My partner and I launched our site in February and hired a MN-based company that ended up farming the work out to a team in Pakistan. Though everything started off well, every time we asked for a little something extra, the extra "effort" they quoted us for seemed to be way longer and more expensive than we could have guessed. I believe this was because they knew we were not very familiar with web development and coding, and especially Magento. However, for a while, we acquiesced and paid the extra.
But one day, I had asked about blocking certain BIN numbers and/or prepaid cards from being accepted through Stripe and we were quoted for something crazy like 15 hours, so I decided to ask about it in the Stripe node, and I was basically laughed at, with everyone telling me that my request was "trivial at best" and should never, ever take more than an hour!
So long story short, things just progressively got worse from there...
Anyway! Getting to my question:
For small businesses that are both super limited in budget and web development know-how, what tips can you provide for avoiding a similar situation and getting taken advantage of? I feel like an appropriate analogy is how many auto-mechanics gained a bad reputation for taking advantage of unknowing consumers by saying they needed "to change the blinker fluid" and other ridiculous (and obviously exaggerated) charges.
And finally, I wanted to ask one quick specific and time-pressing question:
What is a reasonable amount of time/cost to expect from installing a security patch like SUPEE-5994?
Since unfortunately it's not like a Macbook's autoupdate (I wish), we had to hire someone to do our last patches (SUPEE-5344 and SUPEE-1533) and I kind of feel like we got robbed at $175...
Thank you so much for your time in reading this!
These are great questions!
Regarding your pressing matter of the security patches: At Creatuity we usually quote an hour, but it's frequently much less actual billable time (like 10-15 minutes). It's time/money well spent, as we have seen situations where sites were attacked through known security holes. Being proactive is a worthwhile expense. Keep in mind that establishing a long-term relationship with a company will ensure they can do work faster on your site, since they aren't having to 'get up to speed' each time. So an initial quote from someone new might be higher.
Regarding how to feel confident in your developer/agency when you aren't technical: Let me begin by saying that I'm not a developer myself. So I absolutely understand being in your situation. I think that it's important to try to establish a long-term relationship built on trust, open communication, and fairness. This is a two-way street - I've been on both sides and can tell you that trusting a developer/agency takes both parties' active participation in the relationship. Open communication is critical to establish realistic expectations, and ensure you are 'on the same page' about what a successful relationship looks like. Everyone values different things - some clients are solely cost-centric, others need things delivered super quickly, and like in your case, sometimes trust is the most important factor. Naturally you can vet the partner through references and/or other community members, and definitely ensure that the actual developer performing the work is a Magento Certified Developer (via the Certification Directory). But beyond that, it becomes "fuzzy" on how to know if you can trust someone. It's almost like dating - you have to take an initial leap, but take it slow, while communicating very clearly and openly about expectations.
You should expect clear communication back from the developer about why things are complex, or whatever your particular concern is. If you aren't getting enough information to feel informed, ask again. You shouldn't be afraid to ask direct questions - I find honest people are usually very eager for you to be direct, so that they don't have to try to 'guess' the real concern. When someone asks me "Does Creatuity outsource development?" I am eager to say "Absolutely not." It's the truth, and we have nothing to hide. If you fail to ask the questions that are important to you, no matter how awkward, then you are missing a critical opportunity to save yourself some surprises later. Now if they lie to you, then of course that's an entirely different scenario. If that is what happened here, I am so sorry, and truly hope you can find someone that is more honest. There are certainly "lots of fish in the sea", so don't let one bad experience ruin it for you.
If you have ever made hiring decisions, you know how difficult it is to judge integrity from a job application. That is essentially what you are trying to do looking at websites, portfolios, and partner directories. It will take a lot of extra work to get to the point where you actually feel like you can trust each other. Sometimes it also just takes time working together slowly, cautiously, and openly. Almost like what you would do during a probationary period for a new employee. There's absolutely nothing wrong or impolite about being cautious - we all understand how tough it is to build trust.
By the way, I wrote a blog article a while back about questions that I would recommend asking a potential Magento developer or agency: http://creatuity.com/2014/04/09/questions-potential-magento-development-firm/
Let me know if I can answer any other questions. I hope this helps in some way, and really do wish you the very best in finding a partner you can trust.