Keeping up with the ever changing security requirements of the payment industry.

If you’ve been in business for a while you are probably well aware of your PCI compliance requirements as a business and that you have to verify them annually. But the laws and requirements are in constant update mode and it can be difficult to keep up. In case you didn’t know, there are new security requirements that took effect at the end of January that most likely will affect your business and who you choose as your service providers.  During ongoing research into security issues and data breaches Visa found that 93% of total payment data breaches occurred among smaller business operations and not in all of the huge business hacks you’ve heard about on the news of recent.

Moreover, they found that most of the data breaches that occur within the small business realm or due to what they deem “Insecure POS implementation and servicing by integrators and resellers.” Specifically, they were able to find a link between improperly installed POS applications and payment data breaches within the merchant environment. This is because the resellers and integrators provide monitoring and software support through remote access services.  A lot of times these remote access services will have shared access IDs, won’t utilize two-factor authentication or even regular password changes, which were found to lead to significant gaps in security protocol. These gaps allow exposure to malware putting the merchant at serious risk of payment data compromise.

Are your Service Providers QIR Certified?

In a concerted effort to mitigate the opportunity for scammers to easily breach a faultily installed system the Payment Card Industry Security Standards Council (PCI SSC) created a certification course for all integrators and resellers and established new data security requirements to require these smaller businesses to utilize only sellers that have become certified and are members of the organization.

The program, Visa states, “outlines guiding principles and procedures for the secure installation and maintenance of validated payment applications in a manner that supports PCI DSS compliance”. It is designed to give them a better understanding of the transactional process of the payments industry, knowledge of the compliance programs of the various card brands, as well as how to prepare and perform a qualified installation.

Once certified the company becomes part of the Qualified Integrators and Resellers organization and is then authorized by the PCI Security Standards Council to “implement, configure and/or support” PA-DSS payment applications.

Choosing the perfect POS system is daunting enough in and of itself without having to be worried about who is installing in and if they are qualified. As a business that processes payments you are subject to PCI DSS. These are the Payment Card Industry Data Security Standards. You must abide by the rules and verify with the company that you are compliant every year.

The new Visa data security regulations that went into effect on January 31, 2017 require all “Level 4” businesses to use Qualified Integrators and Resellers (QIRs) to install all of their equipment and verify their PCI compliance each year. The new requirements state that any “level 4” business that uses 3rd party POS installers must only use those that are QIR certified. Making sure that these 3rd party tech vendors are QIR certified before they do any installations means they will properly handle integrations which in turn will reduce the amount of data breaches.

90% of U.S. businesses have QIR requirements

Level 4 is a term that applies to “small” business and actually includes about 90% of all businesses in the US. Any business that processes less than 1 million annual Visa transactions, or 20,000 e commerce, would fall under a Level 4 business. If you fall under this category than your POS salesman who sold you and then installed your system and provides your tech support must now be QIR certified.

However, if your POS system was installed, and is maintained, by your payment processor/merchant service provider, you may not need to do anything differently.

Visa describes third-party POS/terminal installers and services as, “Vendors involved in the implementation, configurations, support, and/or maintenance of POS applications on behalf of merchants or service providers.”

Furthermore, PCI Security Standards Council defines a” service provider” as any “business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.”

You can find out whether your current integrator is QIR certified by checking the online database.

If yours is not yet certified, it is very likely they are working on it, although it is a costly and time consuming endeavor for the service provider.  Make sure you call them and ask when they will become certified. Also, if they have become certified since your installation make sure that they give you their certification number for you to keep on file. You will be required to report this information  to your credit card processor and/or merchant account provider.

When you have new equipment installed by a QIR-certified vendor, they will provide you with a QIR Implementation Statement within ten business days of installation. This statement verifies the installation and application is PCI compliant.

If your 3rd party provider is not qualified it could end up costing you.

While Visa will not be fining businesses who are found to be non-compliant, it still may end up costing you. If you do end up having some sort of fraud, or payment data breach, and Visa finds that you are not compliant with the new data security requirements you may get slapped with fines and assessments by your merchant service provider for not making the effort to follow the requirements.

The are a few situations where the new requirements do not apply:

  • If your system was installed by your merchant service provider or payment processor. They already have such stringent requirements to abide by that they are not required to become QIR certified.
  • If you have a plug and play terminal that came directly from the acquiring bank that was programmed and you just plug it in and it’s ready to go.
  • If you have a stand alone terminal that does not allow remote access.
  • If you log into a secure website- a virtual terminal, to securely process credit cards
  • If mobile and cell payment solutions are the only solution you use.
  • If you are not purchasing your POS, or any maintenance integration or tech support from a 3rd party than you do not have to use a QIR
  • Ancillary applications, such as inventory management systems do not have QIR requirements

While QIR requirements may not apply to everybody the PCI compliance does. Your PCI Self Assessment Questionnaire will include questions pertaining to QIR so if you are unsure as to whether this applies to your business, call your merchant service provider for more information.

As of last November there were  659 certified QIR professionals, representing 281 companies. Make sure that you are  working with qualified service providers and let them know that you take security and remaining PCI compliant seriously and that is what you expect from them. As more merchants become educated on the requirements and realize they need to be working with certified integrators and resellers they will help to put the pressure on their existing service providers to become certified.

It is in your best interest to only work with QIR certified vendors. Your service providers have a direct impact on the security of your business and your customers information. It is important to know all of your service providers and know that they are QIR certified and PCI compliant as you are. You can rest easy that you are doing what you can to reduce your chance of fraud and protecting your business and your customer.