Independent sales organizations that choose to offer their merchant clients data security from third-party vendors should evaluate closely which vendors best match their needs, observers note. ISOs create a "deadly combo" if they force merchants to pay for a service and then give them a vendor that does not provide value, says Doug Klotnia, general manager of the compliance division at Trustwave, a Chicago-based payment-security company. "You made the merchant do something, did not give them a choice and gave them a subpar vendor. It is not a good situation," he says. Some ISOs resell security services from third-party vendors to help their merchants comply with the Payment Card Industry data-security standards. ISOs typically charge merchants for such services, but the fees vary by company. Working with a vendor often is the best choice for small ISOs because they do not have the resources to staff a help desk or call center to handle merchants' security questions, says Joan Herbig, CEO of ControlScan Inc., an Atlanta-based provider of PCI compliance and security products for small and midsize merchants. Avid Payments began searching for a security vendor by looking at their reputations in the industry and at what they could provide merchants, says Valissa Kelly, vice president of sales and operations at the Birmingham, Mich.-based ISO. It was important for the ISO to find a vendor that could "provide everything our merchants possibly could need" and allow Kelly and her team to focus on sales and client service, she says.