Courtney Rogers Perrin
Visa’s new rule requiring small (Level 4) merchants to use Qualified Integrators and Resellers (QIR) takes effect January 31, 2017. The program’s objective is to combat the rising number of point-of-sale (POS) system breaches by ensuring merchants use only integrators and dealers who have been trained to install POS systems securely. Payment Card Industry (PCI) data breach investigations have found that incorrect application installation and system configuration, including default or shared passwords, insecure system settings, router configurations, and weak physical security, is frequently the root cause of breaches that expose cardholder data and other sensitive customer information.
The QIR certification program, developed by the PCI Security Standards Council (SSC), was designed to make integrators and resellers more aware of the PCI Data Security Standard (DSS) requirements that apply to installing and supporting POS systems. Qualification consists of a 7-hour online course, which can be taken at home or in the office, followed by an in-person exam at a local Pearson VUE testing center; the resulting certification is valid for three years.
Level 4 merchants that use a system integrator, reseller or dealer should contact their local representative to confirm that the personnel who install and support their POS systems hold, or will obtain, QIR certification in time to meet Visa’s requirements. Merchants should also contact their payment processor for more information on QIR and on the processor’s own reporting and tracking requirements.
Level 4 merchants are those that process fewer than 20,000 Visa or MasterCard e‑commerce transactions per year, or fewer than 1 million total Visa or MasterCard transactions per year across all channels. Under the new rule, these merchants must use PCI-certified QIR professionals for POS application and terminal installation and integration. They must also validate PCI DSS compliance annually unless they participate in the Visa Technology Innovation Program (TIP). Merchants that do not use a third party to operate or maintain their POS systems are exempt from the rule, and merchants using only single-use terminals without Internet connectivity may be exempt.
Merchants that participate in TIP do not need to validate PCI DSS compliance annually because they have already adopted additional safeguards: either EMV technology (chip cards and the terminals and authentication systems that support them) or a PCI SSC-validated point-to-point encryption (P2PE) solution. To qualify for the program, a merchant must confirm that sensitive authentication data, such as the full contents of the magnetic stripe, is not stored after a transaction is authorized, and that at least 75 percent of its transactions are processed through secure acceptance channels.
Although the onus is on acquirers and processors to inform merchants of these new rules, complying proactively can make your systems more secure. Since 80 percent of small-merchant breaches stem from POS weaknesses such as remote access that lacks individual user IDs or regular password changes, ensuring your POS systems are installed with the security precautions covered by the PCI QIR program can materially reduce your exposure. A growing list of PCI SSC-qualified QIR companies is available to help merchants choose an acceptable professional.
Information on the steps POS integrators and resellers can take to comply with PCI QIR requirements will follow soon. If you would like a head start on updating your security practices, or have other questions related to electronic payment systems, please contact John Romer.