QIR for Merchants
Qualified Integrators and Resellers (QIR) FAQ for Merchants
For more information on your responsibility as a merchant, please download this document.
Effective January 31, 2017, Visa is requiring merchants to use only Payment Card Industry (PCI) certified Qualified Integrators and Resellers (QIR) professionals for point-of-sale application terminal installation and integration. Using organizations that have completed the PCI SSC QIR training program helps improve payment security. They do this by ensuring that all payment applications and terminals are installed and integrated in a way that reduces payment data breaches and promotes a merchant’s PCI DSS compliance.
Currently, the Visa QIR Requirement is limited to merchants that fall into the following categories:
- Small merchants processing fewer than 20,000 Visa e-Commerce transactions per year and all other merchants – regardless of acceptance channel – processing up to 1,000,000 Visa transactions per year (i.e. PCI DSS Level 4 merchants).
- Merchants operating in the U.S. and Canada.
- Merchants that have integrated POS applications and systems that are either installed, integrated, or monitored by a third party.
Small merchants remain a target of hackers attempting to compromise payment data. Links have been identified between improperly installed POS applications and breaches of merchant payment data environments. Specifically, reports note security gaps in remote access services that integrators and resellers use to provide monitoring and software support. Visa is establishing these requirements now to ensure that small merchants are taking steps to secure their environment.
The list of certified QIRs is maintained directly by the PCI SSC. You can access their list by clicking the following link: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_integrators_and_resellers
BluePay is categorized as a Service Provider and not a QIR. BluePay is required to comply with PCI DSS based upon our role of storing, transmitting and processing cardholder data. This is a comprehensive security standard and requires secure practices broader than what is required of QIR professionals.
This depends upon who completed the integration.
- If someone within your business completed the integration, no action is needed.
- If the integration was done directly by the POS vendor (who is not a reseller), no action is needed.
- If the POS system did not come directly from the vendor, but instead from a reseller, please contact the reseller to verify their QIR status.
- If a completely separate third party (someone other than your business, the POS vendor, or the reseller) completed the integration, please contact them directly to verify their QIR status.
Yes. The QIR Requirement specifically focuses on the integrators and resellers. Merchants must still complete the PCI Compliance process to ensure that other aspects of the business are adhering to the PCI DSS (Payment Card Industry Data Security Standards).
Currently, Visa has not publicly confirmed proactive fines being issued to merchants. It is important to keep in mind that the right to fine a merchant in the event of a breach does still exist, and it is possible that those fines will be impacted by whether or not a QIR was used by the merchant location.
Currently, the liability for a breach falls on the merchant. Requiring third parties to certify as QIRs will help hold those third parties accountable if a breach is determined to be caused by the installation or integration.