Retailers have a lot of hoops to jump through to ensure their payment environments are secure. They must make sure their payment applications are PA-DSS compliant. They must follow PCI-DSS to the letter to prove their payment environment is robust and secure. But until recently, it was hard to be sure the work of implementing these into their stores was done properly, and that leaves them vulnerable.
The PCI Security Standards Council’s Qualified Integrator and Reseller (QIR) certification bridges that gap, ensuring solution providers install and configure validated PA-DSS payment applications in a manner that ensures PCI-DSS compliance. Level 10 is happy to announce we are now officially QIR certified.
Risks and Vulnerabilities
The need for QIR emerged when it became clear that not every system integrator implemented payment products according to the recommendations of the payment software developer. An implementation might include added third-party software, a remote access FTP for a vendor, or payment hardware stored insecurely, all practices that violate PCI terms and open up vulnerabilities in payment environments. Sometimes these changes are made after a retailer is certified as compliant.
Headline-grabbing breaches to date have mostly resulted from attacks on the back end of retailers’ payment systems. But as those are addressed, the customer-facing components of payment systems will become a target. Custom research by RIS News found that while retailers are most concerned about the security of payment software, payment hardware security is a rising worry.
Because of growing awareness of risks in implementation, Visa’s “requirement 8” remote access standard requires some retailers to “ensure your Integrator/Reseller is an approved PCI QIR and work with them to ensure your remote access is compliantly configured.” In fact, smaller retailers are required to use only QIR certified integrators to install payment systems by March 2017.
Savvy retailers are already adding QIR certification to their payment system RFPs, and by 2018 others will likely be forced to do so by evolving card brand requirements.
Without a process to validate an integrator’s work (a time-consuming process of double- or triple-checking every step the integrator has taken), a retailer has no way of ensuring that the integrator followed software developer guidelines for key processes such as configuring software, setting up encryption and injecting service keys, or even seemingly mundane steps such as securely storing hardware prior to installation. Any irregularities would emerge only on a subsequent audit or, even worse, after a costly and embarrassing breach. Installation irregularities can be difficult to find, especially if they are undocumented.
As the cost of data breaches rises and hackers grow ever more sophisticated in their attacks, it has become clear that simply ensuring the payment application is PA-DSS compliant and the environment follows PCI-DSS rules is no longer enough. QIR is now the most important payment security credential retailers can rely on to protect their data, their customers, and their brand value. No retailer should work with an integrator without this key credential.