The Green Sheet Online Edition
February 08, 2016 • Issue 16:02:01
Visa says Level 4 merchants must use PCI-accredited QIRs
Visa Inc. is ratcheting up the focus on POS data security. Beginning in January 2017, small (Level 4) merchants may use only integrators and resellers that have been certified by the PCI Security Standards Council (PCI SSC) for POS application and device implementation and installation, Visa stated. Acquirers must convey the new requirement to their small business clients no later than March 31, 2016, Visa said in a bulletin released in December 2015.
The new Qualified Integrator and Reseller (QIR) certification is a three-year, renewable credential awarded by the PCI SSC. It's an assurance that these third-party service providers can meet the Payment Card Industry (PCI) Data Security Standard (DSS) and related security standards managed by the council. A list of certified QIRs can be found on Visa's web site.
Visa first set a March 31, 2016, deadline for Level 4 businesses to use only certified QIRs, but moved the deadline out to January 2017 in the December bulletin updating its Small Merchant Security Program Requirements.
Troubling breach stats for Level 4
In a post to Visa's blog, Eduardo Perez, Senior Vice President for Payments System Risk at Visa, said the move was prompted by analysis indicating that 95 percent of data breaches investigated by Visa in 2015 involved small and midsize businesses and that these businesses are more likely to use resellers and integrators than larger businesses. "Visa has found that cyber criminals are exploiting basic vulnerabilities in these vendors' remote access controls in order to gain access to a merchant's systems and install malicious code," Perez wrote.
PCI SSC General Manager Stephen Orfei noted that in the more than 400 breach investigations undertaken by the U.S. Secret Service in 2014, "the Service found improper payment platform setup and system maintenance to be a common point of attack and compromise." And it's not just in the United States; it's a global problem, Orfei said.
Hacks can be devastating to small businesses. Among small businesses that are hacked, at least 60 percent are forced to go out of business as a result, Chuck Danner, Vice President of Integrated Payments at Vantiv Inc., noted in an interview.
Vantiv, through its Mercury Payment Systems and Element Payment Services units, has been working overtime to drive adoption of enhanced security protocols among integrators and resellers working with its merchants.
The acquirer launched the Security Pays program in the summer of 2015. The program provides resources to POS developers to accelerate security software integration with the Mercury platform. It also includes incentives for developers and dealers to build and sell secure solutions, including those that support end-to-end encryption, tokenization and Europay, MasterCard and Visa (EMV) technologies. More than 500 integrators and resellers that, together, work with "tens of thousands" of card-accepting businesses are enrolled in the program today, Danner said.
EMV not enough
Vantiv also offers education, training and financial assistance to clients, added Pam Galligan, the company's Vice President for Compliance and Industry Relations. "We know it's not easy for merchants," especially with the new requirement coming so soon after the October 2015 EMV compliance mandate, she stated during an interview.
In conjunction with imposing the new requirement that Level 4 merchants use only PCI Council certified QIRs, Visa said it was also expanding its Technology Innovation Program (TIP) to Level 4 merchants. Under TIP, businesses that secure at least 75 percent of card payments using EMV chip-reading terminals or PCI-validated end-to-end encryption techniques are exempt from otherwise mandatory PCI annual validation testing.
Of course, EMV is not a cure-all. "EMV only offers protection against the use of fraudulent cards," Danner noted. That's why PCI compliance still matters. PCI standards are intended to protect card and transaction data captured by merchants during payment transactions.
"Even as we move toward advanced technology platforms such as EMV chip, tokenization and point-to-point encryption, data security is foundational and must be part of any payment system," Sonia Sng, Senior Director of Data Security and Third Party Risk at Visa, said in a Vantiv press release when Vantiv launched its Security Pays program.