According to recent statistics from Visa, 80% of small-business data breaches are associated with insecure implementation and/or servicing by point-of-sale (POS) integrators and resellers.
The activities leading to these breaches are in direct violation of the PCI DSS, and Visa has taken action by issuing a QIR mandate that impacts merchant acquirers and the Level 4 merchants they serve.
So what’s a QIR?
A Qualified Integrator & Reseller (QIR) is an organization that is authorized by the PCI Security Standards Council to “implement, configure and/or support” PA-DSS payment applications. The PCI Council lists all QIRs on its website and the number of companies that are QIR Validated is growing very quickly.
The PCI DSS requirements do not include the use of a QIR; however, Visa now requires its merchant acquirers to:
- Verify that all Level 4 merchants acquired since April 1, 2016 are using QIR providers for POS application and terminal installation and servicing; and
- Verify that, by January 31, 2017, all of the Level 4 merchants within their portfolios are using QIRs.
As of this writing, the other card brands do not have similar requirements.
Regardless of your merchant level, be prepared to answer Yes to the following question in the PCI DSS v3.2 Self-Assessment Questionnaire (SAQ): “Does your company use a Qualified Integrator & Reseller?”
What does your business need to do? Here are the important steps to take as you prepare:
1. Identify and list the organization(s) responsible for integrating and/or servicing your POS system, along with a description of the specific services they provide.
2. Look for the identified organization(s) on the PCI Qualified Integrators and Resellers List.
- If your provider is on the list, add the name of the QIR individual to your document.
- If your provider is not on the list, contact them immediately to verify that they are working toward PCI QIR validation—and if they are not doing so, begin seeking out a validated QIR to perform that service in the future.
3. Review this blog post, which takes a holistic view of the security-related impact service providers can have on your business.
Want to learn more about how the PCI DSS applies to your business, or even ways in which you can reduce your business’s scope of compliance? Give us a call at 1-800-825-3301, x2.
Be sure to subscribe to this blog for additional tips and webinar announcements.