Here you’ll find additional information about the QIR (Qualified Integrator and Reseller) requirements and OpenEdge’s QIR ASSIST - our QIR Certification Education Program exclusively for OpenEdge partners.
Whether you’re currently QIR-certified, need to certify and want some help in preparing, or even if you know QIR certification isn’t for you, OpenEdge has you covered. For partners seeking both help in understanding the QIR exam process and assistance in preparing, we have solutions for you. If you don’t want to become a certified QIR, we have QIR-certified technicians on staff so regardless of your decision, your merchants will always have access to a certified resource to install and maintain their payments software.
On this site you’ll find:
- Background information and timelines regarding the QIR mandate
- Benefits to QIR certification
- Components of our QIR ASSIST Program for OpenEdge Partners
- Steps to begin the QIR certification process
We will continue to add more information to this site as we approach the January 31, 2017 deadline for merchant compliance. Until then, you can contact your Strategic Partner Manager for more information, or call 800-774-6462.
Small Merchant Qualified Integrator And Reseller (QIR) Mandate FAQ
- What are Qualified Integrators and Resellers (QIR)?
A Qualified Integrator and Reseller (QIR) is an organization qualified by the PCI Security Standards Council (PCI SSC) to implement, configure and/or support Payment Application Data Security Standard (PA DSS) validated Payment Applications on behalf of merchants and service providers. The quality, reliability and consistency of a QIR’s work provide confidence that the application has been implemented in a manner that supports the merchant’s Payment Card Industry Data Security Standard (PCI DSS) compliance.
- What is the Visa QIR program?
Visa is requiring acquirers in Canada and the United States to validate that small merchants and merchant agents use POS integrators and resellers selected from the list of approved Qualified Integrators and Resellers published on the PCI SSC website (Visa mandate).
- Who is impacted?
At this time, Visa has limited the QIR program requirements to those acquirers operating in Canada and the United States.
- Small merchants (i.e., PCI DSS Level 4 merchants) are impacted by the Visa mandate. These merchants are considered to be any entity that processes fewer than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions, regardless of the payment acceptance channel.
- Additionally, a QIR is not required if a merchant does not use a third party for POS application or terminal installation, and/or integration or maintenance.
- What are the Visa QIR acquirer mandates?
This Visa mandate calls for the eventual use of QIRs by all Level 4 merchants whenever integrated POS applications and terminals are installed and integrated by a third party.
MARCH 31, 2016: All North American acquirers must communicate to all Level 4 merchants the requirement to use certified Qualified Integrators and Resellers (QIRs) from the listing of QIR companies on the PCI SSC website for all integrated POS application and terminal installations, where installation is performed by a third party.
JANUARY 31, 2017: All North American acquirers must ensure that all Level 4 merchants use a certified QIR from the QIR listing for servicing POS applications and terminals.
- Why is Visa establishing these requirements now?
PCI Forensic Investigators (PFIs) have identified links between improperly installed POS applications and merchant payment data environment compromises. Specifically, small merchants continue to be targeted by hackers attempting to access cardholder data via security protocol gaps in remote-access services used by integrators and resellers to facilitate monitoring and software support.
Remote access solutions (e.g., LogMeIn, PCAnywhere, VNC, and Microsoft Remote Desktop) are commonly used to provide remote management and support for retailers. Used correctly, remote management applications are an efficient and cost-effective method of providing technical support to large numbers of merchants. However, if exploited, they have the potential to expose payment card data and other sensitive information to cybercriminals. Insecurely deployed remote access applications create a conduit for cybercriminals to log in and establish additional “back doors” by installing malware, oftentimes with the capability to record keystrokes, capture audio and video from the affected computer and steal payment card track data. The risk of data compromise is increased when remote access applications are configured in a manner that does not comply with the PCI DSS.
- As a merchant, what do I need to do relative to this QIR mandate?
If You’re a Merchant Processing on a Dial-Up Terminal:
- Business as usual - no further action required
If You’re a Merchant Using an Integrated Partner POS that was Installed Prior to January 31, 2017:
- Business as usual - no further action required
If You’re a Merchant Who Will be Upgrading an Integrated Partner POS System After January 31, 2017:
- You will need to utilize a QIR resource to install your upgraded payment application
At this time, Visa has isolated the QIR program requirements to those acquirers operating in North America.
- PCI Security Standards Council (PCI SSC)
- Payment Application Data Security Standard (PA DSS)
- Payment Card Industry Data Security Standard (PCI DSS)
- Qualified Integrator and Reseller (QIR)
- PCI Forensic Investigators (PFI)
- Visa Small Merchant Security Program Requirements