The PCI Security Standards Council (PCI SSC) is planning to restructure the Qualified Integrator and Reseller (QIR) program based on industry feedback and data breach reports. The QIR program is evolving to specifically focus on combatting the most common causes of merchant payment data breaches: remote access vulnerabilities, weak password practices, and outdated and unpatched software. Gill Woodcock, PCI SSC Senior Director of Certification Programs, discusses the changes to the program.
First, can you provide a little background on the QIR program, why the PCI SSC developed it in the first place and the role QIRs play in helping secure payment data?
Gill Woodcock: The program was developed in 2012 as a response to industry feedback that poor installation and maintenance of payment systems was leading to merchant data breaches. This feedback pointed to common basic security failures during installation, such as neglecting to change default passwords, which could easily be prevented with proper training. The Qualified Integrators and Resellers (QIR) program provides guidelines, training and qualification for installers and resellers to improve payment data security and reduce merchant risk. QIRs are qualified by the PCI SSC to securely install payment applications on merchant payment systems.
Why is the PCI SSC making changes to the QIR program?
Gill Woodcock: Criminals will always seek out the lowest-hanging fruit. Breach headlines and industry feedback highlight that the majority of breaches are happening among smaller merchants because of security failures by installers during the setup and ongoing usage of remote access, such as using the same username and password information for all of their merchant customers. The QIR program is evolving to specifically focus on combatting the most common causes of merchant payment data breaches: remote access vulnerabilities, weak password practices, and outdated and unpatched software.
The changes being made to the program will help more people get involved and take the much-needed training. By simplifying the QIR program and focusing on critical controls we aim to increase the number of trained installers. We want to take risk off the table for merchants, particularly small and medium-sized merchants that are suffering the lion's share of breaches. The overall intent of the program remains the same: to improve payment data security and reduce merchant risk.
How is the QIR program changing?
Gill Woodcock: There will be two major shifts in the program. The first is to refocus the content of the training to address the most common causes of merchant payment data breaches that, if not implemented correctly, lead to the majority of payment data breaches: securing remote access, strong password practices and patching and updating software.
The second shift aims to increase the pool of QIRs available to merchants by simplifying the program. We know that many merchants rely on third parties to install payment systems and that improperly installed payment systems leave merchants vulnerable to cybercriminals. By making the training and certification more accessible, more integrators and resellers will adopt the program, which will expand the pool of trained experts to better secure payment card data. In addition to broadening the pool of qualified professionals, the revised program will also provide merchants the option to have a trained QIR on their staff.
Can you talk a little bit more about the three most common causes of merchant payment data breaches that the program will focus on?
Gill Woodcock: Happy to. I’d first like to mention that the Council has a library of resources on these vulnerabilities which can be accessed through our merchant site and on our blog:
- More Information on Remote Access Security
- More Information on Secure Password Practices
- More Information on Patching and Updating Software
Remote access is one of the most common attack methods used by criminal hackers and is often used in combination with other attacks such as malware. For example, remote access may be used to get into a merchant’s payment system (by using a commonly known vendor default password like “password” or “123456”). Once in, the hackers place malware on a merchant system which may be used to capture data. Merchants may not even know that remote access software is present or when the remote access is being used, especially if that remote access is left permanently switched on and not monitored. QIRs will be trained to help merchants understand and address the risks of remote access.
The second area is weak password practices. Industry reports show that 81% of hacking-related breaches leveraged either stolen and/or weak passwords. Computer equipment and software out-of-the-box (including payment terminals) often come with default or preset passwords such as “password” or “admin”, which are commonly known by criminals. QIRs will check that all payment application default passwords are changed and make their customers aware of the need to change other default passwords.
The final critical security control that QIRs will address is outdated and unpatched software. Often, software has flaws or mistakes, also known as bugs or vulnerabilities. Cybercriminals exploit these mistakes to break into a merchant’s computers and steal payment data. Software vendors provide security updates called “patches” to fix these coding errors, which need to be installed in a timely manner for maximum effectiveness. QIRs will ensure the latest security patches and updates have been applied and that the merchant is aware of the need to keep systems updated.
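As an added illustration (not code from the PCI SSC or the QIR program), the following script applies the three controls described above to a constructed inventory of payment systems: remote access left permanently on or unmonitored, default or weak admin passwords, and software behind the vendor's current release. The record fields, the version comparison and the eight-character password threshold are assumptions made for the example.

```python
# Added example, not PCI SSC code: a post-installation check modelled on the
# three QIR focus areas (remote access, default passwords, unpatched software).
# Inventory records below are constructed for illustration.
from dataclasses import dataclass

# Defaults quoted on the page plus an empty password; a real check would use
# the vendor's documented defaults for the specific payment application.
COMMON_DEFAULT_PASSWORDS = {"password", "123456", "admin", ""}

@dataclass
class PaymentSystem:
    name: str
    admin_password: str
    remote_access_enabled: bool
    remote_access_always_on: bool      # left permanently switched on?
    remote_access_monitored: bool      # sessions logged and reviewed?
    installed_version: str
    vendor_current_version: str        # latest patched release from the vendor

def parse_version(v: str) -> tuple:
    """Assumed dotted-integer versions, e.g. '3.1.4' -> (3, 1, 4)."""
    return tuple(int(p) for p in v.split("."))

def check_system(s: PaymentSystem) -> list:
    """Return a list of findings; an empty list means all three controls hold."""
    findings = []
    # Control 1: remote access must not be permanently on, and must be monitored.
    if s.remote_access_enabled:
        if s.remote_access_always_on:
            findings.append("remote access is permanently enabled; enable only when needed")
        if not s.remote_access_monitored:
            findings.append("remote access sessions are not logged or monitored")
    # Control 2: vendor default or trivially guessable passwords must be changed.
    if s.admin_password.lower() in COMMON_DEFAULT_PASSWORDS or len(s.admin_password) < 8:
        findings.append("admin password is a known default or too short; change it")
    # Control 3: installed software must match the vendor's current patched version.
    if parse_version(s.installed_version) < parse_version(s.vendor_current_version):
        findings.append(f"software {s.installed_version} is behind vendor release {s.vendor_current_version}")
    return findings

def audit(systems) -> dict:
    """Map each system name to its findings."""
    return {s.name: check_system(s) for s in systems}

# Constructed sample inventory: one failing install, one that passes.
SAMPLE = [
    PaymentSystem("POS-front", "123456", True, True, False, "3.1.0", "3.1.4"),
    PaymentSystem("POS-back", "Kx9#wq2Lr7", True, False, True, "3.1.4", "3.1.4"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```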
How will the revised program benefit the payment industry?
Gill Woodcock: The changes are intended to provide information and resources that make it easier for merchant partners to address critical vulnerabilities that are causing data breaches. Merchants can have confidence that QIRs will be specially trained in the areas of payment data security essentials which lead to the largest number of data breaches.
In today’s payment environment, third-party security accountability continues to be important as businesses rely more and more on outsourcing of services and software. Having employee training is the third most effective factor in reducing costs of a data breach according to the 2017 Ponemon Cost of Data Breach Study. More payment security awareness across the payment chain will ultimately positively impact merchant payment security.
When will these program changes take place?
Gill Woodcock: The Council is aiming to launch these program changes in Q1 2018. We will continue to provide information on this initiative as it develops.