Wednesday, April 24, 2024

A Small-Merchant Security Program Makes Progress, But Not Without Some Grumbling

By John Stewart
@DTPaymentNews

A relatively new program geared toward shoring up data security at small merchants is making progress toward a crucial January deadline, but not without some full-throated grumbling, if comments and questions at an industry trade show this week in Grapevine, Texas, were any indication.

The program, aimed at technology companies that integrate payments applications into retailers’ business-management systems, is backed by Visa Inc. and the PCI Security Standards Council and is intended to address a tide of data breaches caused by misaligned systems. Personnel from technology companies who complete specialized training and pass an examination earn the designation Qualified Integrator/Reseller (QIR).

Questions and apparent confusion about the QIR designation, which Visa will begin requiring Jan. 31, led to a 50-minute session dedicated to the subject at the Retail Solutions Providers Association’s annual RetailNOW conference, which caters to value-added resellers and independent software vendors that serve mostly small merchants.

Diana Greenhaw, senior director of global payment system risk at Visa, said the network backs the QIR program because of “a significant increase” in card-data breaches caused by careless or faulty work by integrators, including open channels for remote access and unsophisticated passwords. But audience members fired back that too many candidates are failing the required QIR examination and that resellers don’t have enough input into the design of the program.

One questioner at the session claimed resellers are hobbled because most small merchants simply don’t care about the intricacies of tying payments into business-management systems. He suggested Visa raise interchange rates for merchants that fail to use QIRs. “You’ve got to hit them in the pocketbook,” the questioner said. “That’s something we’ll consider,” Greenhaw responded.

A second audience member complained that, of 250 employees at his company who have so far sat for the QIR examination, some 60% have failed. He suggested the cause is a lack of communication between the PCI Council and integrators. “What resellers have been involved in developing the program?” he asked. Post-exam communication, he said, is a particular problem. “There was very little feedback” from the Council, he noted, “and February will be here before we know it.”

On Jan. 31, Visa will begin mandating that acquirers use only QIRs for integration work with so-called Level 4 merchants. These are sellers that annually process fewer than 20,000 Visa transactions online or fewer than 1 million total Visa transactions. Some 242 companies have earned the QIR designation so far, according to the Council’s Web site, up from 108 at mid-March.

Brandy Cumberland, director of assessor quality management programs at the Wakefield, Mass.-based PCI Council, responded that the Council is aware of the feedback issue and is working on resolving it. She acknowledged the Council’s QIR examination is far from easy.

“We’ve got a pretty difficult exam, people fail it,” she said, while adding, “Often, that’s because the wrong people are taking the exam.”

Nonetheless, she said, the Council tracks the areas on the examination that candidates struggle with and offers webinars and other materials to help future candidates master the topics.

Another sore point, according to audience members, is cost. The Council’s fee, which covers training and the exam, is $395 per person. The fee to retake the exam is $150. That adds up in a hurry when multiple employees are in training, audience members said. Cumberland noted that the Council will “definitely” offer promotions and group discounts in an effort to make the program more affordable.

Visa’s Greenhaw made it clear Visa sees little alternative to its QIR mandate. “A year ago, we set this [QIR program] out as a best practice and saw almost no shift,” she said, leading to the conclusion that the program needed to be a requirement.


Digital Transactions