The Green Sheet Online Edition

February 08, 2016  •  Issue 16:02:01


Visa says Level 4 merchants must use PCI-accredited QIRs

Visa Inc. is ratcheting up the focus on POS data security. Beginning in January 2017, small (Level 4) merchants may use only integrators and resellers certified by the PCI Security Standards Council (PCI SSC) for POS application and device implementation and installation, Visa stated. Acquirers must convey the new requirement to their small business clients by no later than March 31, 2016, Visa said in a bulletin released in December 2015.

The new Qualified Integrator and Reseller (QIR) certification is a three-year, renewable credential awarded by the PCI SSC. It's an assurance that these third-party service providers can meet the Payment Card Industry (PCI) Data Security Standard (DSS) and related security standards managed by the council. A list of certified QIRs can be found on Visa's web site.

Visa first set a March 31, 2016, deadline for Level 4 businesses to use only certified QIRs, but moved the deadline out to January 2017 in the December bulletin updating its Small Merchant Security Program Requirements.

Troubling breach stats for Level 4

In a post to Visa's blog, Eduardo Perez, Senior Vice President for Payments System Risk at Visa, said the move was prompted by analysis indicating that 95 percent of data breaches investigated by Visa in 2015 involved small and midsize businesses and that these businesses are more likely to use resellers and integrators than larger businesses. "Visa has found that cyber criminals are exploiting basic vulnerabilities in these vendors' remote access controls in order to gain access to a merchant's systems and install malicious code," Perez wrote.

PCI SSC General Manager Stephen Orfei noted that in the more than 400 breach investigations undertaken by the U.S. Secret Service in 2014, "the Service found improper payment platform setup and system maintenance to be a common point of attack and compromise." And it's not just in the United States; it's a global problem, Orfei said.

Hacks can be devastating to small businesses. Among small businesses that are hacked, at least 60 percent are forced to go out of business as a result, Chuck Danner, Vice President of Integrated Payments at Vantiv Inc., noted in an interview.

Vantiv, through its Mercury Payment Systems and Element Payment Services units, has been working overtime to drive adoption of enhanced security protocols among integrators and resellers working with its merchants.

In the summer of 2015, the acquirer launched the Security Pays program, which provides resources to POS developers to accelerate security software integration with the Mercury platform. It also includes incentives for developers and dealers to build and sell secure solutions, including those that support end-to-end encryption, tokenization and Europay, MasterCard and Visa (EMV) technologies. More than 500 integrators and resellers that, together, work with "tens of thousands" of card-accepting businesses are enrolled in the program today, Danner said.

EMV not enough

Vantiv also offers education, training and financial assistance to clients, added Pam Galligan, the company's Vice President for Compliance and Industry Relations. "We know it's not easy for merchants," especially with the new requirement coming so soon after the October 2015 EMV compliance mandate, she stated during an interview.

In conjunction with imposing the new requirement that Level 4 merchants use only PCI Council certified QIRs, Visa said it was also expanding its Technology Innovation Program (TIP) to Level 4 merchants. Under TIP, businesses that secure at least 75 percent of card payments using EMV chip-reading terminals or PCI-validated end-to-end encryption techniques are exempt from otherwise mandatory PCI annual validation testing.

Of course, EMV is not a cure-all. "EMV only offers protection against the use of fraudulent cards," Danner noted. That's why PCI compliance still matters. PCI standards are intended to protect card and transaction data captured by merchants during payment transactions.

"Even as we move toward advanced technology platforms such as EMV chip, tokenization and point-to-point encryption, data security is foundational and must be part of any payment system," Sonia Sng, Senior Director of Data Security and Third Party Risk at Visa, said in a Vantiv press release when Vantiv launched its Security Pays program.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
