In our previous blog, we shared some POS and payment security best practices for Cybersecurity Awareness Month. While the observance only runs through October, we ended by noting that good security hygiene must be followed year-round and in perpetuity.
Security requires constant vigilance. It's easy to assume that by selling secure and compliant payment devices and offering PCI DSS-certified software, you are exempt from having to worry about security. Unfortunately, according to Verizon's 2020 Data Breach Investigations Report, attacks have swung away from POS devices and controllers over the last few years and toward web applications. "As the infrastructure changes, the adversaries change along with it to take the easiest path to data," the report states. It also notes another change: personal data is now compromised more than payment data.
No matter how it happens or what data is compromised, should a significant security event befall one of your customers, it's safe to say fingers will point your way. Filling the role of trusted technology advisor and installing POS and payment systems means you're on the hook for security, whether it's on your list of services or not.
Invest in PCI QIR certification
Understanding the critical role that IT solution providers play in merchants' security, the PCI Council created its QIR (Qualified Integrators and Resellers) program, a payment security training curriculum and certification for POS and payment solution providers. Early iterations of the program were confusing and costly, and there wasn't widespread support within the POS community. That changed a few years ago. If you haven't looked at the program in a while, much has changed.
In 2017, Visa began requiring that all Level 4 merchants use only PCI QIR-certified solution providers for POS application and terminal installation and integration. In 2018, the PCI Council adjusted the program to make it more affordable and accessible to solution providers. For example, the Council reduced the time needed for QIR training and testing from 10 hours to just a couple and switched from $400 3-year certifications to $100 1-year certifications.
Offer security services to merchants
Today, QIR certification is a must-have. Not only has it become an operating requirement, but any solution provider that doesn't have it is missing out on opportunities. Verizon's report reveals that bad actors are "using unpatched vulnerabilities in web apps to gain access. Based on the vulnerability data collected, only about half of all vulnerabilities get patched within the first quarter after discovery. We know from past research that those unpatched vulnerabilities tend to linger for quite a while if they aren't patched promptly—people never get around to addressing them." Understanding this threat, savvy solution providers have bundled security, patch management, compliance services and ongoing monitoring to create lucrative new revenue streams.
Admittedly, security is a complicated topic and a moving target. Luckily, Ingram Micro offers several solutions and services to help keep the networks, POS and payment systems secure. For assistance in securing your POS and payment systems, the following resources are available: