The Green Sheet Online Edition
June 28, 2010 • Issue 10:06:02
Succeeding at PCI compliance - Part 2: Executing an effective pilot program
In "Succeeding at PCI compliance - Part 1: Planning the initial rollout," The Green Sheet, May 24, 2010, issue 10:05:02, I suggested that choosing a trusted Payment Card Industry (PCI) Data Security Standard (DSS) compliance vendor was key to a successful rollout, and I outlined the selection criteria we used at First Data Corp.
I also recommended running a pilot program to solidify your choice. Narrowing the field helps you make a good decision on paper, but a pilot program puts all the promises of the vendor to the test. Before you sign a contract, you will know which vendor is the best match for your company, including your systems, people and processes.
Level the playing field
The first step in developing your pilot program is to level the playing field. Make sure you will be evaluating both vendors in the test on an apples-to-apples basis. For example, if you are focusing on restaurant merchants with one vendor, do the same with the other vendor.
Don't forget to include a mix of merchants using software, high-speed Internet and dial-up for credit card processing. Ensure your data is accurate and up to date.
Finally, choose enough merchants for each vendor to provide a reliable yet manageable sample. Our chosen size was 500 merchants for each vendor, but you can determine what number will provide the best representation of your merchant base. This will not only test your vendors' ability to scale, but also help manage your expectations of the program.
Payment process and costs
To address merchant concern over the costs of PCI compliance, you may wish to provide quarterly or even monthly payment options instead of annual payments. You may also want the flexibility to pay through the processor rather than pay the vendor directly.
These variables should be represented in your pilot criteria. If the vendors you are evaluating do not offer multiple payment options or have difficulty in delivering on what they claim to offer, you will find out about it in the pilot stage.
Limiting yourself to one option is fine. However, if you are considering multiple options, split up the merchant base in your pilot program. This is the approach we took, and it helped us learn which payment option was more popular among merchants, which was easiest to manage and how each vendor handled the payment options. Some vendors are not as flexible in working within a multiple-payment-option environment.
The length of your pilot will be driven by the number of merchants involved, as well as the communication methods you employ. For example, if you are messaging through monthly statements, you may need more time than if you are using email.
Ensure that you allow adequate time to get the results you seek. Start and end the pilot at the same time with both vendors, and stick to your deadlines; you need to base the results on a specific time frame. If the vendor is unable to execute on the program as quickly as you would like, you will learn that immediately. That could affect your choice of partners, based on your internal project deadline.
Evaluating your vendors
Each vendor should provide you with an executive summary of the pilot results, including their own comments. In addition, you should solicit input from all internal team members involved in the pilot, as well as the merchants, to determine their experience with each vendor.
To obtain your merchants' response, consider engaging a marketing company to help produce a short survey. We found this feedback to be essential in evaluating the vendors. Be mindful of your merchants' time by ensuring the survey is short and the questions concise.
Consider the following items during your evaluation:
Overall experience: Describe the overall relationship/experience with the process and vendor.
- Can you imagine yourself in a successful day-to-day working relationship with one of the vendors?
- How successful were the vendors in obtaining results?
- How would you describe the communication process between you and the vendor as well as between the merchants and vendor?
- Were the vendors in constant communication with you throughout the pilot, or did they address their concerns at the end?
Customer service and support: Compare and contrast the vendors' service and support.
- Which vendor provided better customer service to both you and your merchants?
- Who came closest to delivering what was promised?
- Request a satisfaction report on the support representatives if your merchants called the vendor support line. Were the support representatives polite, well spoken and friendly on the phone? Were they knowledgeable and able to resolve issues with minimal phone transfers?
- Is the customer support unlimited and always accessible? Are unlimited support and service an additional cost to the program?
- Do you have the ability to refer back to recorded calls to assist with issue resolution?
Tracking and reporting tools: Analyze the vendors' tracking and reporting capabilities.
- Did one vendor offer more functionality in its tool set than the other?
- Was the online enrollment effective?
- Did you have the ability to customize the tools?
- How easy were the tools for the merchants and your internal team members to use?
- Were the tools flexible?
- Were you able to run queries to produce the reports needed within your organization?
- Were the tracking functionality and results accurate?
The pilot lets you actually use the vendor's tools to track merchant response and produce necessary reports. The vendor may look good in boardroom presentations, but the pilot either confirms a vendor's capacity or exposes
By combining all of this information, you can get a good picture of important variables such as merchant response, the success rate for PCI compliance, your personal experiences with the vendor, program costs, and how quickly the vendor can develop and implement the program.
These are key indicators of the relationship you will experience once you are under contractual obligation with the vendor.
Take your time
As important as the pilot will be in helping you make a decision, don't rush it. Take the time to flush out any potential problems.
Get to know each vendor's systems, support staff and communication processes, especially if you have a large merchant base. Make it easier on yourself; know your vendor well. Test the relationship before the ink dries.
Also, at the conclusion of the pilot, make sure the vendors provide you with thorough reports and a concise analysis of the process and program from their perspective. Regardless of your choice, the vendors' feedback will be helpful to you during your rollout.
The time you spend in your pilot is one of the best investments you will make as you move your merchants toward PCI compliance.
Next you'll be ready to go live with your program. Coming in Part 3 of this series: implementing the rollout.
Dawn M. Martinez is Director of Data Security for First Data Corp. In this role, she oversees PCI compliance and data security initiatives for thousands of bank partners, ISO clients and merchants. Contact her at email@example.com.