Today's payment compliance environment is growing to address the increase in security issues and the need for standardization to enable a global payments environment. For your small business, that means you need to stay on track with the evolving set of requirements set by card brands, including Visa, Mastercard, American Express and Discover. QIR qualification is one of the newest compliance additions put in place by Visa, and it impacts some businesses. Here's what's involved, who it impacts, and how your business can address it if it is affected by this payment compliance requirement for credit card processing.
QIR stands for Qualified Integrator & Reseller. It is a qualification program that helps all types of POS providers in the U.S. and Canada, including VARs and ISVs, by training them to install PA-DSS validated payment applications. Once trained, these POS providers receive a qualification showing they have completed enough training to be considered qualified to help merchants maintain their PCI compliance and avoid the data breaches of the recent past.
Since most of those breaches have been attributed to payment application and merchant network installation, it's important to get the best training possible and only work with a POS provider who can prove their QIR qualification.
Businesses Impacted by QIR Qualification
Businesses that are impacted by the need to get QIR qualification include every POS provider in the United States. They are obligated to help small business merchants implement and oversee the most secure point of sale (POS) environment. These complex POS systems are typically found in restaurants, larger retailers, and gas stations.
While your business may not be directly impacted in terms of having to become QIR qualified, you want to make sure that you select a POS provider that can show they have earned this qualification. Those that have not could be putting your business in a vulnerable position, attracting hackers who are intent on getting payment data. When a POS application is not installed properly, these hackers can exploit the gaps in security. You don't want to be responsible for one of those breaches because it will be costly in the form of fees, penalties, the loss of brand reputation, and a decrease in business.
In fact, Visa's data security program requires small businesses and merchants using third-party providers for POS application and terminal installation and integration to engage only IT professionals that have achieved Payment Card Industry Qualified Integrator and Reseller (PCI QIR) compliance.
To date, Visa has noted that they will not directly penalize anyone that has not complied with QIR qualification, but that there may be some type of assessment. While they might fine your business in the future, it is your processing partner company that could decide to penalize now if you are not compliant.
Current Exceptions to the New Requirements
Any business that does not have its terminals connected to the Internet or that does not use third parties for POS applications is excluded from the QIR requirement. Also excluded from this requirement are providers who sell plug-and-play terminals where there is no remote access included. Businesses that rely on mobile payment solutions also do not have to be concerned with the QIR requirement.
How to Ensure QIR Compliance
While the requirements took effect January 31, 2017 for all Level 4 merchants, not every merchant has complied. Now is the time to do so if you process fewer than 20,000 Visa or Mastercard e-commerce transactions annually, or if you are any other merchant that processes up to one million Visa or Mastercard transactions annually. When using third parties for POS application and terminal installation and integration, you can be compliant by only working with PCI-certified QIR professionals.
Be sure to have the name of the organization responsible for installing and servicing your POS system, including what they have done for you. If you don't see that they have QIR qualification, you will need to find a different POS provider to ensure you are complying with the new requirements.
You must also annually validate your PCI DSS compliance or participate in the Technology Innovation Program (TIP). Further requirements include that you must confirm that sensitive authentication data is not stored after a transaction is authorized. You must also make sure that over three-fourths of all transactions are done through enabled and operating EMV chip-reading terminals or some type of PCI SSC-validated P2PE solution.
If you are a POS provider, you will want to ensure that you are QIR qualified because Visa is requiring that merchants only use these qualified providers. Therefore, if you want to maintain your business or even gain more customers, you will want to get qualified as quickly as possible to leverage these benefits.
A Benefit, Not a Burden
While it may seem that any additional requirements are a burden to your small business, look at it a different way. With each of these requirements, there is a greater opportunity to protect your customers and business from a data breach. And, those data breaches would be much more costly and burdensome than these requirements. Think of it as staying one or two steps ahead of those hackers seeking to get to your transaction data from credit card processing.