By Dawn M. Martinez
First Data Corp.
In "Succeeding at PCI compliance - Part 1: Planning the initial rollout," The Green Sheet, May 24, 2010, issue 10:05:02, I suggested that choosing a trusted Payment Card Industry (PCI) Data Security Standard (DSS) compliance vendor was key to a successful rollout, and I outlined the selection criteria we used at First Data Corp.
I also recommended running a pilot program to solidify your choice. Narrowing the field helps you make a good decision on paper, but a pilot program puts all the promises of the vendor to the test. Before you sign a contract, you will know which vendor is the best match for your company, including your systems, people and processes.
The first step in developing your pilot program is to level the playing field. Make sure you will be evaluating both vendors in the test on an apples-to-apples basis. For example, if you are focusing on restaurant merchants with one vendor, do the same with the other vendor.
Don't forget to include a mix of merchants using software, high-speed Internet and dial-up for credit card processing. Ensure your data is accurate and up-to-date.
Finally, choose enough merchants for each vendor to provide a reliable yet manageable sample. Our chosen size was 500 merchants for each vendor, but you can determine what number will provide the best representation of your merchant base. This will not only test your vendors' ability to scale, but also help manage your expectations of the program.
To address merchant concern over the costs of PCI compliance, you may wish to provide quarterly or even monthly payment options instead of annual payments. You may also want the flexibility to pay through the processor rather than pay the vendor directly.
These variables should be represented in your pilot criteria. If the vendors you are evaluating do not offer multiple payment options or have difficulty in delivering on what they claim to offer, you will find out about it in the pilot stage.
Limiting yourself to one option is fine. However, if you are considering multiple options, split up the merchant base in your pilot program. This is the approach we took, and it helped us learn which payment option was more popular among merchants, which was easiest to manage and how each vendor handled the payment options. Some vendors are not as flexible in working within a multiple-payment-option environment.
The length of your pilot will be driven by the number of merchants involved, as well as the communication methods you employ. For example, if you are messaging through monthly statements, you may need more time than if you are using email.
Ensure that you allow adequate time to get the results you seek. Start and end the pilot at the same time with both vendors, and stick to your deadlines; you need to base the results on a specific time frame. If the vendor is unable to execute on the program as quickly as you would like, you will learn that immediately. That could affect your choice of partners, based on your internal project deadline.
Each vendor should provide you with an executive summary of the pilot results, including their own comments. In addition, you should solicit input from all internal team members involved in the pilot, as well as the merchants, to determine their experience with each vendor.
To obtain your merchants' response, consider engaging a marketing company to help produce a short survey. We found this feedback to be essential in evaluating the vendors. Be mindful of your merchants' time by ensuring the survey is short and the questions concise.
Consider the following items during your evaluation:
Customer service and support: Compare and contrast the vendors' service and support.
Tracking and reporting tools: Analyze the vendors' tracking and reporting capabilities.
The pilot lets you actually use the vendor's tools to track merchant response and produce necessary reports. The vendor may look good in boardroom presentations, but the pilot either confirms a vendor's capacity or exposes its weaknesses.
By combining all of this information, you can get a good picture of important variables such as merchant response, the success rate for PCI compliance, your personal experiences with the vendor, program costs, and how quickly the vendor can develop and implement the program.
These are key indicators of the relationship you will experience once you are under contractual obligation with the vendor.
As important as the pilot will be in helping you make a decision, don't rush it. Take the time to flush out any potential problems.
Get to know each vendor's systems, support staff and communication processes, especially if you have a large merchant base. Make it easier on yourself; know your vendor well. Test the relationship before the ink dries.
Also, at the conclusion of the pilot, make sure the vendors provide you with thorough reports and a concise analysis of the process and program from their perspective. Regardless of your choice, the vendors' feedback will be helpful to you during your rollout.
The time you spend in your pilot is one of the best investments you will make as you move your merchants toward PCI compliance.
Next you'll be ready to go live with your program. Coming in Part 3 of this series: implementing the rollout.
Dawn M. Martinez is Director of Data Security for First Data Corp. In this role, she oversees PCI compliance and data security initiatives for thousands of bank partners, ISO clients and merchants. Contact her at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.