The PCI Council’s Data Security Standard is built upon a 3-step continuous process of uncovering vulnerabilities, fixing the problems and submitting reports to the council.
This isn’t new and should be familiar to most POS solution providers. However, many think that if the POS system and payment processing components (integrated or not) are deemed to be out of PCI scope, then they don’t have to worry about PCI. Additionally, many believe that if a customer is deemed PCI compliant, they don’t have to worry about PCI.
Wrong in both cases.
Take another look at the PCI Council’s compliance process. It’s continuous and never-ending. Just because a merchant is PCI compliant today doesn’t mean that they’ll be tomorrow. PCI compliance can be shattered by leaving one server room door unlocked. You must be ever-vigilant, constantly looking for weaknesses and staying aware of the latest payment security trends.
Get QIR-certified ASAP
Realizing that payment security can be complex and confusing to deal with, the PCI Council created its QIR program, which is a payment security training program and certification for POS and payment solution providers.
Noting that many legacy POS solution providers were failing the QIR exam the first time through, the council added a prerequisite exam in June to establish baseline knowledge levels. After that, you go through self-guided education, pass the final exam and you’re on the list of QIRs. The whole thing costs a few hundred dollars.
Not only will being a QIR give you the education necessary to understand best practices and deal with the payment security issues of your customers, it could become necessary to stay in business. As of January 2017, Visa requires all Level 4 merchants to use only QIR-certified solution providers for POS application and terminal installation and integration.
Before you think you’re being strong-armed into this, consider that being QIR-certified gives you a competitive advantage. Also, know that you can bundle proactive security and compliance monitoring with antivirus and other security solutions to create a new revenue stream. Your customers’ pain is an opportunity for you.
As the big chain retailers continue to lock down their networks and protect their customers’ data, criminals will begin working downstream to smaller unsecured merchants. If your customers suffer a breach, it will most likely be catastrophic to their business. If that’s the case, there’s no doubt they’ll blame you for the loss—possibly in court. As much as you probably don’t want to deal with payment security, you don’t really have a choice anymore.