What’s new at the PCI Council?
The PCI Council has released its long-awaited changes to the Qualified Integrators & Resellers (QIR) program. The PCI QIR program was launched in 2012 to ensure that payment systems integrators and resellers know how to support a secure merchant environment, and that merchants have access to these trusted resources.
Here are the two big issues the Council has addressed with this update:
- Expand QIR applicability to any payment application, not just those that have PA-DSS validation.
- Focus on the three most common contributors to data breach events: insecure remote access, weak passwords, and outdated and/or unpatched software.
One other significant change is that the three-year renewal cycle has been shortened to an annual renewal. I am sure this is due to the concern over fast-evolving threats.
How can merchants take advantage of the PCI QIR program?
As I mentioned above, a goal of the QIR program is to give merchants easy access to trusted resources for their business.
Here’s how your business can get the most benefit from the PCI QIR program, in two easy steps:
- Identify and list the organization(s) responsible for integrating and/or servicing your payment system, along with a description of the specific services they provide.
- Look for the identified organization(s) on the PCI Qualified Integrators and Resellers List. If your provider is on the list, add the name of the Primary Contact to your document. Conversely, if they’re not on the list, contact them immediately to verify that they are working toward PCI QIR validation—and if they are not doing so, begin seeking out a validated QIR to perform that service in the future.
Here are a couple of links to additional reading on the payment security topics I’ve discussed above: