IMAGINE THIS: You are at the top of your PCI compliance game. Your payment application is PA-DSS compliant. You completed your PCI self-assessment questionnaire. Above all, you treat compliance like the continuous process that it is. Thieves and hackers don’t stand a chance.
BUT WAIT. Who installed your point-of-sale system? Who set up your network and provides your business with IT support? Do they take PCI DSS compliance as seriously as you do? For example, did they use unique and strong passwords when creating accounts for you? Is remote access always enabled, or activated only when needed? Do they apply security patches and updates to all software as soon as they are available?
The PCI Security Standards Council shares your skepticism, and for good reason. Cybercriminals are targeting Value Added Resellers (VARs), dealers and solution providers who implement, configure and support payment applications on behalf of small businesses. So in 2012, the PCI Security Standards Council created the Qualified Integrators and Resellers Program (“QIR Program”) to ensure that payment application installations support compliance with the PCI DSS.
For businesses like yours, the QIR program allows you to easily identify and engage a qualified professional to install and support PA-DSS validated payment applications such as point-of-sale systems. You can rest easier knowing that your PCI-certified QIR professional is playing by the same rules as you regarding PCI compliance.
The once-optional program is now a requirement. As of March 2016, Visa started requiring all new small businesses (Level 4 merchants) to use only PCI-certified QIR professionals.
The deadline for existing small businesses was January 31, 2017, to make the switch to a PCI-certified QIR professional or for their existing provider to become QIR certified.
ABOUT THE PCI QIR PROGRAM
The QIR program focuses on two core objectives:
Installing and configuring PA-DSS validated payment applications into customer environments in a manner that supports PCI DSS compliance.
Ensuring that the installations facilitate businesses’ PCI DSS compliance efforts.
According to the official QIR Program Guide available to download from this page, a QIR company or professional is responsible for:
Ensuring installations and configurations of PA-DSS validated Payment Applications are in accordance with the applicable PA-DSS Implementation Guide in a manner which supports PCI DSS compliance.
Providing the customer with a completed QIR Implementation Statement after installation and configuration of a PA-DSS validated application. (Note: this should be provided to you within 10 business days after the installation is complete).
Documenting any potential risks to PCI DSS compliance identified by the QIR Employee in the QIR Implementation Statement.
Maintaining a quality assurance program that includes vetting of employees involved in Qualified Installations, personnel training and education on PCI DSS and applicable PA-DSS Implementation Guides.
Protecting confidential and sensitive information.
Supporting any PFI forensic investigations in which the application the QIR installed at a customer environment may be involved.
Servicing the payment applications (for example, troubleshooting, delivering remote updates and providing remote support) if engaged to do so, according to the PA-DSS Implementation Guide and PCI DSS.
Solution providers become certified by registering and paying for the program on the PCI Security Standards Council’s website, studying the course material that includes videos, guides, checklists, etc., and passing the exam at an on-site training center. Companies and professionals must re-qualify every three years. You can search for a PCI QIR here.