Retail businesses are constantly under attack by cybercriminals trying to steal payment card data – and in some cases, retailers are making it easier for hackers to succeed. In fact, credit card company Visa has found that improperly installed POS applications and merchant payment devices create the conditions hackers like to exploit to steal information.

That’s why the financial services giant is pushing merchants, payment application developers, POS system integrators and resellers to comply with security requirements designed to combat the threat of hacker attacks. Visa has set a deadline of March 31 for small merchants to meet a set of requirements that restricts who they can buy POS technology from.

These requirements may affect APG Cash Drawer partners, and we want you to know what is going on so you can prepare for them.

As of March 31, all new Level 4 merchants (owner-operated retail locations of franchise or corporate organizations) must use only Payment Card Industry (PCI)-certified QIR resellers and integrators for the installation and integration of POS applications and terminal installations. Also, as of Jan. 31, 2017, all Level 4 merchants must validate full PCI DSS compliance annually.

The QIR (Qualified and Integrators and Resellers) designation is issued to solution providers that have received training and qualification on the secure installation of Payment Application Data Security Standard (PA-DSS)-validated payment in compliance with the PCI Data Security Standard.

Visa’s new requirement affects merchants and their POS suppliers alike. If as a reseller or integrator, you have yet to earn QIR certification, you’ll be excluded from a lot of business opportunities going forward.

Requirement Revisions

As the March deadline looms, it’s important to know that the Payment Card Industry Security Standards Council (PCI SSC) has eased QIR requirements. Changes to the requirements, which had caused some concern among solution providers, include condensing the QIR agreement (from 12 pages to less than three) and requiring only one employee per company – or a sole proprietor – to qualify for QIR. The previous requirement called for two qualified employees.

This easing of requirements should remove some of the obstacles for POS solution providers to earn their QIR certifications. While the mandate may feel like a burden, integrators and resellers should look at it this way: Visa is effectively forcing merchants to work with the best qualified providers to ensure retail operations have properly designed and installed systems with the security they need to protect themselves and their customers.

For you, our partners, QIR certification brings some real benefits. Qualified providers stand to expand their businesses with existing customers, win new customers and boost revenue. So if you don’t have QIR certification yet, it’s time to start the process. Learn more about the process by visiting the PCI site, or by contacting the RSPA (Retail Solutions Provider Association) for more information.

3/15/16 UPDATE:

(NEW) Effective 31 March 2016, acquirers must communicate to all Level 4 merchants that beginning 31 January 2017, they must use only Payment Card Industry (PCI)-certified Qualified Integrators and Reseller (QIR) professionals for point-of-sale (POS) application and terminal installation and integration.

• Effective 31 January 2017, acquirers must ensure that Level 4 merchants using third parties for POS application and terminal installation and integration engage only PCI QIR professionals.
• Effective 31 January 2017, acquirers must ensure Level 4 merchants annually validate PCI DSS compliance or participate in the Technology Innovation Program (TIP).