QIR for Merchants

Qualified Integrators and Reality (QIR) FAQ for Merchants

For more information on your responsibility as a merchant, please download this document.

What is the Visa QIR Requirement?

Effective January 31, 2017, Visa is requiring merchants to use only Payment Card Industry (PCI) certified Qualified Integrators and Reseller (QIR) professionals for point-of-sale application terminal installation and integration. Using organizations that have completed the PCI SSC QIR training program helps improve payment security. They do this by ensuring that all payment applications and terminals are installed and integrated in a way that reduces payment data breaches, and promotes a merchant’s PCI DSS compliance.

Do these requirements apply to all merchants?

Currently, the VISA QIR Requirement is limited to merchants that fall into the following categories:

  • Small merchants processing fewer than 20,000 Visa e-Commerce transactions per year and all other merchants – regardless of acceptance channel – processing up to 1,000,000 Visa transactions per year (i.e. PCI DSS Level 4 merchants).
  • Merchants operating in the U.S. and Canada.
  • Merchants that have integrated POS applications and systems that are either installed, integrated, or monitored by a third-party.
Why is Visa establishing these requirements now?

Small merchants remain a target of hackers attempting to compromise payment data. Links have been identified between improperly installed POS applications, and merchant payment data environment breaches. Specifically, reports note security gaps in remote access services that integrators and resellers use to provide monitoring and software support. Visa is establishing these requirements now to ensure that small merchants are taking steps to secure their environment.

Where can I find a list of certified QIR’s?

The lists of certified QIRs is maintained directly by the PCI SSC.  You can access their list by clicking the following link:  https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_integrators_and_resellers

I reviewed the list and don’t see BluePay listed as a QIR. Is BluePay certified?

BluePay is categorized as a Service Provider and not a QIR. BluePay is required to comply with PCI DSS based upon our role of storing, transmitting and processing cardholder data. This is a comprehensive security standard and requires secure practices broader than what is required of QIR professionals.

I use a POS system in my business, but they are not on the QIR list. What do I do?

This depends upon who completed the integration. 

  • If someone within your business completed the integration, no action is needed. 
  • If the integration was done directly by the POS vendor (who is not a reseller), no action is needed.
  • If the POS system did not come direct from the vendor, but instead from a reseller, please contact the reseller to verify their QIR status.
  • If a completely separate third-party outside of your business, the POS vendor, and the reseller completed integration, please contact them directly to verify their QIR status.
Do I still need to complete PCI compliance if I am using a QIR?

Yes. The QIR Requirement specifically focuses on the integrators and resellers. Merchants must still complete the PCI Compliance process to ensure that other aspects of the business are adhering to the PCI DSS (Payment Card Industry Data Security Standards).

Am I going to be penalized if I am not using a QIR?

Currently, Visa has not publically confirmed proactive fines being issued to merchants. It is important to keep in mind that the right to fine a merchant in the event of a breach does still exist and it is possible that those fines will be impacted by whether or not a QIR was used by the merchant location.

This sounds very complicated, why should I care?

Currently, the liability of a breach falls on the merchant. Enforcing third-parties to certify as QIRs will help hold those third-parties accountable if a breach is determined to be caused by the installation or integration.

An Award-Winning Integrated payment Provider
  • Microsoft Gold Partner Badge
  • Susan G. Komen for the Cure Supporter
  • 2018 American Business Awards Gold Stevie® Winner Badge for Best Payment and Electronic Commerce Solution
  • 2018 CNP Awards Customer Choice Winner Badge for Best E-Commerce Platform/Gateway
  • 2017 TSG Gateway Awards Winner Badge for Best Onboarding Process
  • Best in Biz Awards 2018 Silver Winner Badge for Business Development Department of the Year
BluePay Processing, LLC is a registered ISO of Wells Fargo Bank, N.A., Concord, CA, 94524 U.S.A.
BluePay Canada ULC, is a Registered ISO/MSP of Peoples Trust Company, Vancouver, Canada.