If you missed the QIR deadline, you need to act fast.
At last month’s Northeast Acquirers Association (NEAA) Conference, I joined the Legislative Panel to speak on the subject of the Visa Qualified Integrators & Resellers (QIR) program. My talking points were timely, given that the January 31, 2017 QIR deadline had just passed.
Just a bit of background for some context…
The QIR program is operated by the PCI SSC as part of its role as the standards body. The idea is for companies involved in the installation, integration and support of validated payment applications (PA-DSS) to become certified as QIRs. This is because many breaches can be tied back to issues with the installation/integration process or the support aspects, where remote access is often the source of intrusion.
Visa has made its QIR requirement an integral part of its new PCI compliance initiatives for small (i.e., level 4) merchants. Merchants using validated payment applications in a POS environment must also utilize QIRs for their installation, integration and support.
The QIR deadline generated many questions and a great deal of concern among NEAA Conference attendees, especially when I asked the audience how many had notified their merchants of the new Visa requirements around QIR. Only a few raised their hands!
Start by peeling back the layers of QIR.
The responses I received during the NEAA event, as well as other recent acquirer conversations, got me thinking that the QIR issue can be best described as a pretty good-sized onion with lots of layers.
Why do I say this? Here are just a few examples:
- Visa indicates that it currently only requires merchants to use a QIR when POS systems are involved, but the Council maintains a broader definition which may include e-commerce scenarios where shopping carts could come into play. We all know that there are many unique processing scenarios that can arise. As soon as you think you have seen it all, new scenarios come to light. The scenario with an integrated POS system is the most likely one to apply, and the one from which many of the breaches continue to emanate.
- Visa indicates that standalone terminals do not require QIRs to be involved, as long as remote access is not in place.
- QIR applies not just at the company level but also at the individual level. If you have ten people going out to configure POS systems, they all need to go through the QIR program.
- Even if a merchant does not need a QIR based on eligibility, there is still an expectation from the card brands that service providers and vendors will utilize best security practices.
ControlScan, and I personally, are continuing to educate and assist acquirers in their efforts to fully comply with the Visa QIR mandate. To that end, I will be speaking on “Peeling Back the QIR Onion” at the upcoming Merchant Acquirers’ Committee (MAC) Annual Conference, March 21-23 in Las Vegas.
Hope to see you at MAC 2017! Can’t make it? Feel free to reach out to ControlScan at 800-825-3301, ext. 2. We’re happy to help.