Courtney Rogers Perrin
Are you ready to ring in a New Year with the new PCI QIR requirements?: Steps integrators and sellers of PA-DSS validated POS systems can take to comply by the end of January.
Vendors who install or support Payment Application Data Security Standard (PA-DSS) validated point of sale (POS) systems face a January 31, 2017 deadline to become QIR-certified under the new program developed by Visa. Applicable integrators and sellers must participate in a Payment Card Industry Qualified Integrators and Resellers (PCI QIR) certification program aimed at reducing the number of breaches of POS systems. The program gives integrators and sellers the knowledge needed to install POS systems securely. Failure to achieve certification can result in exclusion from Visa’s list of qualified providers and could lead to lost clients as the program is adopted.
The QIR certification program consists of two parts: (i) a 7-hour online course and (ii) an in-person exam that can be taken at any Pearson VUE Testing Center. Participants must complete both parts within 90 days of registering to take the course. To register, a company must first complete a registration form and the company application. Companies can then enroll professionals in the training program. The course covers the more general PCI DSS and the fundamentals of the payment industry, as well as the specifics of PA-DSS implementation and QIR quality assurance.
Certification lasts for 3 years for each professional who also completes 30 Continuing Professional Education (CPE) hours over a rolling 3-year period. The initial course costs $395 and recertification costs $350 for trainees who are not part of a Participating Organization. Every provider must have at least one QIR-qualified employee to be included on Visa’s qualified provider list.
Before beginning the course, the PCI Security Standards Council (SSC) recommends that vendors familiarize themselves with the PCI Glossary, PCI DSS and PA-DSS. All of these documents can be found in the PCI SSC’s document library.
Based on information released by Visa at the RSPA Retail Now conference, adoption of the new program has been slow. Diana Greenhaw, Senior Director of Global Data Security and Third-Party Risk, told attendees at the RSPA meeting, “Visa has no intention of proactively enforcing these requirements. There are millions of merchants in the U.S. and it’s not about us trying to measure if every individual merchant who uses an integrator that that integrator is QIR-certified.” Ms. Greenhaw also stated, “in the event of a compromise, we absolutely will enforce our requirements.”
Visa subsequently clarified this information, explaining “in the event of a compromise linked to a merchant’s non-compliance with Visa rules or PCI DSS, acquirers may be subject to non-compliance assessments for not meeting these or other data-security requirements.” While the QIR program will not be proactively monitored and enforced, if a data breach occurs and Visa determines that a QIR-certified integrator was not used, the fines and related costs for the breach could be higher than they have been in the past because of the new QIR requirements.
You can confirm that you qualify for the program by referring to Appendix B of the QIR Qualification Requirements and can find more detailed registration instructions here. If you would like more information on QIR certification, or if you have other questions related to electronic payment systems, please contact John Romer.