QIR for Partners
Qualified Integrators and Resellers (QIR) FAQ for Partners
Effective January 31, 2017, Visa is requiring merchants to use only Payment Card Industry (PCI) certified Qualified Integrators and Resellers (QIR) professionals for point-of-sale application terminal installation and integration. Using organizations that have completed the PCI SSC QIR training program helps improve payment security by ensuring that all payment applications and terminals are installed and integrated in a way that reduces payment data breaches and promotes a merchant’s PCI DSS compliance.
Currently, the Visa QIR requirement is limited to merchants that fall into the following categories:
- Small merchants processing fewer than 20,000 Visa e-Commerce transactions per year and all other merchants – regardless of acceptance channel – processing up to 1,000,000 Visa transactions per year (i.e. PCI DSS Level 4 merchants).
- Merchants operating in the U.S. and Canada.
- Merchants that have integrated POS applications and systems that are either installed, integrated, or monitored by a third party.
Small merchants remain a target of hackers attempting to compromise payment data. Links have been identified between improperly installed POS applications and breaches of merchant payment data environments. Specifically, reports note security gaps in remote access services that integrators and resellers use to provide monitoring and software support. Visa is establishing these requirements now to ensure that small merchants are taking steps to secure their environment.
It depends upon the scope of your business. Generally speaking, if you do not use a reseller or external third party to install your systems into a merchant environment, the QIR requirement would not apply to you. In the event your organization installs third-party software into a merchant environment, then you may be required to complete the QIR certification.
The PCI SSC manages the PCI QIR program. Detailed information about the course, including the training schedule, pricing, registration and qualification criteria, is listed at the link below: https://www.pcisecuritystandards.org/program_training_and_qualification/qualified_integrator_and_reseller_certification
The QIR Program is designed to educate, qualify, and train organizations involved in the implementation, configuration, support and/or maintenance of POS payment applications on behalf of merchants or service providers. The program focuses on ensuring that QIR companies install and configure payment applications into customer environments in a manner that supports PCI DSS compliance. The types of services offered that qualify a company for the QIR program include any of the following:
- Configuring and/or installing POS software, payment applications or terminals for merchants.
- Supporting or servicing POS software, payment applications or terminals for merchants – including accessing these systems remotely for troubleshooting, delivering system updates or offsite support.
Companies that support ancillary applications that are integrated into the POS systems but properly segmented from the payment processing operations are not subject to the requirement.
The QIR certification is the least intensive of all PCI certifications. The process to certify as a third party requires secure practices broader than what is required of QIR professionals only. As long as all integration and/or reseller activities are identified and covered in your PCI scope, separate QIR certification should not be necessary.