The processing world will change in January 2017. Businesses considered “Level 4” must comply with new Visa data security regulations, including the use of Qualified Integrators and Resellers (QIRs) for installing equipment and validating PCI compliance yearly. But as Digital Transactions notes, there’s still confusion about who must be certified, and what the new requirements actually are. Here’s what you need to know.
This article focuses on the new QIR requirements. For details about PCI compliance and validation, including Visa’s Technology Innovation Program (TIP) validation exceptions, please visit: PCI Compliance is Required.
- Visa’s Notification
- Who does this affect?
- Why are QIRs required?
- Finding Qualified QIRs
- Non-Compliance Penalties
- What to Do
Visa’s Notification
You’ve likely received a notice similar to this: “In a broader effort to mitigate small merchant breaches, Visa has established new data security requirements for U.S. and Canadian merchants. Effective January 31, 2017, merchants processing less than 1 million annual Visa transactions and using third parties for POS application, terminal installation and integration must engage Payment Card Industry (PCI) Qualified Integrator Reseller (QIR) professionals. POS systems requiring a third party to install are typically complex systems used in restaurants, gas stations and multi-lane retailers. This requirement does not apply to standalone devices such as those sold and maintained by X Company.”
Who does this affect?
The QIR requirements affect Level 4 Merchants. What is a Level 4 Merchant? Visa defines Level 4 Merchants as merchants that process fewer than 1 million Visa transactions in-person or 20,000 ecommerce Visa transactions per year. According to Digital Transactions, 90% of card-accepting businesses in the US are Level 4 Merchants.
If you’re a Level 4 Merchant and use a POS provider to install your system or provide remote tech support, that company must be QIR certified.
Note that if your POS system is installed and maintained by your payment processor, you may not need to do anything differently. Contact your processor to confirm.
Visa considers businesses using terminals that aren’t connected to the internet to be low risk, so they are excluded from the new requirements. Businesses that don’t use third parties for POS applications or terminal installations, maintenance, or integration do not have to use a QIR.
While any service provider who configures a terminal and supports it remotely after installation must qualify as a QIR, that is not the case for providers who simply sell “plug and play” terminals that do not allow remote access. The requirement also does not cover businesses that use only mobile or cell phone payment solutions.
Acquirers (who are already subject to stringent PCI requirements) may also be exempt from QIR certification requirements.
Why are QIRs required?
Data breaches and security gaps are extremely common among small businesses. While hacks that occur at large retailers (like the Target and Home Depot breaches) make headlines, Visa maintains that 93% of breaches actually occur in small operations. Of that number, 80% are said to be associated with “insecure POS implementation and servicing by integrators and resellers.”
These businesses usually depend on third-party tech vendors who include payments as part of the POS installation. From now on, these third parties must be QIR certified to ensure installations and integrations are handled properly to help reduce the risk of payment data breaches.
Scammers don’t care about the size of the business – they care how easy it is to get access to the information they want. Visa states that investigators discovered a link between security data breaches and POS applications that are not correctly installed.
Finding Qualified QIRs
Level 4 merchants can check whether an integrator or reseller is QIR-certified online. When you work with a QIR-certified vendor, you’ll receive a QIR Implementation Statement, which verifies that the installation and application are PCI compliant. This statement is sent to you within ten business days of installation.
Currently, there are fewer than 250 vendors certified to perform installations as part of the QIR program. Visa expects the numbers to grow rapidly, but it is unclear how many will qualify by the January deadline. If you want to stay with your current POS provider, ask them when they expect to receive QIR certification.
Visa states that third-party POS/terminal installers and services include, “Vendors involved in the implementation, configurations, support, and/or maintenance of POS applications on behalf of merchants or service providers.” That includes those, “Configuring and/or installing POS software or payment applications or terminals for merchants” and, “Supporting or servicing POS software or payment applications for merchants – including accessing these systems remotely for troubleshooting, delivering system updates, or offsite support.”
Visa clarifies that vendors who aren’t subject to PCI QIR certification include:
- Ancillary applications (such as inventory management systems)
- Vendors providing a plug-and-play device that will not remotely access the POS
While acquirers aren’t required to be QIR certified as they are already subject to stringent PCI requirements, Visa does suggest that acquirers become QIR certified as a best practice.
Non-Compliance Penalties
Visa is clear that it won’t directly penalize businesses that are non-compliant. In this screenshot from the QIR information sheet, the company addresses penalties by stating, “In the event of a compromise linked to a merchant’s non-compliance with Visa requirements, acquirers may be subject to non-compliance assessments.”
That means that if your business has some type of security breach and you’re found to be non-compliant with Visa requirements, Visa may impose penalties and costs on your processing company. However, it does not necessarily prohibit your processing company from fining you. Processors aren’t trying to lose money, so if they get a fine from Visa because of your non-compliance, they may be able to fine you in turn to recoup their costs.
Just because you won’t be penalized directly by Visa doesn’t mean that you can’t be penalized by your processor.
Small businesses likely view the new Visa requirements as a burden, but there’s another way to look at it. You are improving your systems and utilizing security that protects your business and your customers. These short-term difficulties should prove beneficial in the long run, as they’ll help shield you from costly security breaches.
For integrators or resellers, becoming certified is now a necessity, as not having a QIR certification is detrimental to future business opportunities.
What to Do
- Work with your payment processor to ensure that you only use QIR-certified vendors when dealing with your POS system. This includes installing a new system and updating existing systems, including software updates and other support.
- Know whom to contact.
Write down the name and number of your credit card processing company and the POS company that provides equipment support, if applicable. Only talk with those companies about your POS system.
You may see questions about QIR compliance as part of your PCI self-assessment questionnaire (SAQ). If you choose your processor through CardFellow, we can help you connect with the right people. If you’re looking for a service or provider that meets the new requirements, try our free quote request tool to get pricing from processors.
Even if the QIR requirements don’t apply to you, PCI compliance and validation will. All businesses must be PCI compliant, and as of January 31, 2017, all businesses will need to verify compliance or participate in an exemption program, like Visa’s TIP. For more information on PCI validation requirements, see PCI Compliance is Required.
Thank you to the following companies for assisting with this article: