensures information needed for purchases, ratings, reviews, and product availability for both online and in-store purchases.  One of the key values they believe needs to be featured on the product detail page is the value to the customer; for them it is the price in big red letters.  In order to be the most valuable and visited store, assortment is essential; this is where “Highlight the best.  Make it easy to find the rest” comes in, and he adds, “if easy to find it will be easy to buy”.

Visual Examples 

Raul showed the audience screen shots of the site to further illustrate the points he has made throughout the presentation.  They use a POV approach; this is what they call the largest product placement on the screen, or the point of view.  The “site to store” function is featured across the site, not only highlighting ease to the customer but the ability to have products shipped for free.  He values consistency in navigation from page to page but explains that it is important to separate attributes by category.  Some interesting attributes that they use by category are: Shop by age for toys, shop by attributes for electronics, shop by ratings, and shop using the television product advisor.  Features like comparison shopping for customers, the top 50 in any category are highlighted and promoted, and savings all play a part in the walmart.com shopping experience.  In addition to the up and coming improvements they plan to improve checkout, localize, personalize, and create an in-store experience that is equaled online. 

 


Blogging Live: Shop.org Merchandising Workshop-- Opening Up eCommerce: Innovations in Customer-Focused Merchandising

Posted on July 16, 2008 by Vanessa

The presenters for this session were Laura Evans, Executive Director of Retail, Resource Interactive and Steve Kahn, Vice President Internet Marketing, DSW (Paraphrased)

Laura Evans of Resource Interactive spoke first.  She explained that she would be taking us through some of the innovations that retailers have had to make over the last year to improve their eCommerce experience.  They recently did just such a thing with DSW.com.  In launching the new DSW website the two companies partnered to make this site more engaging to customers.

Some of the key features they wanted to use in building the DSW website were:

  • New and successful merchandising trends
  • Solution selling
  • An engaging product story
  • Customer generated assortments
  • mCommerce capabilities for on demand selection


Solution selling is all about providing results to a consumer in whatever fashion they may be looking for it. This can be done in many ways, one of which is grouping complementary products so a complete solution is created for the customer.  Use lifestyle photos to convey the usage or the category of the product.  Give detailed product descriptions and, when appropriate, take the information from the product package and use it in the description.  An engaging product story refers to bringing a product to life; this can be done with 3-D images and videos.  She gives an example of how RalphLauren.com does a good job of utilizing videos throughout categories, and the videos are used to inspire the customer and educate them.  She adds that we should merchandise by product attributes so that customers have multiple ways of finding the products they are searching for.  She then challenges us to think about how customers shop when they go into a store; she adds, "they don't see a list of products when they walk in, they see products and merchandised entries."  She explains that we should be giving customers the option of finding their products through visual wayfinding and not just words.  Customer generated assortments are ways in which the customer can become the merchandiser and product advisor.  She gives examples like kaboodle.com, which allows "self proclaimed product connoisseurs" to choose a few product options and then ask the community which product they should purchase.  She also features PolyVore.com, which allows consumers to pull together their own outfits.  They wanted all of these things to be present in the DSW.com website, and she is going to let Steve Kahn take over to explain what they did.

The DSW Story

DSW had very little (in fact Steve said no) direct business.  They found that 70% of sales came from their customers already in their loyalty program.  They took the information and presented it to the board so they could get funding for a website.  The board agreed to meet but they wanted to know what DSW thought they could do better than current online shoe retailers.  They decided that because of their ability to listen to current and non-current customers, their ability to focus and utilize their current members, their brand, their business partners and their industry expertise they could do a few things better than other current online shoe retailers.  They came up with 7 different things they could do better and mapped it out to the board, but he focused on 3 during the session.  They also presented their aptitude for understanding their current business, competitive analysis and potential vendors.  The last piece before presenting to the board was the detailed financial plan.  The three items they decided they could do better and focus on were:

  • Presentation
  • Channel Integration
  • Loyalty


These differentiators are key components to the new website.  Presentation and immaculate images are found on every product detail page (in fact I think I heard the crowd aaahhhhhed when he did a demonstration of the images on their product detail pages, they really were fantastic).  Channel Integration deals with their ability to partner with vendors, warehouse, and use current relationships to add the online channel.  Loyalty comes with the program that they already have in place with members.

Two Caveats to this Presentation

  1. He gave everyone in the audience a coupon code to save on a purchase on the website or in store (very cool).
  2. I was brazen enough to ask him about the Zappos lawsuit at the cocktail party and he was kind enough to answer openly and honestly, but asked for the respect in not blogging about his response so that is all I am going to say!


Google Docs Takes My Docs Hostage: A Lesson on Dependency

Posted on July 9, 2008 by Tim

I’m a huge fan of web applications.  Moreover, I’m a huge fan of Google’s web applications.  The less dependent we are on applications tethered to computers, operating systems, licenses, and updates, the better.   The more we can share, network and collaborate, the better.  And of course, the free-er, the better.

At the Gordian Project, we’ve been taking interesting steps recently in an effort to capitalize on the value associated with web applications, especially Google’s web applications.  One product that we continue to integrate more and more into our environment is Google Docs and Spreadsheets.  Google Docs and Spreadsheets is a great web based application for small and medium sized business.

Google Docs is Great, Great, Great

The features and functionality of Google Docs are great: Create new documents, upload existing documents, familiar desktop feel, easy editing, sharing tools, choose who can edit or view files, everyone sees the most updated version of your file, a record of who added and deleted what and when, all you need is a web browser, secure online storage, save a copy to your computer to work on documents offline or distribute them as attachments, invite people to your documents, make changes together at the same time, sharing tools are integrated with your Gmail contact list, and, last but not least, the Coup de grâce… it’s free!

Great, great, great.  Google Docs is great.

This assumes, of course, that Google Docs is up, working and isn’t holding my documents hostage.

If I can’t access Google Docs, then I can’t receive any of those great benefits.  Even worse, if I can’t get to any of the documents I’ve already created in Google Docs, then I can’t get any value out of those documents, until they release the hostages.  Although Google gives me the ability to save my documents offline, saving my documents offline as a defense to Google going down defeats most of the reasons one would use Google Docs in the first place.

Um, Google Docs is Down, No Longer Great 

Yesterday, Google Docs & Spreadsheets appeared to be down.  I needed to work on a document that I created in Google Docs and that my team was collaborating on.  I went to the Google Apps Start Page and clicked Google Docs & Spreadsheets under the Google Apps Links section. 

Here is a screenshot of the error I received:
 

 

[Screenshot: Google Docs Error]

 

Then, I went to the Google Docs home page, to try my luck there.

Here is a screenshot of the next error I received.

 

[Screenshot: Google Personalized Start Page Error]

Hmmm.  That’s not good.  Now I can’t work on the project I started in Google Docs.  Neither can my team.  We don’t have the document saved on anyone’s system, since, again, that would defeat the purpose of using Google Docs in the first place.  Now that I’m stuck, frustrated, and wondering when Docs will be back up, I’m wishing I hadn’t used Google Docs at all for this project.

Now what? 

I know!  I’ll blog about the negative consequences associated with becoming dependent on free web applications supported by third party vendors.  Oh crap.  I usually write blogs in Google Docs so that I can receive all the benefits enumerated above.  Now I have to use Microsoft Word.  No collaboration!  No sharing!  No web browser access!  No secure online storage!  Well, at least Word isn’t down. 

A Dependency on Web Applications and the Cost Benefit Analysis

So what’s the lesson here?  Earlier, I ranted and raved about web applications by implying that the less dependent we are on non web based applications, the better.  However, today’s circumstances exemplified the other side of the coin.  The more dependent you become on third parties and web based applications, the more opportunity for failure you introduce, such as having documents taken hostage.  The more critical the area is that you outsource, the more painful the consequences are when they arise.  The free-er the product, the less support you’ll receive at all, let alone in an emergency.

 

  • What if your business utilizes Google Apps for email and Gmail goes down?
  • What if your eCommerce site uses Google Checkout as its payment method and Checkout goes down?
  • What if your Search Engine Marketing ROI is calculated based on data pulled from Google Analytics and Analytics goes down?
  • What if your videos are hosted on YouTube and YouTube goes down?

 

As sophisticated businesses continue to charge down the path of web applications, Software-as-a-service, cloud computing, outsourcing almost all features and functionality to third party vendors, and free everything (sans AdWords), we must understand the consequences associated with our decisions every step of the way.  The Google Docs web application has a plethora of benefits that are absent from Microsoft Word.  For those reasons, I use Docs every chance I get.  However, the costs associated with the worst case scenario, when and if that scenario plays out, are high, very high (think disappearing documents, not just temporarily inaccessible).  As businesses charging forward, and making strategic decisions associated with the web and the future of our companies, a cost benefit analysis is critical every step of the way.  Every decision that introduces a benefit while introducing a dependency must be made with that dichotomy in mind: buy v. build, outsource v. inhouse, web application v. stand alone, SaaS v. hosted.  Google Docs isn't really free; its costs are just difficult, if not impossible, to quantify.  However, if you understand that this cost exists, you know that the cost benefit analysis equation isn't one sided, which means you're headed toward a good decision.

Hey, Google Docs is back up!  Web App Hostage Negotiators = 1, Google Docs = 0…

Now, I’m going to import this blog post to Google Docs, so that I can share it with a colleague, who can collaborate online using only a Web browser, edit it quickly at the same time, and make sure it’s stored securely online!!!  Hmmm, I’m having Déjà vu.

To give you an idea of where I currently am on the cost benefit analysis, I’m not going to back up the original before I import.  Let’s see if I regret my decision…
 


Updated PCI Data Security Standards (DSS) Requirements

Posted on July 1, 2008 by Josh

Effective June 30, 2008, the PCI Security Standards Council (SSC) has mandated that merchants must comply with Requirement 6.6. You know the one. It's the final requirement listed in Requirement 6: Develop and Maintain Secure Systems and Applications. It says:

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

  • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  • Installing an application layer firewall in front of web-facing applications.
    • Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.

Changes in eCommerce 

What does this mean for us in eCommerce? Well, it means that you have a decision to make about how to secure your web-facing applications. Do you perform a manual code review or install an application layer firewall? How about both? Both are considered best practices for eCommerce security at this point and the PCI DSS standard will only grow to become more stringent, more specific, and likely extend beyond minimal security standards. So you may as well start now. There are four options for application code review, as outlined by the PCI SSC:

  • Manual review of application source code
  • Proper use of automated source code analyzer (scanning) tools
  • Manual web application security vulnerability assessments
  • Proper use of automated web application security vulnerability assessment (scanning)

If you don't have control over your source, make sure you're working with software packages/vendors that meet the new requirements.

 

Increased Vulnerability 

That's not all! I also received an email from McAfee, our Approved Scanning Vendor (ASV), letting us know that also effective June 30, 2008, the PCI SSC is requiring ASVs to change from version 1 to version 2 of the Common Vulnerability Scoring System (CVSS). What does the change mean for you? Well, it changes the way certain vulnerabilities are scored. Consequently, some low priority vulnerabilities from version 1 will now be scored as higher risk vulnerabilities and could cause a failing PCI network scan score, resulting in non-compliance until you can fix the issue. They pointed out that the top 5 vulnerabilities, statistically, are as follows:

  • SSL Protocol Version 2 Detection -- Don't use SSLv2.
  • Weak Supported SSL Ciphers Suites -- Don't use ciphers < 128bit encryption.
  • Default Microsoft IIS Files and/or Frontpage Extensions Found -- Don't.
  • OpenSSL Multiple Vulnerabilities < 0.9.8d -- Don't use OpenSSL below 0.9.8d; it's got a number of serious vulnerabilities.
  • OpenSSL PKCS Padding RSA Signature Forgery Vulnerability -- Could allow an attacker to forge an RSA signature and pose as a trusted party.

You should work directly with your ASV if a vulnerability risk is uncovered. 
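Before the next scan, the first, second and fourth findings in the list above can be checked against your own inventory. The sketch below is an added example, not code from McAfee or the PCI SSC; the host records, field names and function names are assumptions made up for illustration.

```python
import re

MIN_OPENSSL = "0.9.8d"    # floor named in the list above
MIN_CIPHER_BITS = 128     # floor named in the list above

def openssl_key(version):
    """Turn '0.9.8d' into a sortable tuple.

    OpenSSL 0.9.x patch letters order as '' < 'a' < ... < 'z' < 'za',
    so suffix length is compared before the suffix itself.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognized OpenSSL version: %r" % version)
    major, minor, fix, patch = m.groups()
    return (int(major), int(minor), int(fix), len(patch), patch)

def audit_host(host):
    """Return a list of findings for one host record (hypothetical format)."""
    findings = []
    if "SSLv2" in host.get("protocols", []):
        findings.append("SSLv2 enabled")
    for name, bits in host.get("ciphers", []):
        if bits < MIN_CIPHER_BITS:
            findings.append("weak cipher %s (%d-bit)" % (name, bits))
    m = re.search(r"OpenSSL/(\d+\.\d+\.\d+[a-z]*)", host.get("server_banner", ""))
    if m is None:
        # No banner is not a pass: the version still has to be confirmed.
        findings.append("OpenSSL version not advertised; verify manually")
    elif openssl_key(m.group(1)) < openssl_key(MIN_OPENSSL):
        findings.append("OpenSSL %s is below %s" % (m.group(1), MIN_OPENSSL))
    return findings

# Constructed sample records, as a config review or scan export might list them.
LEGACY_HOST = {
    "protocols": ["SSLv2", "SSLv3", "TLSv1"],
    "ciphers": [("AES128-SHA", 128), ("EXP-RC4-MD5", 40), ("DES-CBC-SHA", 56)],
    "server_banner": "Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8b",
}
HARDENED_HOST = {
    "protocols": ["SSLv3", "TLSv1"],
    "ciphers": [("AES128-SHA", 128), ("AES256-SHA", 256)],
    "server_banner": "Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8g",
}

if __name__ == "__main__":
    for label, host in (("legacy", LEGACY_HOST), ("hardened", HARDENED_HOST)):
        print(label, audit_host(host) or "no findings")
```

Banner versions are only a hint: distributions often backport fixes without changing the version string, so confirm a version finding against the package changelog before treating it as real.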

 

PCI Keeps us on our Toes 

Don't get comfortable once you've knocked these new requirements out. By October 2008, the PCI SSC will have released/required version 1.2 of the PCI DSS. The same 12 core requirements will apply. Supposedly, however, the newer version will "enhance the clarity of its technical requirements, offer improved flexibility..." (Thank God).

One last note: The PCI SSC website is www.pcisecuritystandards.org. Does anyone else think it's funny that when you visit http://pcisecuritystandards.org/ (sans "www"), that you get a security error? It's such an easy fix...
 
http://pcisecuritystandards.org/ security error


 


Amazon.com Website Goes Down: Mega Retailer Arguably Loses $2,276,866.80 in Revenue

Posted on June 6, 2008 by Tim

Last night (late last night) we temporarily (very temporarily) took our eCommerce properties down for maintenance. The downtime lasted about two minutes. Since not being down is, obviously, absolutely necessary for a pure play Internet retailer to function at all, staying up is of the utmost importance to success.  In order to gain some perspective as to the cost associated with downtime, this morning we performed an exercise to calculate how much revenue we lose a minute while we're down.  Although that number makes me sick to think about, we had no idea what we were in for today, or how timely our exercise really was.

Amazon.com Goes Down

This morning, while I was researching our competition on Amazon, I was shocked to see that none of the links were working.  I tried best sellers, a different category and then finally the homepage.  It was such a surprise to me that Amazon was down that my first instinct was to think that it was my connection, my computer, or something I typed wrong in the url.  So I asked a colleague to try to connect to Amazon.  Unexpectedly it wasn't me, my connection, or my computer, it really was that Amazon was down.  I can't yet tell how long they went down, however this article was published at 11:02 AM Pacific Standard Time and our team saw that they were back up by 12:11 PM Pacific Standard Time, so maybe an hour or so. 

Om reports that it was two hours:

"A word from Amazon’s spokesperson: 

The Amazon retail site was down for approximately 2 hours earlier today (beginning around 10:25) - and we’re bringing the site back up.

Amazon’s systems are very complex and on rare occasions, despite our best efforts, they may experience problems. We work to minimize any disruption and to get the site back as quickly as possible.

Amazon’s web services were not affected nor were our international sites."

An Unfriendly Error Message

Currently I get a Http/1.1 Service Unavailable which is a fairly generic and unhelpful error when visiting one of the largest ecommerce properties on the Internet. It seems that nothing is being done to update users of the issue or note when the site will be back up. Even though we have two Amazon accounts we sell through, no e-mails or contact has been made mentioning the outages.

Here is a screen shot of the error page.


Amazon downtime screen shot

 


We wanted to make sure the issue was not location based or an issue on our end so we tested Amazon utilizing a proxy service.  Here is a screen shot of the error page through the proxy service.

 

Amazon Proxy shot


Every Minute Amazon Loses $37,947.78 

Since its infancy, Amazon.com has had its share of tough times: the weathering of the dot-com-bomb, perpetual uber lean margins, massive growing competition, an ever growing infrastructure, and now a softening economy.  In order to survive, Amazon has been forced to innovate in a myriad of ways.  Everything from longstanding and aggressive free shipping promotions to the Amazon Seller Central Marketplace to Amazon Web Services have helped the retailing giant push forward.  Interestingly, recent metrics have hinted that the mega retailer has swung the pendulum.  Amazon's first quarter results were stronger than expected, thanks in part to strong sales in electronics and general merchandise.  Moreover, Amazon issued a forecast for the current quarter and year that indicates a stronger outlook than Wall Street's current estimates.  During the first quarter, revenues increased 37 percent to $4.13 billion, versus the same period last year.

Jeff Bezos, Amazon.com's CEO, stated that "Our sales growth this quarter was driven by low prices and millions of in-stock items available for immediate shipment."  He added "We're grateful to our customers."

I wonder if what Bezos really meant to say was, "Our sales growth this quarter was driven by NOT BEING DOWN.  We're grateful that we AREN'T DOWN."

Let's do some rough math to see what Amazon.com might be losing during every minute of downtime.  Amazon expects to generate between $19.1 billion and $20 billion in revenue this year.  Wall Street's projections are on the lower end of that spectrum, at $19.3 billion.  Let's go the optimistic route and say that Bezos will figure out how to reach $20 billion.

($20,000,000,000 projected annual revenue / 366 days in a leap year) / 1,440 minutes in a day = $37,947.7838 Amazon loses every minute of down time

My stomach just fell out of my stomach.

Now, of course, this math is a bit dirty.  They might not reach their projected revenue high.  They obviously sell more during certain times of the day, week, month, and year.  They generate a significant portion of their revenue during the run up to the holidays.  Their international sites may not have been affected.  They generate revenue via other channels, such as Amazon Web Services, that might not have gone down.  Many, many unknown variables could affect this math.  However, we do know this, the number is big.

Let's see how much they lost, assuming they were down for only one hour (Om's post indicates two hours) using the math above.

$37,947.78 Amazon loses every minute of down time x 60 minutes in an hour = $2,276,866.80 lost due to this morning's downtime

Holy freaking crap!  My stomach already fell out.  Nothing is left to fall out.

Let's say it was only half of that.  It's still seven figures.  Wow.  In the words of Tommy Boy, "[Tommy running into a glass wall] Ow, That's gonna leave a mark."

I don't know what takes Amazon.com down for an hour, but I hope it was something big and something new.  I think our downtimes are inexcusable and our revenue per minute pales in comparison to Amazon's.  Around the Gordian Project we're always talking about scalability.  One of the issues we think about as it pertains to scaling is, if we find a hole, a bleeder, an inefficiency, and we don't plug, bandage, or efficient-ize it, and then we grow, how does that issue or problem scale with the company.  If the hole grows at least linearly with the growth of the company, then we could be in trouble, depending on the size of the issue, relative to the size of the company.

For whatever reason Amazon.com went down today, I wonder if they went down for the same reason when they were just a "tributary".  If so, maybe back then, when the company was smaller, the dollars lost didn't seem so extraordinary, and as such, the issue was one that didn't make the top of the "plug, bandage, or efficient-ize" list.  Now that the company has grown up, the issue's relative size, although maybe not bigger as a percentage of the size of the company, means that the dollars lost have much more of an impact.

Maybe Wall Street's more conservative revenue estimates had issues like this built into them.

As Goes Amazon, So Goes Ecommerce... 

Retailers can and do use Amazon's marketplace as their sole internet sales channel or as an additional sales channel to their own website. Amazon's brand and traffic drive sales for the less known retailers and in return Amazon takes a commission of the sale.  Obviously sales were not coming in like they normally do via our Amazon marketplaces.  I would hate to think what we would do if Amazon was our one and only way of selling products on the internet.  Not only did this issue cause Amazon to lose money but it also caused tons of other retailers to lose money, including us.

Alas, the company, "remains the leader among e-tailers" according to the American Customer Satisfaction Index's fourth-quarter 2007 survey.  This shouldn't surprise anyone considering the numbers referenced above.  I guess the bigger they are, the harder they fall.  Not that we would mind having the problem of generating $37,947.78 per minute...

 


Google's 404 Error Page: Not Good, Not Effective, and Not Google Friendly (According to Google's Guidelines)

Posted on June 3, 2008 by Tim

Sometimes Google creates guidelines for webmasters that Google doesn't follow itself.  Let me elaborate.  Last night, I went to Google Docs and was pleasantly surprised with a 404 error.  It was only pleasant because it's nice to know that even Google can't always satisfy Google standards, so I'm in good company.

For our non-nerds, in general, a 404 error is what users receive when they attempt to access a non existent page on a website.  This can happen for several reasons: the user may have incorrectly typed a URL, the page may no longer exist because it has been deleted, the page may have been moved to another location, the page may have been renamed, the link they followed may be broken or outdated, or a URL redirect, such as a 301 or 302, may have problems.

Google's 404 Error Page

I triggered the error by typing in the URL www.google.com/docs which redirected to http://docs.google.com/.  By the way, don't worry mankind, one browser refresh led me to a working Google Docs home page.  Earth's productivity as we know it will have to halt another day.

Here is a screen shot of Google's 404 error, as presented to me:




Now, although I was surprised to have seen a 404 error from Google at all, this isn't what really surprised me.  Even Google's army of data centers can't get it right all of the time.  Also, I don't know of any uptime guarantees that come with Google Docs or any of Google's free services for that matter.  Some of Google's paid products or services do offer uptime guarantees, such as Google Apps Premier Edition, which includes a 99.9% uptime guarantee for Gmail.

What really surprised me, what really "pleasantly" surprised me, was the 404 error's presentation.

The text on the error page was extraordinarily simple, stating "Not Found Error 404".  The text was black on a white background.  Similarly, the title tag read "Not Found".  Also, the Google Docs favicon appeared in the Firefox browser tab.

However, Google's 404 page was not customized to provide help to Google's users.  Now, a non helpful 404 page is no epiphany.  Plenty of sites have 404 error pages as unwelcoming and unhelpful as Google's and plenty of great, free custom 404 error page recommendations are out there just waiting to be implemented.

Based on Google's definition of a "good custom 404 page", Google does not have a good custom 404 page

The irony in this example is that Google Webmaster Help Center provides Guidelines for creating useful custom 404 pages which recommends that webmasters create a custom 404 page.  The guidelines state "If you have access to your server, we recommend that you create a custom 404 page. A good custom 404 page will help people find the information they're looking for, as well as providing other helpful content and encouraging them to explore your site further."
Google's 404 page didn't do any of these things.  It didn't help people find the information they were looking for (Google Docs), was not customized to provide other helpful content (no other content was provided) and did not encourage them to explore their site further (no exploration opportunities existed).

So, based on Google's definition of a "good custom 404 page", Google does not have a good custom 404 page.

Based on Google's definition of an "effective 404 page", Google does not have an effective 404 page

Google's guidelines go on to describe how to create an "effective 404 page".  The guidelines state:

"Because a 404 page can also be a standard HTML page, you can customize it any way you want. Here are some suggestions for creating an effective 404 page that can help keep visitors on your site and help them find the information they're looking for:"

Then, the guidelines provide a bulleted list of suggestions.  Let's see how well Google does, in implementing their suggestions:

  • Tell visitors clearly that the page they're looking for can't be found. Use language that is friendly and inviting.

Well, although the text doesn't say "what" isn't found, the page certainly presents the text "Not Found" loud and clear.  Obviously, the text "Not Found Error 404" is neither friendly nor inviting.

  • Make sure your 404 page uses the same look and feel (including navigation) as the rest of your site.

Google's 404 page doesn't use any look and feel, or navigation, let alone a look and feel that is the same as the rest of Google.

  • Consider adding links to your most popular articles or posts, as well as a link to your site's home page.

Google's 404 page doesn't contain any links to anywhere.

  • Think about providing a way for users to report a broken link.

Google's 404 page doesn't provide a way for users to report anything.

  • No matter how beautiful and useful your custom 404 page, you probably don't want it to appear in Google search results. In order to prevent 404 pages from being indexed by Google and other search engines, make sure that your webserver returns an actual 404 HTTP status code when a missing page is requested."

I didn't check the HTTP status code on Google's 404 page to see if Google's webserver returned an actual 404 or not.  Currently, it doesn't look like the 404 page appears in Google search results.

So, based on Google's definition of an "effective 404 page", Google does not have an effective 404 page.

Is Google a Google-friendly site?

What's really funny is that Google's "Guidelines for creating useful custom 404 pages" are found under Google's "Creating a Google-friendly site", which naturally begs the (very long) question:

If Google does not have a "good custom 404" page based on Google's definition of a good custom 404 page, and if Google does not have an "effective 404 page" based on Google's definition of an effective 404 page, which means that Google does not have a "useful custom 404 page" based on Google's "Guidelines for creating useful custom 404 pages", and these guidelines are an element of "Creating a Google-friendly site" then...

Is Google a Google-friendly site?

 
