Can you provide a breakdown of the PCI SSC's new QIR program? Is it strictly for retail IT providers? Is it similar to any other security audits or compliance standards?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous
The Payment Card Industry Security Standards Council (PCI SSC), the governing body for the Payment Card Industry Data Security Standard (PCI DSS), recently announced the launch of its new Qualified Integrators and Resellers program, also known as QIR. This program is designed to close a gap in the payment card software installation process.
Prior to the program's launch, merchants that used software for processing payment card transactions were subject to PCI DSS, and developers that created the software had to do so in accordance with the Payment Application Data Security Standard (PA DSS). However, there was no compliance program covering the integrators and resellers that installed and configured the software at a merchant's site.
QIR is not a new compliance standard or audit requirement. It is a certification program for integrators and resellers. The educational component of the program is designed to ensure that the reseller can install and configure PA DSS-certified applications in a manner that allows merchants to comply with PCI DSS. In order to become a QIR, a firm must submit a written application documenting that its staff has the skill, knowledge and experience required to install software in a PCI DSS-compliant fashion.
Merchants are not required to use a QIR, but they will have access to a registry of QIRs, allowing them to select integration partners that fulfill the PCI SSC requirements that have demonstrated a base-level of PCI DSS and PA DSS knowledge. While this program is not a requirement, it does provide peace of mind to merchants that rightly make PCI DSS compliance a top priority.
Dig deeper on PCI Data Security Standard
Related Q&A from Mike Chapple, Enterprise Compliance
Social media compliance is not typically considered a big issue for companies, but expert Mike Chapple explains why it should be.continue reading
Metadata tagging is not just for security. Expert Mike Chapple explains how tagging tools can be used to achieve PCI DSS compliance.continue reading
Before using the HIPAA-compliant cloud services from Google, there are some things companies need to know, according to expert Mike Chapple.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.