What are Qualified Integrators and Resellers (QIR)?

A Qualified Integrator and Reseller (QIR) is an organization qualified by the PCI Security Standards Council (PCI SSC) to implement, configure and/or support. Payment Application Data Security Standard (PA DSS) validated Payment Applications on behalf of merchants and service providers. The quality, reliability and consistency of a QIR’s work provide confidence that the application has been implemented in a manner that supports the merchant’s Payment Card Industry Data Security Standard (PCI DSS) compliance.

What is the Visa QIR program?

Visa is requiring acquirers in Canada and the United States to validate that small merchants and merchant agents use POS integrators and resellers selected from the listing of approved Qualified Integrators and Resellers published on the PCI SSC website (Visa mandate).

Who is impacted?

At this time, Visa has limited the QIR program requirements to those acquirers operating in Canada and the United States.

  • Small merchants (i.e., PCI DSS Level 4 merchants) are impacted by the Visa mandate. These merchants are considered to be any entity that processes less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions, regardless of the payment acceptance channel.
  • Additionally, a QIR is not required if a merchant does not use a third party for POS application or terminal installation, and/or integration or maintenance.

What are the Visa QIR acquirer mandates?

This Visa mandate calls for the eventual use of QIRs by all Level 4 merchants whenever integrated POS applications and terminals are installed and integrated by a third party.

MARCH 31, 2016 All North American acquirers must communicate to all level 4 merchants the requirement to use certified Qualified Integrator and Resellers (QIR) from the listing of QIR companies on PCI SSC website for all integrated POS application and terminal installations, where installation is performed by a third-party.

JANUARY 31, 2017 All North American acquirers must ensure that all Level 4 merchants use a certified QIR from the QIR listing for servicing POS applications and Terminals.

Why is Visa establishing these requirements now?

PCI Forensic Investigators (PFIs) have identified links between improperly installed POS applications and merchant payment data environment compromises. Specifically, small merchants remain to be targeted by hackers attempting to access cardholder data via security protocol gaps in remote–access services used by integrators and resellers to facilitate monitoring and software support.

Remote access solutions (e.g., LogMeIn, PCAnywhere, VNC, and Microsoft Remote Desktop) are commonly used to provide remote management and support for retailers. Used correctly, remote management applications are an efficient and cost effective method of providing technical support among large numbers of merchants. However, if exploited, they have the potential to expose payment card data and other sensitive information to cybercriminals. Insecurely deployed remote access applications create a conduit for cybercriminals to log in, establish additional “back doors” by installing malware, oftentimes with the capability to record keystrokes, capture audio and video from the affected computer and steal payment card track data. The risk of data compromise is increased when remote access applications are configured in a manner that does not comply with the PCI DSS.