PlumberSurplus.com Ecommerce and Entrepreneurship Blog

Challenges of an Internet Retailer’s VOIP Implementation, Part 2

Posted on March 31, 2009 by Josh

Alright, if you haven't read Challenges of an Internet Retailer’s VOIP Implementation Part 1, please read it first. I think you'll find that the differences between Part 1 and Part 2 of the posts are pretty staggering.

We've finally made the transition from our digital-to-analog-to-digital lines over to full digital. To be clearer, we had eight phone lines coming into an AdTran over T1 that were converted from digital to analog. We then took each line and converted it back to digital using an Audiocodes MP-118 analog gateway. The tweaking required to make it work well was intense and not a project I ever want to repeat. In place of our analog lines, we've added a PRI line with 23 channels (plus one D channel), greatly expanding the number of lines available and drastically improving quality. Surprisingly, this change only increased our monthly bill by a few dollars.

We are still using a trixbox solution and I did a fair amount of research, mostly on the trixbox forums, to determine what PRI card would be best/easiest/least expensive to install and configure. In the end, I decided on the Sangoma A101DE. The reason I went with Sangoma, and not the perhaps more natural selection of a Digium card, was the widespread vocal support in the VoIP community. Not only did users swear by Sangoma products, but the vendor's presence in the community was also readily apparent, so I knew I would be able to get help when I ran into a snag (which we all knew was going to happen). I used the same VoIP vendor that I had used in the past, as I knew I could depend on them to get me the A101DE I needed.

Since my last phone system post, I have also found a Grandstream GXP-2000 firmware that seems to work well, but we have transitioned most of our call center users over to softphones. While I was waiting for the Sangoma card to arrive, a friend of mine who works for a large multinational corporation dropped off a huge box of Polycom phones. Apparently, his company has a very liberal "dead phone" policy and all of these were going to be junked. Picture this: a user says, "Hey IT! My phone doesn't work!" IT provisions a new phone, brings it to the user, and puts the old phone in the trash pile. He brought me the trash pile. More on this in a minute...

So, I received the Sangoma card within a few days of the order and proceeded to replace the production system with a temp system. I swapped out the systems and proceeded to install the card on the production system. Sangoma had recently posted a very simple installation walkthrough on the trixbox forums, so I just followed the instructions found there. Piece of cake, right? Maybe not. At the same time, I was also coordinating with our T1 vendor on the PRI installation. Keep in mind, I have never been involved in a PRI build-out or a trixbox system that consumes a PRI. I was flying in the dark, other than community documentation. I had already read a considerable amount about users who had installed this card on similar systems. I spent a fair amount of my time learning to match settings between the Sangoma setup and the PRI. The majority of the rest of my time was spent building out a scalable queuing solution that would support multiple customer service queues for separate ecommerce websites, business queuing for various business functions, and individual user assignments to queues and DIDs (Direct Inward Dial). There was also some up-front maintenance in ensuring that the box was secured (no default passwords, alternate ports, etc.) and provisioned for our company's network.

Everything was ready to go, except for one glaring issue... the system could not be truly tested until our T1 was live! The months of research, preparation, planning and building would all come to an exciting "everything works" climax or a dismal "nothing works" thud! When I mentioned the impending go-live to our development department team leader, he asked, "How long have you been preparing?" I replied, "A few months." To which he replied, "Well, nothing ever goes 100% right on a project that you're months deep in without live testing." My confidence was obliterated. Was he right? What would I do if something went wrong? I only had a window of a few days to get it to full functionality once our T1 was live. Would I be able to get the necessary support from Sangoma or from the trixbox community in that short window? Would I be forced to buy really expensive support time from someone much smarter than me? Had I done enough research to have a clear understanding of what I was doing? I panicked a bit. But I calmed down quickly, since I knew that there was nothing I could do until testing.

On testing day, I arrived early, checked all systems to ensure readiness for testing and waited for the telecom tech to arrive. I paced nervously, knowing that I was helpless and alone until my hour of glory or defeat... At 7:00AM, on the dot, he arrived, Customer Premises Equipment in hand. He came in straight away and began the work of testing our new PRI. As he tested the equipment that he had provisioned the night before, he noticed something that prevented the go-live. So I waited as he called his project manager to ensure that everything was set up appropriately. I hovered over his shoulder to see what was going on. I'm sure I annoyed him enough to make him want to punch me in the face. As I peered into the screen of the battered field laptop he was using to telnet into the gateway, I could see all of the settings used to prepare my connection. I could see everything I needed to confirm that my setup was appropriate! So, I continued to hover, elated as I watched him work through all of the settings. Everything I had set appeared to be correct. By 10:00AM, he had worked through his bugs and we were ready to get the party started. So, we did. We plugged it in, turned it on, and I pulled up a softphone on my laptop. I placed my first test call, a local call, to my cell phone... it worked! I placed another test call from my cell phone to my softphone... it worked! I went down the list of test calls: international, emergency, information, toll-free, etc. I tested queues, DIDs, ring groups, caller ID data, reporting... everything worked! The first time! Was I dreaming? Did I escape from this project unscathed? The answer was an assured "YES!"

The only thing that was really left to do was to get a phone for everyone who didn't have one in the past. Thanks to my very generous friend, I had a pile of Polycoms to go through. So, I brought one home, tested it out and used trixbox's endpoint manager to make provisioning the phones a snap. Eight of the first eleven phones were (nearly fully) functional! A few had non-functional speakers or broken microphones, but they worked well enough for most users. I even spent the three extra minutes it took to build a customized logo.

[Image: Gordian Project Logo on new phone]

My development team leader had put doubt in me, and I knew he was likely right, that not everything would go as planned. The phone system has been such a thorn in the side of the IT department from our humble beginnings with a two-line Vonage solution, to our analog hunting solution, to our digital-to-analog-to-digital line solution, to this. I did not want to see another half-completed phone system that barely meets the needs of the organization. I wanted to build it out to its fullest potential and I wanted it to be scalable and I wanted it to be inexpensive. I think I accomplished that. This one feels good.

 

Vanessa’s Variety for the Week of March 20th, 2009

Posted on March 20, 2009 by Josh
  • We are working in an economic climate that requires retailers to be efficient and cut unnecessary costs. That being said, if you offer promotional codes at your cart page you may want to read “How Much is Your Coupon Code Box Costing You?” by Linda Bustos. This has been a topic of discussion here for a while now, yet we haven’t come to any definite conclusions about what our strategy will be moving forward. Linda’s article offers valuable insight about how coupon code boxes at the cart page are likely affecting your bottom line.
  • Ever sent out an email that you wish you could take back? If you are like me, then you are probably a bit clumsy and can totally relate to this question, so I am really glad that I am a Gmail user. Gmail users can take a deep breath and let out a sigh of relief, as Gmail has added an “undo” feature. After you send a Gmail message you will have five seconds to change your mind and undo your email; although the message says “message sent”, it actually hasn’t been until the five seconds have passed and the “undo” feature is no longer available. You will have to activate the feature in Labs to take advantage of it.
  • TechCrunch’s review of Internet Explorer 8 is optimistic when it comes to the improvement of features like tabbed browsing and search suggestions, but is bleak when it comes to the speed of the browser. The article points out that IE’s market share has been on a steady decline for a while now. This begs the question, “Is speed the most important feature when web browsing?” If so, retailers will need to make sure that their website’s performance can keep up with consumer expectations.
  • I hope that this doesn’t come as a shock to anyone, but Google knows a lot about you. Most of us know this, but you may be surprised exactly how much they know. E-Justice reveals 25 things you may not think Google knows but likely does.
  • Entrepreneur Magazine published an interesting article on how generational differences may be the root problem of work conflicts. The article states that you should watch for certain red flags, most of which I believe are too generalized, as they may be indicators of a generational conflict. Even if the red flags mentioned are general and often present in most work environments, it doesn’t mean that generational conflicts aren’t the origin of the problem, so it is worth the read.

 

The Christmas Retail Season in Review Part 2: Lessons Learned in Resourcing for the Unexpected

Posted on January 14, 2009 by Josh

An interesting thing happened at the Gordian Project this Christmas. We had Christmas shoppers! This may not sound too startling, considering Christmas just passed, but this year's Christmas crowd was different from years past. In March of 2008, Gordian Project launched OutdoorPros.com. This Christmas, with OutdoorPros.com, we've uncovered some really great opportunities for good solutions.

For a few years, with PlumberSurplus.com, we had successfully navigated Christmas shopping without too much disruption to normal work and without the need to significantly augment our staffing or resources in customer service. With the addition of OutdoorPros.com, however, we were facing an entirely new animal. I have worked in retail before. I remember the days when I worked at the Gateway Country store selling computers to people who lined up like cows at Christmas. It was busy, it was crazy, and gifts flew out the door. But customers that came into our store at least knew that when our door was closed, we couldn't be much help to them. Even though Gateway was, at the time, a multichannel retailer, I didn't see much in the way of integration of the different customer bases (online vs. walk-in traffic). The customers’ expectations were, I'm sure, very different about how Christmas gift orders should be handled. This year, with OutdoorPros.com, we learned about the customer expectation during a busy holiday on a site that offers more gift-oriented wares.

PlumberSurplus.com gets busier in November and December with folks dressing up their homes to be ready for Christmas. We also sell some items that could be gift items, like a nice shower head, a towel warmer or a nice drill/saw combo. But, for some reason, PlumberSurplus.com customers seem to plan really well for the holiday. OutdoorPros.com customers, on the other hand, have a very different up-front expectation. Customers want a really great deal; they want to know what is in stock or what the lead time is going to be. They want to know when it will ship and how long it will take to get to them; they want tracking information when it ships, or a backorder update when it doesn't ship. They want it to be guaranteed because it's a Christmas gift. These are completely reasonable expectations and, for us, really great opportunities to improve. If you control 100% of your inventory and fulfillment, solutions to these customer needs come easily into focus. If, however, you control only some or none of your inventory and fulfillment and rely on strategic partners, and you haven't worked out solutions to the above customer pains, you may be due for some lumps around Christmas.

Also, our volume of inquiries for our OutdoorPros.com property easily quadrupled for the six weeks leading up to Christmas. It was not unexpected that our volume would balloon, but we didn't expect the kind of volume we were getting in terms of customer inquiries. It's a week into January 2009 and I can see our inquiry volume back at October levels. Concurrent with our unexpected explosion of the volume of inquiries were some staffing issues. We had some personnel changes for various reasons. A number of factors contributed to a poor staffing situation and we ended up providing a poor customer experience to a number of customers who had to wait extra time for a reply to voicemails and emails (this is my public apology... I am truly sorry to any and all that were forced to wait.). We did come together as a team and even pulled some resources from other departments to get the job done, but it's no excuse for not properly resourcing the customer service department during the busiest time of year. It's not easy to find and train qualified reps in a short amount of time, so we should have done this long before.

We found that when working with customers whose orders were filled by one of our strategic partners, we hadn't planned well enough for meeting the above customer needs on those orders. This, coupled with our poor resourcing of the customer service department, meant we had not prepared well for a busier-than-expected Christmas season. I will chalk it up to "lesson learned" and plan for the extreme rush for our next Christmas season. This is going to be especially important as we expand our offering and even launch new sites with more gift-oriented products.

 

Life in the Cloud: Beginning the Journey with Google Apps

Posted on December 12, 2008 by Josh

Something is going to happen this week at the Gordian Project that I didn't expect when I started work here three years ago. We are beginning our transition to "The Cloud".
 
That's right, we're testing transitioning our users over from the clunky and resource-intensive (and expen$ive) Microsoft Outlook, Word, Excel, PowerPoint, MSN Live Messenger, etc., over to Google's cloud model of Google Apps: Gmail-style email, Google Docs, Google Talk, and Google Sites.

So, this week, I will be "living in the cloud" and completing 100% of my work on email, documents, spreadsheets, and presentations from Google Apps. This may not sound too revolutionary, since Apps has been around for a while now. But it's a challenge to transition your daily life away from what you're used to and what's comfortable to you. Over the next several weeks I'll also be transitioning our departments over to Google Apps, one at a time. The initial test is mostly about me ensuring that no individual user will be without key features for which they currently have a critical business need.
 
With any major software or interface change, there will be some user soreness. I fully expect moans and groans from a number of users who don't know what to expect. So, we're going to try to make the transition as painless as possible by adding a function (email, calendar, chat, etc.) department by department first; then, once all departments have transitioned to a new function of Apps, we'll move on to the next function.
 
We've used Google Apps for some time, but I am curious to see how others have fared in cloud computing for an entire organization. I'll have an update with thoughts and challenges once we're fully deployed.


Is There Room for Textspeak in the Workplace?

Posted on November 26, 2008 by Josh

chat will brb thx 4 ur p8ience 

I recently read a blog post by Frank Reed at Marketing Pilgrim called "R U 2 Casual w Your Biz Talk?" In the article, Frank is reacting to a WSJ article that discusses the casual use of the abbreviated shorthand, textspeak. I understand that, for Gen Y, textspeak is a clear and concise means of communication. They live in a world where they have unlimited (or hundreds of) texts, but maybe not unlimited calling minutes with friends. It is a world where it may be easier and cheaper to send an IM or a text than to pick up the phone to call; not only that, people can't hear what you are texting, so it's potentially more private than a voice conversation. Truly, there are some great reasons that Generation Y prefers texting to calling. For the professional world, textspeak is not considered to be...well...professional; and when it comes to Live Chat for our customers, it definitely does not fly.

Customers want to know that the person they are dealing with is both competent and capable, and the use of textspeak can diminish the customer’s confidence in the abilities of the representative. The use of textspeak in a service environment is unprofessional and can reflect negatively on your company and its staff. It diminishes the customer's expectations of what your company can do for them. Perhaps a company that sells "really cool" products might find it acceptable to use loose language with sales clientele. However, when dealing with a support issue, where a customer has a potential problem, they need clear language that isn't left to their interpretation. Textspeak can also come off to a customer as smug. Do not presume that a customer is OK with textspeak if they use it during a conversation. They are counting on you to be professional, especially if there is an issue that needs resolving.

If your business uses Live Chat as a communication option, be sure to review "speaking" guidelines with your staff. Additionally, review transcripts of chats to ensure that your service reps are representing your company in a pleasing way, and that they are not communicating with your customers in a way that is confusing or juvenile. According to LivePerson, in face-to-face communications "55% of what we communicate is through our tone of voice, 38% of the message is by our appearance or body language, and only 7% is by the words we use". Clearly, live chat does not present a face-to-face option, so the words we use become much more important. LivePerson recommends paying attention to spelling and grammar as part of your basic “netiquette”. They have provided a rather useful list of basic rules to follow:

  • Use correct punctuation.
  • Use proper capitalization.
  • Use of exclamation marks is okay, e.g. "Sure! I'll be glad to help you."
  • Maintain a friendly, but professional tone.
  • Write complete sentences.
  • Use articles (a, an, the) and sentences with subjects and verbs.

Talk to your reps about professional language and what that means for your company. Let your people know, when they are hired, that your office is not a place for "OMG" and "brb" and "ROFL"; especially not with customers!


Watch Out For The PayPal Acceptable Use Policy Takedown!

Posted on September 15, 2008 by josh

Recently, one of the Gordian Project properties, OutdoorPros.com, faced a frustrating and probably unnecessary conundrum with PayPal. Launched in 2008, OutdoorPros.com is a pure play online retailer offering a tremendous assortment of outdoor products. In June of 2008, after months of negotiation, OutdoorPros.com launched PayPal as a payment option. At no time during our initial exchange with PayPal did they ever mention that a portion of our offering may be in violation of the PayPal Acceptable Use Policy.

Then, on August 6, 2008, we received an email from service@paypal.com with a subject that read “Notification of Limited Account Access”. In the body of the email:

“Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for firearms, firearm parts or accessories, ammunition, weapons or knives.”

According to the email, the rug had been pulled from our account and we were prevented from accepting PayPal as a payment option because we sell items that are in violation of the PayPal Acceptable Use Policy. I will quote Adam Sandler, “Information that would have been helpful YESTERDAY!” The email continues:

“To appeal the limitation on your account, you will need to:

1.  Remove those items from your website that violate PayPal's Acceptable Use Policy.  For example, <All Batons, & All Training Batons> http://www.outdoorpros.com; and

2.  Submit the online Acceptable Use Policy affidavit.

This is not intended to be an all-inclusive review or list of your Internet sites in violation.  Furthermore, the violations of the Policy described above are not intended to be an all-inclusive list.  It is the responsibility of the user to ensure that all transactions comply with the Acceptable Use Policy.   

For more information about the status of your account and for instructions on how to restore full use of your account, please login to your PayPal account.  We encourage you to log in and restore full access as soon as possible. Should access to your account remain limited for an extended period of time, it may result in permanent limitation.”

We sell tens of thousands of products. Now the data team here has to filter out products that violate the PayPal Acceptable Use Policy by removing any firearms, firearm parts or accessories, ammunition, weapons or knives. Oy! We have an entire top level category dedicated to cutlery! Did we need to take down all of our knives and swords?

We emailed our PayPal rep and asked this very question. He contacted the PayPal Acceptable Use team and discovered that we needed to remove all guns, batons and butterfly knives. That’s simple. Except that we don’t sell guns or butterfly knives! We do, however, sell training products (red plastic weapons for duty training purposes) and balisong training knives (like butterfly knives, but they have blunt edges and are only used to learn to use the knife properly). So we asked PayPal again and found out that our training products did not need to be removed.

To PayPal’s credit, they did give us a much more detailed response the second time we asked. They let us know that we needed to remove all batons and automatic knives (switchblades) that do not visibly contain a ‘thumb screw’ or ‘thumb hole’ on the blade. Also, our United Cutlery UC702 Eight Piece Ninja Warrior Sword would need to be removed as it includes throwing stars in the package. They also included the following (not a fun read, but at least someone is publishing the information):

Question :
What types of weapons and knives does PayPal prohibit?
Answer :
PayPal prohibits transactions for certain hand weapons or knives that may be illegal or restricted in some jurisdictions.

"Weapons – PayPal generally prohibits transactions for these types of weapons:
•    Nunchaku
•    Brass or other metal knuckles
•    Leaded canes, staffs, crutches, or sticks
•    Zip guns, shurikens or throwing stars
•    Hand grenades or metal replica hand grenades
•    Billyclubs or batons, sandclubs, sandbags, or slungshots (also known as saps or blackjacks)
For other hand weapons, sellers must ensure the weapon is lawful in both the buyer's and seller's jurisdiction before completing the sale.

Knives – PayPal generally prohibits transactions for switchblade knives and disguised knives. A switchblade is any knife resembling a pocketknife with a blade that can be released automatically or by use of a trigger. Other names for switchblades include spring-blade knives, snap-blade knives, gravity knives, and butterfly knives.

A disguised knife is a knife designed to look like a harmless item. Examples of disguised knives include belt buckle knives, cane swords, shobi-zue, lipstick case knives, air gauge knives, and writing pen knives.

Other Related Items – PayPal prohibits transactions for destructive devices and the sale of military equipment or supplies that violate laws or regulations in the buyer's or seller's jurisdiction."

Well, that is much clearer, but would have been beneficial to know during negotiations. However, the PayPal Acceptable Use Policy is much more broad in its scope of unacceptable products, citing “…PayPal may not be used to send or receive payments for firearms, firearm parts or accessories, ammunition, weapons or knives.” If we followed PayPal’s very broad policy, we would be forced to take down a large portion of our offering. If we don’t take the products down, and someone buys a violating item, our PayPal account may be permanently disabled. If we don’t follow the broad policy, but rather use discretion with regard to the items offered (based on their further recommendations) we risk listing an item that PayPal may decide violates their policy. We have taken a relatively conservative approach based mostly on the more detailed information we received via email. But we still needed to decide whether or not we should completely take down products that could be identified as violators.

To solve this dilemma, we proposed that we continue to offer the products that are in violation of the PayPal Acceptable Use Policy, but not offer PayPal as a payment option for those products. We suggested that we programmatically identify products that are flagged by PayPal as violators of the PayPal Acceptable Use Policy and remove PayPal as a payment option from the payment flow entirely where those products are concerned. Surprisingly, PayPal responded with the following:

"In regards to disabling PayPal as a method of payment for the violating items, this is acceptable however; you must also remove any PayPal logos from these items and place a disclaimer stating that PayPal cannot be used for this product. Also, if a potential buyer wishes to send you a payment for any violating item via PayPal, you must ensure that this is not done as any payment received into the account for a violating item will result in further action being taken on the account."

With PayPal’s acceptance of our solution, we set out to update the website appropriately. Below are screenshots of our solution with a comparison between a PayPal-able and a non-PayPal-able product:

Product Detail

With PayPal Logo: [screenshot: OutdoorPros.com with PayPal Logo]

Without PayPal Logo: [screenshot: OutdoorPros.com without PayPal Logo]

Shopping Cart

With PayPal as a Payment Option: [screenshot: OutdoorPros.com shopping cart with PayPal]

Without PayPal as a Payment Option: [screenshot: OutdoorPros.com Cart without PayPal]


This solution allows us to continue to sell all of the products in our offering and helps us to continue to conform to PayPal’s Acceptable Use Policy. There is still some worry that new products may violate PayPal’s Policy. However, our data team has added a “PayPal Acceptable Use Filter” to our data entry process. This will mean that new products that are questionable will have to be submitted to PayPal’s Acceptable Use team for preapproval. We would have preferred that PayPal contact us proactively (before taking our account down) when an item was found to be a violation, but they advised us that they would not be able to do this, which is understandable, since they want us to be proactive in preventing the sale of disapproved items.

In the end, I was surprised that PayPal was flexible enough to allow us to build a mutually beneficial solution. Thanks PayPal.

Update 

About the time I finished writing this blog post we received an email from the Google Checkout team. Lo and behold! Google Checkout has a content policy similar to PayPal’s. The portion that we’ve focused on is:

"Weapons    Firearms, ammunition, and other items including but not limited to firearms, disguised, undetectable or switchblade knives, martial arts weapons, scopes, silencers, ammunition, ammunition magazines, BB guns, tear gas or stun guns."

Google Checkout’s terms are less ambiguous than PayPal’s, and Google Checkout contacted us proactively to request that we remove violating items. They didn’t yank our account and prevent customers from using Google Checkout. They let us know. They have formed a payment partnership with OutdoorPros.com and we’re, consequently, more inclined to be happy to oblige their requests (Thanks John).

So, what did we do about Google Checkout products? We have expanded our filter to include all products that should be filtered by both PayPal’s and Google Checkout’s terms of use. We have also removed Google Checkout as a payment option where violating products are concerned. It was really quite easy to piggy-back Google Checkout onto our PayPal solution.
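The PayPal filter described above, and its extension to Google Checkout, come down to one rule applied in three places: the product page (which logos to show), the cart (which payment options to offer), and the point where the order is actually submitted (which payments to accept). The following is an added example, not code from OutdoorPros.com or from PayPal; the provider names, SKUs, prices and flag fields are all constructed for illustration. The point it makes beyond the text is the last of those three places: hiding a logo or a checkout button is a client-side change, so a payment submitted with a restricted provider has to be refused again on the server from the catalog flags, which is what PayPal's "you must ensure that this is not done" condition requires. Products awaiting the preapproval step the data team added are treated as restricted until an answer comes back.

```python
from dataclasses import dataclass

# Payment providers the checkout knows about (constructed for this example).
PROVIDERS = ("card", "paypal", "google_checkout")


@dataclass(frozen=True)
class Product:
    sku: str
    name: str
    price_cents: int
    # Providers whose acceptable-use terms this product violates; set by the
    # data team's filter when the product is entered into the catalog.
    restricted_for: frozenset = frozenset()
    # Providers for which the product is still awaiting preapproval; treated
    # exactly like restricted until the provider answers.
    pending_for: frozenset = frozenset()

    def blocked_providers(self):
        return self.restricted_for | self.pending_for


class PaymentRefused(Exception):
    """Raised when a provider is submitted for a cart it may not pay for."""


def providers_for_product(product):
    """Provider logos that may appear on a product detail page."""
    return [p for p in PROVIDERS if p not in product.blocked_providers()]


def allowed_providers(cart):
    """Payment options to offer in the cart: a provider is offered only if
    no line item in the cart is blocked for it."""
    allowed = set(PROVIDERS)
    for item in cart:
        allowed -= item.blocked_providers()
    return [p for p in PROVIDERS if p in allowed]  # keep a stable order


def disclaimers(cart):
    """Per-item notices for the cart page, e.g. 'paypal cannot be used for
    this product', which PayPal asked for alongside removing the logo."""
    notes = []
    for item in cart:
        for p in sorted(item.blocked_providers()):
            notes.append(f"{item.sku}: {p} cannot be used for this product")
    return notes


def refusal_reason(cart, provider):
    """Why a submitted provider may not pay for this cart, or None if it may.
    Recomputed from catalog flags, not from anything the browser sent."""
    if provider not in PROVIDERS:
        return f"unknown provider {provider!r}"
    if provider not in allowed_providers(cart):
        offending = [i.sku for i in cart if provider in i.blocked_providers()]
        return f"{provider} may not be used for {offending}"
    return None


def authorize(cart, provider):
    """Server-side gate called when the order is submitted."""
    reason = refusal_reason(cart, provider)
    if reason is not None:
        raise PaymentRefused(reason)
    return {
        "provider": provider,
        "total_cents": sum(i.price_cents for i in cart),
        "skus": [i.sku for i in cart],
    }


# Constructed sample catalog (SKUs, names and prices are made up).
TOWEL_WARMER = Product("TW-100", "Towel warmer", 18999)
SWORD_SET = Product("SW-200", "Sword set with throwing stars", 7999,
                    restricted_for=frozenset({"paypal", "google_checkout"}))
NEW_KNIFE = Product("KN-300", "Newly listed folding knife", 4599,
                    pending_for=frozenset({"paypal"}))


if __name__ == "__main__":
    cart = [TOWEL_WARMER, SWORD_SET]
    print("offer:", allowed_providers(cart))
    print("notices:", disclaimers(cart))
    print("card:", authorize(cart, "card"))
    print("paypal:", refusal_reason(cart, "paypal"))
```

Because `authorize` recomputes the rule from `blocked_providers()`, a request that names a provider the cart page never offered is refused with the offending SKUs, which is also the line worth logging when reviewing whether the filter is working.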


The eCommerce Customer Service Checklist

Posted on September 10, 2008 by josh

I came across a list of 50 things every business should be doing in eCommerce Customer Service at the VirtualHosting.com blog. Christina Laun, the author, does a good job of putting together the list (which can be found here). There are a few things that I would add to her relatively comprehensive list:

51.  Look for easy and scalable solutions. You will hear us say this a lot. Given our mission, it’s critical that we find solutions that are relatively easy and inexpensive to implement (in terms of dollars and resources) and solutions that do not require a complete retooling every time we copy and paste our ecommerce platform into a new vertical market.

52.  Don’t reinvent the wheel.  Examine what others have done. Very few internet retailers can afford to create or monetize bleeding edge technology. Don’t be too creative. Do what you know works based on the experience of others.

53.  Look at your competition. Evaluate what industry leaders are doing in your market space. Certainly, you will want to stay within the confines of your means and capabilities (see #51 and #52).

54.   Take time to understand customer expectations and where you may fall short. Evaluate what you do poorly and focus on opportunities to improve where you fall furthest short of expectations. This goes beyond treating problems as opportunities. This means you are constantly looking for and recognizing a problem (especially chronic problems), taking a global view, and creating an easy and scalable solution.

I disagree with #33 from Christina’s list, “Don’t pitch to unhappy customers”. I say sell to all customers. I don’t mean in the Glengarry Glen Ross, Always Be Closing kind of way. I mean let customers know that you’re serious about earning their business. If you have an unhappy customer, chances are that customer still has a need. Look for ways to fill that need in a way that is both satisfactory for the customer and profitable for your company.

Also, listings 51 through 54 don’t necessarily only appeal to the customer service department. These can be applied to every department in your organization.

 

The iPhone 3G Saved My Life

Posted on August 6, 2008 by josh

So, usually I'm the guy who is doing his best to champion the cheaper technology solution. Even though the iPhone 3G is not the cheapest cell phone solution, I was so excited that this device was worth every penny and I had to share...

So, I’ve been using my new iPhone 3G for nearly 3 weeks now…I am a believer.  

I remember when I got my first, first-generation TiVo.  I tried to explain to friends, family, and colleagues why it was so amazing and invaluable. I got the standard response; mostly, “I don’t watch that much TV.” This is a terrible reason not to get a TiVo. You watch TV so much more efficiently and the experience of watching TV goes through a paradigm shift that makes one never desire to watch TV in any other way. This is how I feel about the new iPhone 3G. Not since TiVo has a piece of technology so enriched my life and fundamentally changed the way I do stuff.

So, it’s a phone…so what?!  

True. It is a phone. However, it also breaks whatever has tethered you to your phone, phonebook, map, photo album, radio, TV, clock, flashlight, newspaper, calendar, game console, …the list goes on.

What’s more, it isn’t just that the iPhone 3G does all of this, it’s that it does it in a way that changes the way you feel about what you’ve previously experienced with each of the features and tools.  It’s not only that I have everything in one place; it’s that the experience for each of the features is usually fluid, intuitive, and frankly somewhat sexy. Also, my experience of browsing over 3G has been very positive. One of the managing partners here at Gordian Project has a first-gen iPhone and told me before I got one that browsing certain sites on the web (such as flash based sites) isn't always practical on the iPhone. I have found this to be the case when on the Edge network, which boasts an experience like dial-up. However, 3G has been more like a low-end DSL connection. I have been very impressed.

How did you justify the cost?

True, the iPhone 3G costs a bit more money than the standard phone. Similarly, TiVo costs a bit more than someone just watching regular TV. But, the additional cost of the iPhone, like TiVo, is eclipsed by its tremendous value. Here are 10 reasons that the iPhone has so much value for me:  

  1. I didn’t have to buy an iPod. 
  2. I didn’t have to buy a TomTom
  3. I will save money by having SlickDeals.net notifications right at my fingertips.
  4. I didn’t have to buy a Light Saber.
  5. I don’t have to rush home or to the office if there is an online emergency; I can work remotely if needed.
  6. I can clear unread posts in Google Reader during my commute (I usually don’t drive in my carpool).
  7. I never waste time waiting in lines.
  8. Gen Y’ers won’t make fun of me anymore for my antiquated brick.
  9. Every time someone mentions something that sounds interesting, I don’t have to try to remember it or write it down…I can just look for that something.  
  10. I quit smoking (cold turkey) the moment I got an iPhone 3G.


iPhone Application Quitter


The idea to quit smoking came to me when I was trying to convince my wife that I absolutely had to have the new iPhone. The fact that the iPhone may actually save my life is what sold her.

I probably wouldn’t do all that stuff with it…

OK. So maybe you aren’t a “power user”. However, like TiVo, I can’t think of a single profile or demographic that wouldn’t be able to use the iPhone to improve their lives. Everywhere you go, you’re fully connected. If someone could figure out Flash on iPhone’s Safari and if AT&T would allow users to make the iPhone an access point, this device would be near perfect. Of all the technology I have consumed, the iPhone 3G is easily my favorite device so far.


Updated PCI Data Security Standards (DSS) Requirements

Posted on July 1, 2008 by josh

Effective June 30, 2008, the PCI Security Standards Council (SSC) has mandated that merchants must comply with Requirement 6.6. You know the one. It's the final requirement listed in Requirement 6: Develop and Maintain Secure Systems and Applications. It says:

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

  • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  • Installing an application layer firewall in front of web-facing applications.
    • Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.


Changes in eCommerce 

What does this mean for us in eCommerce? Well, it means that you have a decision to make about how to secure your web-facing applications. Do you perform a manual code review or install an application layer firewall? How about both? Both are considered best practices for eCommerce security at this point and the PCI DSS standard will only grow to become more stringent, more specific, and likely extend beyond minimal security standards. So you may as well start now. There are four options for application code review, as outlined by the PCI SSC:

  • Manual review of application source code
  • Proper use of automated source code analyzer (scanning) tools
  • Manual web application security vulnerability assessments
  • Proper use of automated web application security vulnerability assessment (scanning)

If you don't have control over your source, make sure you're working with software packages/vendors that meet the new requirements.


Increased Vulnerability 

That's not all! I also received an email from McAfee, our Approved Scanning Vendor (ASV), letting us know that also effective June 30, 2008, the PCI SSC is requiring ASVs to change from version 1 to version 2 of the Common Vulnerability Scoring System (CVSS). What does the change mean for you? Well, it changes the way certain vulnerabilities are scored. Consequently, some low priority vulnerabilities from version 1 will now be scored as higher risk vulnerabilities and could cause a failing PCI network scan score, resulting in non-compliance until you can fix the issue. They pointed out that the top 5 vulnerabilities, statistically, are as follows:

  • SSL Protocol Version 2 Detection -- Don't use SSLv2.
  • Weak Supported SSL Ciphers Suites -- Don't use cipher suites with less than 128-bit encryption.
  • Default Microsoft IIS Files and/or Frontpage Extensions Found -- Don't.
  • OpenSSL Multiple Vulnerabilities < 0.9.8d -- Don't use OpenSSL below 0.9.8d; it's got a number of serious vulnerabilities.
  • OpenSSL PKCS Padding RSA Signature Forgery Vulnerability -- Could allow an attacker to forge an RSA signature and pose as a trusted party.
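
The first two findings on that list (SSLv2 enabled, cipher suites under 128 bits) and the www/non-www certificate complaint at the end of this post are all things you can check for yourself before the ASV does. The script below is an added example written for this post, not code from the post, from McAfee or from the PCI SSC. It uses only Python's standard ssl module; the scan result, the certificate names and the example.org hostnames are constructed samples. Note that banning SSLv3 alongside SSLv2 is a present-day caveat (later PCI DSS versions retired SSLv3 and early TLS as well), not something the 2008 list says.

```python
"""Audit TLS settings for the kind of findings an ASV scan reports.
Added example for this post; constructed sample data, standard library only."""
import ssl

MIN_STRENGTH_BITS = 128                 # the "weak cipher suites" threshold
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}   # SSLv2 from the list; SSLv3 is a modern addition


def audit_scan(scan):
    """Turn a scan result (constructed shape: {'protocols': [...], 'ciphers': [...]})
    into the list of findings a scanner would report. Cipher entries are dicts
    shaped like those returned by ssl.SSLContext.get_ciphers()."""
    findings = []
    for proto in scan["protocols"]:
        if proto in BANNED_PROTOCOLS:
            findings.append(f"protocol {proto} enabled")
    for c in scan["ciphers"]:
        if c["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append(f"weak cipher {c['name']} ({c['strength_bits']} bits)")
    return findings


def hardened_context():
    """Server-side SSLContext that cannot negotiate the flagged protocols or suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv2/SSLv3/TLS 1.0/1.1
    ctx.set_ciphers("HIGH:!aNULL:!MD5:!RC4")       # HIGH = 128-bit keys or longer
    return ctx


def audit_context(ctx):
    """Check a live SSLContext the same way, so a config change is verified before deploy."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol below TLS 1.2")
    for c in ctx.get_ciphers():
        if c["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append(f"weak cipher {c['name']}")
    return findings


def hostname_covered(cert_names, hostname):
    """Whether a certificate's name list covers `hostname`: an exact match or a
    single-label wildcard. A certificate issued only for www.example.org does
    not cover example.org, which is exactly the error the post complains about."""
    host = hostname.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


# Constructed sample: what a scan of a badly configured 2008-era server might return.
SAMPLE_SCAN = {
    "protocols": ["SSLv2", "SSLv3", "TLSv1.0"],
    "ciphers": [
        {"name": "EXP-RC4-MD5", "strength_bits": 40},
        {"name": "DES-CBC-SHA", "strength_bits": 56},
        {"name": "AES128-SHA", "strength_bits": 128},
        {"name": "AES256-SHA", "strength_bits": 256},
    ],
}
SAMPLE_CERT_NAMES = ["www.example.org"]   # constructed: the cert covers only the www host

if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_SCAN):
        print("finding:", finding)
    print("hardened context findings:", audit_context(hardened_context()))
    for host in ("www.example.org", "example.org"):
        print(host, "covered" if hostname_covered(SAMPLE_CERT_NAMES, host) else "NOT covered")
```

The two audit functions apply the same rule to a scan result and to a live context, so the hardened context can be checked in a unit test rather than waiting for the next quarterly scan. The hostname check is the usual exact-or-wildcard rule, written out here so the www/non-www mismatch is visible; in production the TLS library does this for you.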

You should work directly with your ASV if a vulnerability risk is uncovered. 
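
The last item on the list, the PKCS padding signature forgery, is worth understanding rather than just patching, because the same mistake shows up in other verifiers. A PKCS#1 v1.5 signature decodes to a block of the form 00 01 FF..FF 00 DigestInfo hash; a verifier that walks through the padding, finds the hash and stops looking is never checking the bytes after the hash, and that unchecked tail is what the 2006 forgery against small public exponents exploited. The correct check is to rebuild the one block the signer must have produced and compare the whole thing. The code below is an added example written for this post, not code from the post, McAfee or OpenSSL; it generates a toy RSA key at run time (far too small for real use) and uses only the standard library.

```python
"""Strict vs lax PKCS#1 v1.5 signature verification. Added example for this
post; toy key generated at run time, standard library only."""
import hashlib
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message, k):
    """The one valid encoded message EM for `message` at block length k."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for SHA-256 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def em_ok_strict(em, message):
    """Correct check (RFC 8017, 8.2.2): re-encode and compare the whole block."""
    return em == emsa_pkcs1_v15_encode(message, len(em))


def em_ok_lax(em, message):
    """Flawed check: walk the padding, match DigestInfo||hash, ignore the rest."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i + 1:i + 1 + len(t)] == t   # bytes after t are never examined: the bug


def is_probable_prime(n, rounds=20):
    """Miller-Rabin, adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rand_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def gen_toy_key(bits=512, e=3):
    """Toy RSA keypair (n, e, d) with the small public exponent the 2006 forgery needed."""
    while True:
        p, q = rand_prime(bits // 2), rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:       # prime e is coprime with phi iff e does not divide it
            return p * q, e, pow(e, -1, phi)


def byte_len(n):
    return (n.bit_length() + 7) // 8


def rsa_apply(n, exp, block):
    """Textbook RSA on a modulus-sized block: exp=d signs, exp=e recovers EM."""
    return pow(int.from_bytes(block, "big"), exp, n).to_bytes(byte_len(n), "big")


def verify(n, e, sig, message, strict=True):
    em = rsa_apply(n, e, sig)
    return em_ok_strict(em, message) if strict else em_ok_lax(em, message)


def demo():
    """Returns (strict, lax) results for a real signature, then for a junk-tailed block."""
    n, e, d = gen_toy_key()
    k = byte_len(n)
    msg = b"constructed sample message"
    good_sig = rsa_apply(n, d, emsa_pkcs1_v15_encode(msg, k))
    # Minimum 8 bytes of padding, hash in the middle, junk after it. Built here
    # with the private key purely to show that the two parsers disagree.
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    junk_em = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    junk_em += b"\x42" * (k - len(junk_em))
    bad_sig = rsa_apply(n, d, junk_em)
    return (verify(n, e, good_sig, msg, True), verify(n, e, good_sig, msg, False),
            verify(n, e, bad_sig, msg, True), verify(n, e, bad_sig, msg, False))


if __name__ == "__main__":
    print(demo())   # (True, True, False, True)
```

Both verifiers accept the genuine signature; only the lax one accepts the block with junk after the hash. That is the whole lesson: a verifier must decide whether the decoded block equals the expected encoding, not whether the expected encoding can be found somewhere inside it. The same comparison-based check is what the fixed OpenSSL releases and RFC 8017 prescribe.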


PCI Keeps us on our Toes 

Don't get comfortable once you've knocked these new requirements out. By October 2008, the PCI SSC will have released/required version 1.2 of the PCI DSS. The same 12 core requirements will apply. Supposedly, however, the newer version will "enhance the clarity of its technical requirements, offer improved flexibility..." (Thank God).

One last note: The PCI SSC website is www.pcisecuritystandards.org. Does anyone else think it's funny that when you visit http://pcisecuritystandards.org/ (sans "www"), that you get a security error? It's such an easy fix...

http://pcisecuritystandards.org/ security error

Is the Customer Always Right?

Posted on June 25, 2008 by josh

The short answer is “Yes?”. Your customer is the reason you’re able to stay in business, especially in these tight times. This does not, however, definitively mean that “the customer is always right”. Harry Gordon Selfridge, founder of Selfridges department stores in the UK in 1909, is credited with coining the phrase “the customer is always right”. Mr. Selfridge likely did not intend to be taken literally. Rather, he used it to change the psychology of his customers and employees. Customers would, perhaps, feel that a company cared for them. Employees would be continually exposed to the notion that a customer could not be wrong. Presumably, this would result in a prevailing attitude among employees to treat customers positively, regardless of how the customers treated employees.

The unfortunate thing is that customers have latched onto a widespread disposition that they cannot be wrong. Even more unfortunate, as a privately held, small business, we are not able to afford the Nordstrom customer service model. We have customer complaints. But we are unable, financially, to accommodate every customer request. It may sound terrible to think that a company would take the stance that the customer isn’t always right, but it’s true. Please do not misunderstand. We love our customers and we absolutely want everybody to be delighted with their shopping experience. However, there are situations where a customer’s expectations are not met, even though we have made every effort to build clear expectations for the customer before they buy.

I’ll give you an example. A customer buys a valve with low profit margin from PlumberSurplus.com without contacting our customer service team, thinking that the valve will work with their existing plumbing. The specifications for the valve are clearly stated on the product detail page. The customer must read and agree to our web site’s terms of use, including our returns policy, before they are able to create an account or place an order. The customer receives the valve that they ordered in good condition and their plumber tells them that this is not the right valve. The customer immediately contacts PlumberSurplus.com and tells us that they received the wrong product. In researching the issue, we discover that the product that the customer ordered was the product that was sent. The customer simply did not order the correct valve. No problem. We are able to accept the product in return. However, the customer feels that PlumberSurplus.com should make it more clear that the valve does not support all types of plumbing and does not want to pay to ship the product back to PlumberSurplus.com or pay a restocking fee. The customer has already read and agreed to the returns policy which makes both clear. PlumberSurplus.com has made every effort to stipulate what type of plumbing this valve will accommodate. So we say “No. Your order is subject to the policies that you agreed to upon buying”.

The customer then files a dispute with their credit card company. PlumberSurplus.com is charged a processing fee for the dispute that is greater than the profit margin of the valve. PlumberSurplus.com ultimately wins the dispute and we receive our money for the sale, but we still have to pay the processing fee for the dispute. You may ask yourself, “Why don’t you just change the returns policy?” We thought of that. The cost to pay to return the item to PlumberSurplus.com and the cost associated with processing the return is potentially even greater than the cost of the credit dispute processing fee! Either way, we lose. On the flip side, happy customers come back and we may be able to make up the costs then.

So, to recap, we set an expectation of what product the customer was buying and how the customer would have to return it, should they elect to do so. The customer agreed. The customer changed their mind when they discovered that they made a poor buying decision and asked PlumberSurplus.com to pay for the mistake. In this case, the customer was not “right”. At this point, PlumberSurplus.com has to evaluate whether or not it is valuable to lose money on this customer. For various reasons, it may be valuable to lose money on a given customer, but not “always”.