The Visa mandate for small businesses to only use QIR qualified companies or individuals to implement and service their point of sale payment solution goes into effect on January 31, 2017. Most Independent Software Vendors (ISVs) and POS dealers are not prepared to meet this requirement. Understanding the nuanced details of the QIR mandate is a must for any POS ISV or POS dealer looking to remain competitive in the marketplace. Read on to learn more.
By now most ISVs and POS dealers have heard about Visa’s QIR mandate. Much of the communication has been disseminated by important industry trade groups like the Retail Service Providers Association (RSPA) or by payment processors, who are largely responsible for enforcing the mandate on merchants and, by proxy, on the POS dealers merchants work with. In fact, one entrenched payment processor went so far as to make the QIR mandate a chief component of its value proposition to its POS dealer network by offering to pay for the dealer to enroll in the QIR program, which includes a self-study course and a proctored exam.
What is QIR qualification?
QIR qualification allows a POS dealer to demonstrate proficiency with the Payment Card Industry Security Standards Council (PCI SSC) Qualified Integrator and Reseller program. According to the PCI SSC’s website, the QIR program outlines “guiding principles and procedures for the secure installation and maintenance of validated payment applications in a manner that supports PCI DSS compliance.” In other words, QIR qualification is designed to ensure those individuals and companies who install, support and maintain payment applications are sufficiently educated to do so in a manner that abides by the payment application’s PA-DSS Implementation Guide and does not introduce vulnerabilities to the cardholder data environment.
What payment solutions are covered by the QIR program and why is Visa mandating it?
This is where it starts to get a little tricky, and it’s important to pay attention to the details. Notice how the PCI SSC describes the QIR program by saying “secure installation and maintenance of validated payment applications”. A validated payment application is a payment application that has been reviewed by a PCI SSC Qualified Security Assessor (QSA) and found to be compliant with the Payment Application Data Security Standard (PA-DSS). The Payment Card Industry Data Security Standard (PCI DSS) requires third-party applications that process, store or transmit sensitive cardholder data to be PA-DSS validated. So in order for a merchant that uses a third-party payment application handling sensitive cardholder data to be compliant with the PCI DSS, the payment application they use has to be PA-DSS validated. The reason is that an application that processes, stores or transmits sensitive cardholder data, together with the endpoint it resides on, is highly sensitive and, if compromised, could lead to a cardholder data breach.
A major part of PA-DSS validation involves publishing a PA-DSS Implementation Guide, which describes how the payment application affects an end user’s PCI DSS compliance status and what best practices should be followed to implement the application in a manner consistent with the PCI DSS. Unfortunately, time and again the best practices found in the implementation guide are not followed by the POS dealer or by the end users themselves, which introduces (or leaves) vulnerabilities in the merchant’s cardholder data environment and results in a high incidence of cardholder data breaches at merchants who use PA-DSS validated payment applications. Visa realized that it was not enough to mandate the use of validated payment applications and that it also needed to require the proper implementation of validated payment applications, which is what the QIR program is all about.
Here’s what ISVs and POS dealers need to understand.
Visa’s QIR mandate only impacts the installation and maintenance of validated payment applications. In today’s marketplace, payment integration technology exists that completely removes the traditional payment application from the cardholder data environment and instead isolates sensitive cardholder data to purpose-built payment devices, which transmit that data directly to upstream payment processors. These purpose-built payment devices fall outside the scope of PA-DSS because of their inherently small attack surfaces and the almost nonexistent incidence of cardholder data breaches among their end users. As a result, ISVs who use these devices as part of their payment integration solution, and POS dealers who sell systems that integrate with these devices, don’t have to worry about QIR qualification, because the payment integration solution they’re selling eliminates the reason QIR qualification was necessary in the first place.
So why would an ISV ever integrate with a solution that requires QIR qualification and why would a POS dealer ever sell such a solution?
First, there is an asymmetric flow of information in the marketplace: payment processors know a lot more about the nuanced details and context of the QIR mandate than ISVs and POS dealers do. Recall from the beginning of the article the entrenched payment processor that made the QIR mandate a chief component of its value proposition. That’s because a large portion of this particular processor’s ISV and POS dealer relationships rely on the use of validated payment applications that handle sensitive cardholder data. The advent of better payment integration technology and methodology stands to uproot this processor’s existing and very lucrative ISV and POS dealer relationship channel, and since the processor was unprepared to embrace the better way of doing things, its best option was to promote the existing way of doing things while subsidizing the QIR qualification mandate for its partners. In doing so, it reinforces the asymmetrical flow of information surrounding the QIR program and does not educate its partners on the important information found in this article. As ISVs and POS dealers become more educated on this topic, they will align their POS solutions with the payment technology that upholds their own best interest, which may not coincide with the best interest of their incumbent processing partners.
Second, and equally important, relying on purpose-built payment devices alone as a comprehensive payment integration solution leaves several functionality gaps not otherwise found with traditional payment applications. On the other hand, using these devices as part of a best-in-class payment integration solution that combines tokenization, real-time online reporting and value-added services such as device estate management, online signature capture, pay-at-the-table, customer engagement and ongoing support can far exceed the functionality found in a traditional payment application. This type of best-in-class payment integration solution is becoming more readily identifiable in the marketplace and will eventually supplant reliance on validated payment applications altogether.
About Payment Logistics®
Payment Logistics is a QIR qualified payment technology company and merchant acquirer. Our PCI DSS Level 1 validated Paygistix® platform offers best-in-class payment integration solutions for the restaurant, hospitality and retail merchant segments. ISVs and POS dealers work with us to power their integrated payments strategy while adding value to their distribution channel partners and end users. Our payment integration solutions eliminate PA-DSS compliance scope for ISVs, minimize PCI DSS compliance scope for end users, eliminate the QIR program burden for POS dealers and provide support for critical emerging payment technologies such as EMV, NFC, online signature capture, pay-at-the-table, real-time online transaction reporting and other value-added features and capabilities.