To help you find the best outsourcing solution for your B2C implementation, we created an RFI based on a fictional company we called Mountain Doozy Donuts, or MDD (see "RFI Scenario"). We sent the RFI to eight vendors: Digitas, Electronic Data Systems (EDS), Grand Central Networks, IBM Global Services, KPMG, LoudCloud, NaviSite and Scient. IBM simply ignored our calls and e-mail, while Scient and KPMG said "no thanks." Grand Central, a newcomer to the game, was initially enthusiastic but then got cold feet. In the end, Digitas, LoudCloud and NaviSite took part.

In the course of determining which of the trio offers the best B2C outsourcing solution for Mountain Doozy Donuts, we settled on a set of "must-have" criteria. Today's outsourcing market has changed drastically from the real-estate and instant-Web-site brokers of a few years ago. Outsourcing vendors are consolidating and attempting to provide a wide variety of services to keep current customers and attract new ones. But don't be blinded by these bells and whistles. In reality, the list of essentials is short and simple. If the company you're considering hasn't addressed even one of these areas, move on to your next candidate. And don't look back.

What Do Readers Think? Check out our e-poll results on outsourcing.

The 'Must-Have' Criteria

We conducted an e-mail poll among readers as part of this package and discovered that security and vendor viability are two major concerns in choosing an outsourcer for B2C sites. Content management is also important.

>> Security. The vendor must provide a detailed description of both physical and network security models. Third-party assessments are invaluable as proof that the provider takes network and systems security seriously.

Ask for a copy of the provider's last external security assessment. If the provider tells you it doesn't have one, just say thank you and move toward the door. Any reluctance to share the data in the report should raise a red flag. Chances are that if the provider doesn't want you to see it, it isn't good.

Hire a reputable third party to perform a security assessment. Yes, it's expensive, but the potential cost of a security breach to your reputation and your revenues will be higher.

Above all be firm in your requests. Don't let the prospective outsourcer squirm out of answering these points.

>> Vendor Viability. Not only should the vendor have a strong financial future, but any partners used to provide development, hosting or bandwidth should also be examined for financial stability and long-term viability. Ask questions such as: How long has the vendor been in business? Who are its primary backers -- what investors (individual or corporate) or venture capitalists are holding it up if it's in the red? What's its burn rate? How long before it's expected to reach profitability? Does the vendor rely on a single partnership for some services? If so you could be in a sticky situation if that partner drops out of the game (see viability chart).

>> Content Management. Control of content is a divisive topic. You must have ultimate control. You must take responsibility for ensuring timeliness of changes and deployment schedules -- even if they're handled through the provider. Hash out how this process will work in the event of a disaster.

Some providers offer a content-management system through which content can be remotely managed by the customer. In this case, you would be directly responsible for updating and maintaining your site's content. The provider merely agrees to provide a working system to let you perform content management. This is often acceptable, but in our scenario we wanted to wash our hands of the entire process and leave it in the hands of the provider. We chose this option because we expected to have infrequent changes to the content. And we didn't envision the need for additional staff to handle this change-management process.

If you want the outsourcer to be in control of your data, have detailed SLAs (service-level agreements) for content management in place. Agree up front on how long a submitted change will take to be processed and include a detailed synopsis of the procedure. Make it clear who holds the responsibility for approval in your organization as well as on the provider's side.

In case of unscheduled changes, ensure that a chain of approval is available even when the responsible parties are not. If content management is provided as a service by the vendor (hosted applications), you should require proper access to submit and approve those changes. Insert a clause that provides for some sort of recompense if the chain of approval is violated.

>> Dedicated Staff. The number of staff members on your project can change depending on the phase of development. You'll need developers and additional management before deployment, and extra network and operational support postdeployment. Make sure there is an understanding in place before signing on the dotted line. An SLA detailing the required turnaround for support and general communications between your staff and that of the provider would be wise.

>> Performance/Availability Monitoring. The vendor should provide you with remote access to performance-monitoring software (and regular reports covering an agreed-on period) or be willing to work with a third-party service offering to provide this service. Without the resulting data, monitoring and enforcing SLAs are impossible. Agree up front on both the service-level guarantees and the compensation due to you if the guarantees are not met. Also, SLAs must be in place and met for third-party services, such as bandwidth and hosting services offered as a part of the package by the vendor.

>> Availability/Redundancy. Make sure the provider's infrastructure can handle the traffic and number of transactions you expect to receive. Backups should be done on a regular basis. Set a schedule for backups to ensure that the impact of any possible problems is minimized. Think through the issues regarding backups: Where are they stored, how are they disposed of? The contract should include a detailed view of all hardware and software that will be used for your outsourced site. Consider visiting the vendor's data center to check that it has the goods to back up its infrastructure claims. While you're there, observe physical security policies to see if they live up to the vendor's promises.

In the course of your due diligence, you'll find that most B2C service providers offer a slew of additional services, including Web analytics or a VRM (visitor relationship management) system. These are nice to have, but they're not must-haves. Concentrate on the essential requirements first. Don't be distracted by shiny toys in the vendor's display window.