January 31, 2017 marks changes to security requirements for small businesses. Specifically, you’ll need to validate PCI compliance and ensure that you’re only using qualified companies (QIRs) to install and provide tech support for your POS system. Not meeting the requirements has many possible repercussions. In addition to opening your business up to security breaches and hacks, you could be fined by your processor or lose your merchant account.
Let’s look at what the requirements are, and how you can become and stay compliant.
When it comes to credit card security, a dizzying list of acronyms like PCI, QSA, and QIR have even the most savvy business owners confused about what they need to do. You’ll see several acronyms when it comes to payment security. Here are the most common.
PCI or PCI-DSS: Short for “Payment Card Industry” or more fully, “Payment Card Industry Data Security Standard,” PCI refers to security guidelines for businesses that accept credit cards. The guidelines help minimize the risk of data breaches and protect cardholders. Additionally, the card brands and security councils require businesses to be “PCI compliant” or they can face fines or account closures.
PCI SSA: The Payment Card Industry Security Standards Council (PCI SSA) is responsible for creating security standards and for certifying the assessors who verify that businesses are PCI compliant.
QSA: Short for “Qualified Security Assessor,” QSAs are authorized by the PCI SSA to validate PCI compliance. Qualified employees must not only adhere to and satisfy all QSA requirements, but must continue to do so via requalification testing every three years.
SAQ: This stands for “self-assessment questionnaire” and verifies that your business is PCI compliant.
QIR: Short for “Qualified Integrators/Resellers,” QIR is a certification for companies that install POS systems and provide technical support for those systems.
Level 4 Merchants
According to Visa guidelines, a “Level 4 Merchant” is a business that processes fewer than 20,000 ecommerce Visa transactions per year or fewer than 1 million in-person Visa transactions per year. In fact, many of the businesses currently operating in the United States are Level 4 merchants.
New Visa QIR and PCI Validation Requirements
Visa is behind the new requirements regarding PCI validation and QIRs. As of January 31st, all businesses that are considered “Level 4” must do two things:
- Validate PCI compliance (or participate in the Technology Innovation Program)
- Use QIR-certified integrators and resellers for POS equipment installation
Previously, while Visa required Level 4 merchants to comply with PCI standards, they did not require using Qualified Security Assessors (QSAs) or validating compliance. Now, Visa will require validation. However, Visa does offer an exemption to proving compliance – the Technology Innovation Program (TIP.) With TIP, if you meet certain requirements and Visa approves your application, you will not have to validate your compliance. You still need to meet PCI requirements, Visa just won’t require you to validate it.
Your processor may also have their own requirements for PCI validation.
This is a completely new requirement from Visa. The credit card company states that a large number of data and security breaches occur at small businesses and are often a result of improperly installed or maintained POS systems. In an effort to fix that, Visa will now require businesses to use certified companies for installing and maintaining POS systems.
Requirements in Detail
Both of these topics are complex, so we’ve divided the information into smaller sections.
For information on validating PCI compliance, QSAs, or the TIP program, visit: Understanding PCI – Compliance is Required
For information on QIR-certified resellers, visit: Qualified Integrator and Reseller (QIR) Requirements
Remember, all businesses must comply with PCI security standards. Only businesses that use third parties for POS system installation or support will need to use QIRs.