
The Green Sheet Online Edition

June 28, 2010  •  Issue 10:06:02


Succeeding at PCI compliance - Part 2: Executing an effective pilot program

By Dawn M. Martinez

In "Succeeding at PCI compliance - Part 1: Planning the initial rollout," The Green Sheet, May 24, 2010, issue 10:05:02, I suggested that choosing a trusted Payment Card Industry (PCI) Data Security Standard (DSS) compliance vendor was key to a successful rollout, and I outlined the selection criteria we used at First Data Corp.

I also recommended running a pilot program to solidify your choice. Narrowing the field helps you make a good decision on paper, but a pilot program puts all the promises of the vendor to the test. Before you sign a contract, you will know which vendor is the best match for your company, including your systems, people and processes.

Level the playing field

The first step in developing your pilot program is to level the playing field. Make sure you will be evaluating both vendors in the test on an apples-to-apples basis. For example, if you are focusing on restaurant merchants with one vendor, do the same with the other vendor.

Don't forget to include a mix of merchants using software, high-speed Internet and dial-up for credit card processing. Ensure your data is accurate and up-to-date.

Finally, choose enough merchants for each vendor to provide a reliable yet manageable sample. Our chosen size was 500 merchants for each vendor, but you can determine what number will provide the best representation of your merchant base. This will not only test your vendors' ability to scale, but also help manage your expectations of the program.

Payment process and costs

To address merchant concern over the costs of PCI compliance, you may wish to provide quarterly or even monthly payment options instead of annual payments. You may also want the flexibility to pay through the processor rather than pay the vendor directly.

These variables should be represented in your pilot criteria. If the vendors you are evaluating do not offer multiple payment options or have difficulty in delivering on what they claim to offer, you will find out about it in the pilot stage.

Limiting yourself to one option is fine. However, if you are considering multiple options, split up the merchant base in your pilot program. This is the approach we took, and it helped us learn which payment option was more popular among merchants, which was easiest to manage and how each vendor handled the payment options. Some vendors are not as flexible in working within a multiple-payment-option environment.

Time frame

The length of your pilot will be driven by the number of merchants involved, as well as the communication methods you employ. For example, if you are messaging through monthly statements, you may need more time than if you are using email.

Ensure that you allow adequate time to get the results you seek. Start and end the pilot at the same time with both vendors, and stick to your deadlines; you need to base the results on a specific time frame. If the vendor is unable to execute on the program as quickly as you would like, you will learn that immediately. That could affect your choice of partners, based on your internal project deadline.

Evaluating your vendors

Each vendor should provide you with an executive summary of the pilot results, including their own comments. In addition, you should solicit input from all internal team members involved in the pilot, as well as the merchants, to determine their experience with each vendor.

To obtain your merchants' response, consider engaging a marketing company to help produce a short survey. We found this feedback to be essential in evaluating the vendors. Be mindful of your merchants' time by ensuring the survey is short and the questions concise.

Consider the following items during your evaluation:

The pilot lets you actually use the vendor's tools to track merchant response and produce necessary reports. The vendor may look good in boardroom presentations, but the pilot either confirms a vendor's capacity or exposes its weaknesses.

By combining all of this information, you can get a good picture of important variables such as merchant response, the success rate for PCI compliance, your personal experiences with the vendor, program costs, and how quickly the vendor can develop and implement the program.

These are key indicators of the relationship you will experience once you are under contractual obligation with the vendor.

Take your time

As important as the pilot will be in helping you make a decision, don't rush it. Take the time to flush out any potential problems.

Get to know each vendor's systems, support staff and communication processes, especially if you have a large merchant base. Make it easier on yourself; know your vendor well. Test the relationship before the ink dries.

Also, at the conclusion of the pilot, make sure the vendors provide you with thorough reports and a concise analysis of the process and program from their perspective. Regardless of your choice, the vendors' feedback will be helpful to you during your rollout.

The time you spend in your pilot is one of the best investments you will make as you move your merchants toward PCI compliance.

Next you'll be ready to go live with your program. Coming in Part 3 of this series: implementing the rollout.

Dawn M. Martinez is Director of Data Security for First Data Corp. In this role, she oversees PCI compliance and data security initiatives for thousands of bank partners, ISO clients and merchants. Contact her at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
