Guest Column | June 23, 2016

PCI QIR Q&A With Visa

Visa Developer

Much of the talk around the proverbial POS Industry “water cooler” has been around the now more than six-month-old announcement about the new Visa requirement for all Level 4 merchants. As a refresher: the card brand is requiring that merchants in this tier must use only PCI QIR professionals for POS application and terminal installation and integration. This requirement will go into effect in January 2017. It marks Visa’s effort, in their words, to establish requirements “for acquirers to ensure their small merchants are taking steps to secure their payment environment.”

The Visa requirements not only hold Tier 4 merchants responsible for the security of their payment environments, but place additional responsibility on acquirers and VARs. It’s those additional responsibilities on VARs, in particular, that have many RSPA members losing sleep. Achieving the QIR certification takes additional time, dollars, and effort, resources that resellers of a certain size—especially those who serve Tier 4 merchants—cannot spare very easily.

RSPA has received many questions from members about the impact of Visa’s requirements—including questions that go beyond the answers outlined in Visa’s bulletin on the subject (originally published in October 2015, and updated in January 2016). Recently, we took some of the questions we’ve received directly to the source, Visa.

How will this [mandate] affect remote installs?

If we stage a POS system, then ship it to the site and have the customer unbox and plug in the terminals, are we operating under the QIR guidelines?

Visa: The QIR certification is a training to ensure that companies are using secure practices when managing the merchant’s POS environment. If the integrator in this instance does not have access to the POS after it is shipped, then they are not required to go through the training.

Or does a QIR Certified technician have to be on site to do the complete install, including unboxing and plugging in the system?

Visa: QIR does not require integrators to be onsite or to perform any specific function for a merchant. The program trains those companies that do this kind of work to do it in a secure manner that facilitates the merchant’s compliance with PCI DSS.

If a VAR installs but the customer does the day-to-day support, how does that affect the Visa/QIR requirement? How much of that responsibility falls to the VAR?

Visa: The QIR certification is a training to ensure that companies are using secure practices when managing the merchant’s POS environment. If the integrator in this instance does not have access to the POS after it is shipped, then they are not required to go through the training.

In a scenario where a QIR company does the install but another provider that is not QIR certified does the day-to-day remote support, how would that be handled?

Visa: The second provider should also go through the QIR certification.

What would the repercussions be if the QIR guidelines were not adhered to? Are there any standard fines or procedures?

Visa: Visa mandates that merchants use QIRs, if applicable, effective January 31, 2017. In the event of a compromise linked to a merchant’s non-compliance with Visa requirements, acquirers may be subject to non-compliance assessments.

Is Visa or the PCI council going to monitor for sites that are installed/serviced by non-QIR Certified technicians? Or does an unfavorable event such as a breach or something of that nature have to occur before anyone will notice?

Visa: The QIR certification is a training to ensure that companies are using secure practices when managing the merchant’s POS environment. If the integrator in this instance does not have access to the POS after it is shipped, then they are not required to go through the training.

For a Merchant to be PCI DSS compliant, does the POS System have to be installed by a QIR Certified Technician?

Visa: No.

In Canada, the processors do the service and replacement of pin pads, without (or limited) intervention from the VAR?

Visa: Any organization that is performing functions of an integrator should go through the QIR certification.

How much of that responsibility falls to the acquirers/processor?

Visa: Acquirers are responsible to ensure their merchants comply with Visa requirements. Any organization that is performing functions of an integrator should go through the QIR certification.

How much of that responsibility falls to the VAR?

Visa: Acquirers are responsible to ensure their merchants comply with Visa requirements. Any organization that is performing functions of an integrator should go through the QIR certification.

Does the QIR VAR need to be on site to have the processor replace the pin pad?

Visa: The QIR certification does not define when an organization has to perform any function. Regardless of business model, the QIR certification is a training to ensure that companies are using secure practices when managing the merchant’s POS environment. It applies to any organization performing the functions of an integrator.