In 2012 it was reported that 76% of data breaches were a result of security vulnerabilities introduced by a third party responsible for system support, development and/or maintenance of business environments. Errors introduced during implementation, configuration and support of validated payment applications by third parties into merchant environments were identified as a significant risk to the security of cardholder data (source). To address this, the Council introduced the Qualified Integrator and Reseller program in 2012 which trains integrators and resellers in the guidelines and best practices on the secure installation and maintenance of validated payment applications. Proper installation of payment applications remains a priority in order to protect payment card data.
To further educate the marketplace on payment security practices, the PCI SSC has added a new training module to the Qualified Integrators and Resellers (QIR) program. This prerequisite training is available now and provides background on information security and other topics that prepare candidates for the QIR qualification training and for field work. In this blog post we talk with Director of Training Programs Gareth Bowker about the new training and the PCI SSC's plans for evolving the program to attract new cyber talent to the marketplace.
Can you provide a little background on the QIR program?
Gareth Bowker: Certainly! The QIR program was introduced in 2012, to give integrators and resellers a better understanding of the payment card ecosystem, to help them install, configure and maintain payment applications in a more secure manner. Since then, we’ve made a couple of tweaks to the program to allow sole providers to join the program, and we’ve worked closely with industry groups to understand their needs too. At last count, we had 370 QIR companies, and nearly 1,000 certified professionals, which is great, but there’s always more to do.
Why is the Council introducing this new module?
Gareth Bowker: The Council is always keen to respond to the feedback that we hear, and QIR is one where we get a lot of good feedback. We’ve also been watching the QIR exam results closely, to identify areas where people have difficulties. One such area is around information security. Often, people come into the program knowing the payment applications they install brilliantly; they know all the configuration options and what they do, and so on. But where they struggle is on the wider security front: the firewalls that their applications communicate through, and why those firewalls are important for their customers. So we decided to build a new module for the QIR training that talks about the importance of information security. We often hear small merchants (QIRs’ customers) asking why anyone would bother to attack them. It’s the wrong question – the right question is why wouldn’t a cybercriminal attack them? And that’s the starting point for the new module.
Who is this training for?
Gareth Bowker: All new QIRs entering the program after 1 June will receive the new training module. Anyone who’s already in the program will continue with their existing training. That said, if anyone would like access to the new materials, please let us know and we’ll happily transfer you to the new training!
What are the specific benefits for a QIR of taking this new QIR course – what can they do that they couldn’t do before?
Gareth Bowker: In terms of what QIRs can do, this new module doesn’t change anything. The QIR program remains exactly the same, so old and new QIRs can continue to install PA-DSS validated payment applications just as they do today. What the new module does is to give a better insight into the role the QIR plays, and the importance of this role, which we hope will help QIRs understand their responsibilities better. We hope this will give QIRs a better understanding of their role in the payment ecosystem, and enable them to ultimately serve their customers’ needs better and reduce the risk of a breach occurring.
How can merchants find a QIR company to help with the secure installation?
Gareth Bowker: The Council maintains a list of QIRs on its website, which you can find here. That said, if you’ve got a particular PA-DSS validated payment application in mind, you can also contact the software vendor to see if they have a QIR in your area.
What is next for the QIR program?
Gareth Bowker: We’re always looking at ways to improve our programs and training, and we listen closely to what the industry has to say. Right now, we’re working on a few improvements to the program that should surface later in the year, but it’s probably a bit too early to say more just now!
Learn more about becoming a QIR here: