Can you provide a breakdown of the PCI SSC's new QIR program? Is it strictly for retail IT providers? Is it similar...
to any other security audits or compliance standards?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous
The Payment Card Industry Security Standards Council (PCI SSC), the governing body for the Payment Card Industry Data Security Standard (PCI DSS), recently announced the launch of its new Qualified Integrators and Resellers program, also known as QIR. This program is designed to close a gap in the payment card software installation process.
Prior to the program's launch, merchants that used software for processing payment card transactions were subject to PCI DSS, and developers that created the software had to do so in accordance with the Payment Application Data Security Standard (PA DSS). However, there was no compliance program covering the integrators and resellers that installed and configured the software at a merchant's site.
QIR is not a new compliance standard or audit requirement. It is a certification program for integrators and resellers. The educational component of the program is designed to ensure that the reseller can install and configure PA DSS-certified applications in a manner that allows merchants to comply with PCI DSS. In order to become a QIR, a firm must submit a written application documenting that its staff has the skill, knowledge and experience required to install software in a PCI DSS-compliant fashion.
Merchants are not required to use a QIR, but they will have access to a registry of QIRs, allowing them to select integration partners that fulfill the PCI SSC requirements that have demonstrated a base-level of PCI DSS and PA DSS knowledge. While this program is not a requirement, it does provide peace of mind to merchants that rightly make PCI DSS compliance a top priority.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
The OWASP Top Ten list is not a compliance standard but a set of best practices for enterprises looking to boost Web app security. Here's how to get ...continue reading
A data breach notification policy is important to have, but deciding how to alert customers can be tough. Expert Mike Chapple explains some best ...continue reading
Tokenization technology can be confusing. Expert Mike Chapple explains what the difference is between two types of tokens and how tokenization can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.