The PCI SSC continually listens to feedback from the payment security community and adapts its standards and programs to meet its evolving needs. In response to that feedback, we are revising the approach to the Qualified Integrators and Resellers (QIR) program to better reduce merchant risk and address the industry's pain points around data breaches. The revised program focuses specifically on the leading causes of data breaches: insecure remote access, weak password practices, and outdated and unpatched software. Gill Woodcock, Senior Director of Certification Programs for the PCI Security Standards Council, discusses the changes to the program.
How is the PCI SSC changing the QIR program?
Gill Woodcock: The revisions to the QIR program are designed to better mitigate merchant risk and combat industry pain points on data breaches. Industry feedback continues to show that the most common causes of payment security breaches are remote access vulnerabilities, weak password practices and outdated and unpatched software. The revised QIR training program will focus heavily on these three critical security control areas to better mitigate merchant risk.
Why is the PCI SSC revising the QIR program?
Gill Woodcock: The Council’s goal is to train as many security professionals as possible to install payment systems properly and in a secure manner. To achieve this, we are making changes to the program to reduce barriers for professionals to become QIRs, particularly smaller integrators and resellers, in order to increase the program’s reach to small businesses. The changes are designed to increase the number of trained integrators and resellers available to merchants, and to ensure that these integrators and resellers are trained specifically in the three most common causes of data breaches.
Can you outline the specific changes to the program?
Gill Woodcock: The PCI SSC is evolving the QIR program to make it more accessible to integrators and resellers and to address the specific risk areas that are leading to the majority of merchant payment data breaches. The specific changes include:
- Shorter training course time with a shift in focus to critical security controls, with training content and exam offered online
- Program certification tied to individuals rather than a company, creating opportunity for any company to employ QIR professionals
- Price reduction to $100 USD per person for new and requalification training
- Introduction of annual requalification cycle (instead of a three-year cycle)
- Expanded program eligibility to include industry practitioners who implement, configure and/or support any payment applications and related payment technologies
Why the shift from a company qualification to an individual qualification?
Gill Woodcock: The Council recognizes that the knowledge an individual acquires through the QIR training is not tied to the company they work for. In other words, if a QIR professional moves to a new organization the knowledge and training they received is still current as long as they are within their qualification window.
How does this change QIR professionals’ responsibilities?
Gill Woodcock: Although the focus of the program will encourage QIRs to better address critical controls leading to data breaches, the QIR’s primary responsibilities won’t change.
How will the revised QIR program impact merchants?
Gill Woodcock: The QIR program changes are designed to help reduce merchant risk, by providing information and resources that make it easier for merchant partners to address critical vulnerabilities that are causing data breaches. Merchants can have confidence that QIRs will be specially trained in the data security essentials which lead to the largest number of data breaches: insecure remote access, weak password practices and outdated and unpatched software.
How do these changes impact current QIR professionals?
Gill Woodcock: Please be assured that the status of current QIR professionals will not be affected as a result of these program updates. The QIR listing will include each QIR professional’s contact information and company name. Existing QIRs will keep their three-year qualification period, and move to the new requalification lifecycle once their existing certificate expires.
QIR professionals will now also be able to access program resources and manage their own continued program participation through the PCI SSC portal (previously managed by a company-based primary contact).
What are the benefits of becoming a QIR?
Gill Woodcock: QIR professionals stand apart from other service providers by achieving an industry-recognized qualification. The QIR training helps service providers understand critical security controls to better help merchants reduce their risk. Finally, successful candidates are listed in the go-to global directory of qualified providers on the PCI SSC website.
You’ve mentioned that the revised program will focus its training on the three critical security controls that could prevent the majority of payment data breaches: insecure remote access, weak password practices, and outdated and unpatched software. Does the PCI SSC have additional educational resources on these three controls?
Gill Woodcock: Educating the marketplace on best practices when it comes to remote access controls, strong password practices and patching software is a major priority for the Council, as these three areas are paramount to protecting payment card data. We have a number of resources on these topics which can be found on our blog (insecure remote access, weak password practices, and outdated and unpatched software). Additionally, in the coming months we will be rolling out a video and infographic series on these topics, so I encourage readers to subscribe to our blog to receive instant updates when these resources become available.
Where can I go for additional information on the QIR program?
Gill Woodcock: Interested applicants can register for the QIR program here. Merchants looking to hire a QIR can search the listing here. Learn more about the changes to the program by reading the PCI Perspectives blog post Q&A and QIR Program Changes FAQ. Finally, on 25 April the Council will be hosting a webinar for existing QIR professionals and companies to help address any questions they have about the changes to the program. Registration for the webinar can be found here.