This is page 3 of:
Questions To Ask Your System Vendor Or Reseller
How will the vendor or reseller maintain, troubleshoot and update the system, including installing security patches? If they maintain the application remotely (which is common), PCI requires both two-factor authentication for all remote access by staff or vendors (Requirement 8.3) and that the merchant control access (Requirement 12.3.9). These requirements mean the retailer needs some basic understanding of the specific remote access and two-factor authentication technologies to be implemented.
Does the vendor offer a hosted (i.e., outsourced) option? In case it is not abundantly clear from the above questions, running your own payment application requires you to take an active role. If firewalls, security patches, upgrades and two-factor authentication scare you, then maybe you should look to outsource your payment processing to a PCI-compliant service provider instead.
Both Visa and MasterCard maintain lists of the larger (Level 1) service providers on their Web sites. Many service providers specialize in a particular industry, so there may be a third-party hosted solution that can work for your business.
Outsourcing is not a panacea; it does not make PCI go away. The retailer is still ultimately responsible, but PCI compliance is simplified and your security is increased greatly with careful outsourcing.
Lastly, get everything in writing. Any promise, any extra feature or customization, any claim, any guarantee, any special deal only counts if it is in the contract. Promises made in meetings by E-mail or on the golf course are fine, but they don’t count unless and until they are in writing.
If you encounter resistance to putting a particular promise in the contract, you may want to escalate to a more senior person at the vendor. Failing that, get up and leave the room (and take anybody you like with you).
Small and midsize retailers and merchants of all types are at a disadvantage in the world of payment applications and PCI compliance in general. They focus on what they know best: serving their customers and building sales. Most neither want nor have the ability to manage a technical infrastructure. The bad guys, however, are technically sophisticated, and they increasingly target these same small and midsize merchants.
Events like the NRF show provide great opportunities to meet with competing vendors, learn the latest developments and find solutions that can improve your business. It is also a great opportunity to ask questions.
Do you rely on third parties like value-added resellers and service providers? What has been your experience? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
-Marc
January 10th, 2012 at 9:53 am
These are great pointers. Vendors will hawk retail solutions with buzzwords like mobile POS, loyalty and RFID inventory to grab attention, but can they deliver?
My experience early on was the majority of vendors could not follow up after the purchase order was generated. I ended up burnt dealing with firms I met at a conference who had nothing more than a nice brochure and a free memo pad with their logo on it.
I won’t be able to make it this year but if anybody is going to the NRF, can they please follow up?