Dara Security

Visa’s QIR Mandate: Are You Certified?

January 04, 2017

Effective January 31, 2017, Visa will officially require merchant acquirers to ensure that their Level 4 merchants use only PCI QIR (Qualified Integrator and Reseller) professionals for POS application and terminal installation and integration. The purpose of the QIR mandate is to shore up payment security, specifically to address the weak remote-access practices around payment systems that have been the root cause of many breaches affecting smaller merchants.

Visa defines the Level 4 merchant category as businesses that process fewer than 20,000 Visa e-commerce transactions per year, or any other merchant that processes up to 1 million Visa transactions per year regardless of channel. For quite some time, communications about the QIR mandate have been directed at Level 4 merchants, from industry news articles to Visa-issued bulletins. In fact, Visa sent out an update last year setting an intermediate deadline of March 2016 for acquirers to communicate the QIR mandate to their Level 4 merchants.

Although awareness of the QIR mandate has spread, fewer integrators than expected have completed the training and testing required to be listed as a certified QIR on the PCI Council's website. Digital Transactions reports that the PCI Council estimates only about 300 companies are on the approved list of QIRs.

Many acquirers exempt merchants from the mandate on the grounds that they are low risk, typically because they use single-purpose terminals with no Internet connectivity. Other merchants fall outside QIR coverage because they do not employ a third party for POS application or terminal installation, integration, or maintenance. If the merchant does the deployment itself, or the software vendor does the deployment, the merchant does not need to use a QIR.

Among the integrators who are covered by the mandate, many are reluctant to pay for training and certification to keep doing a job they have been doing for years. Others have diligently pursued the training, only to have to retake the exam, which has a reputation for being difficult and user-unfriendly.

Yet another reason for eligible third parties to overlook QIR certification is Visa's recent acknowledgment that it will not enforce the QIR requirement proactively, but only in the event of a breach. Understandably, many took this to mean that QIR certification is effectively optional, and many who were already on the road to certification lost the motivation to see the process through.

The QIR mandate's deadline is fast approaching, yet many integrators have ignored this phase of breach prevention. Despite the obstacles to certification and a less-than-encouraging enforcement plan, third-party integrators would do well to pursue QIR certification. Data breaches are becoming more common, and any defensive measure an individual can contribute benefits the entire payment security community.