The new year will be ringing in with questions about Visa’s plan to improve the data-security work that third parties do on small merchants’ point-of-sale systems.
What happens when a payment-security requirement isn’t enforced and is largely ignored by vast numbers of the industry participants it covers?
We’re about to find out come Jan. 31, the day that Visa Inc. officially requires merchant acquirers to ensure that Level 4 merchants use only qualified integrators and resellers (QIRs) to install, integrate, and support point-of-sale applications and terminal installation and integration.
The aim of the QIR requirement is to plug persistent holes in payment-security defense: poor practices in remote access to payment systems that have resulted in a large, perhaps dominant, portion of data breaches affecting smaller merchant systems.
Thousands of independent software vendors (ISVs) provide payment applications that fall under the auspices of the PCI Security Standards Council’s Payment Application Data Security Standard (PA-DSS). The problem is nobody seems to have a handle on how many third parties should be undertaking the training, testing, and certification process through which the Wakefield, Mass.-based PCI Council designates QIRs. And nobody seems to know how many small merchants should be using them.
But it’s pretty certain there are thousands of the former and millions of the latter, and as of mid-November there were fewer than 300 companies on the approved list of QIRs.
Visa’s Level 4 merchant category encompasses businesses that process fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions—regardless of channel—per year. Visa has estimated this covers approximately 5 million merchants.
Many small merchants are using single-use terminals without Internet connectivity. Acquirers may exclude these from QIR coverage due to low risk. Others who do not use a third party for POS applications or terminal installation, integration or maintenance, fall outside the QIR requirement. That still leaves potentially millions of merchants that should be using QIRs come Jan. 31.
On the ISV side, First Annapolis Consulting Inc., an advisor to payment-industry participants, has estimated there are as many as 10,000 actively engaged in the payments industry (“Here Come the Developers,” June). A recent survey of 400 ISVs by First Annapolis found that only half actually do the integration of payments functionality into their software.
Many ISVs work through third parties or sell their software to other ISVs and payments providers, including independent sales organizations and acquirers that integrate it with their own. Some ISVs are also value-added resellers (VARs) that actually bundle their software with payment-acceptance devices.
“The VAR market is highly localized and fragmented, likely including at least several thousand companies, which suggests the 270-plus entities currently certified is just a small fraction of integrators and resellers,” says Brooke Ybarra, senior manager with Annapolis, Md.-based First Annapolis.
Visa declined a Digital Transactions request for an interview and would only respond via email to written questions. Asked to estimate what portion of impacted integrators and resellers have been validated, Visa responded: “We cannot provide a percentage of integrator/resellers because we do not know the entire population of them. That is why we are requiring acquirers to get them certified.”
Digital Transactions reached out to the top eight U.S. acquirers (which after recent acquisitions represent 2015’s top 10), and seven declined to provide interviews or respond to written inquiries.
Bank of America Merchant Services, a joint venture of Bank of America Corp. and processor First Data Corp., was the only top acquirer to respond to Digital Transactions regarding the QIR requirement. Larry Brennan, senior vice president of cybersecurity, says it is very difficult to determine what percentage of applicable integrators and resellers are reflected in the QIR designated lists published by Visa and the PCI Council.
“It’s hard to say whether it has met my expectation,” says Brennan, but he adds that his organization is focused on educating merchants to ensure they are aware of the requirement. “As the communications and education goes out to our client base throughout the ecosystem and they know they have to have a qualified integrator or reseller, they are going to press those existing integrators and resellers to actually get certified.”
Although Visa has charged acquirers with enforcing its mandate, there are few forums for them to engage with those responsible for installing and maintaining the software. “As an acquirer, we are really not involved with the integrators and resellers because a lot of them are regional,” Brennan says.
The Charlotte, N.C.-based Retail Solutions Providers Association has tried to provide a bridge into the integrator and reseller community. Its membership includes resellers, distributors, hardware manufacturers, software developers, payment processors, consultants, and service providers engaged in POS technology. It negotiated with the PCI Council early on to arrange for a discounted training and testing fee, which has since expired. During that initial promotion, over 700 individuals working for RSPA member companies initiated the QIR certification process and the association says nearly half of the companies certified today are RSPA members.
“QIR validation made progress in the past 12 to 15 months,” says Kelly Funk, president and chief executive of the RSPA. “I know there are people in the ecosystem that still have a way to go, but I also know that there are at least several hundred that are in the queue who are going through training or have taken the test and still need to submit the paperwork.”
Many larger companies have multiple people who have completed the process, and the PCI Council says by early November there was a total of 659 certified QIR professionals, representing 281 companies in 47 states and six other countries.
Time And Financial Commitment
Funk declined to estimate how many of her members have completed the process or what proportion of QIR-applicable companies have failed to participate. But she noted that it requires a not insignificant amount of time to train and test. It also represents an additional financial burden.
“Many of them have already been doing installations for many years, and helping them understand how this helps them do this better or differently hasn’t, I think, been quite articulated,” she says.
The RSPA is continuing its education and promotion effort with a new online member resource and is continuing to advocate for measures to remove perceived barriers to taking the test.
“I can say from an association standpoint we’ll continue to ask for and encourage more ways for people to enter into it without having necessarily to pay $395 and go through only one provider,” says Funk. “We’re looking for all partners in the ecosystem to help.”
Another industry association with a stake in the issue is the Washington, D.C.-based Electronic Transactions Association (ETA), which engages with the PCI Council on behalf of a membership that includes many ISOs, the card brands, acquirers, and others involved in the payments industry.
“A number of our members looked at QIR as a reasonable way to deal with merchant breaches and risk and to address this head on,” says Amy Zirkle, ETA director of industry affairs.
But, Zirkle points out that the payments industry has been changing rapidly since the PCI Council first offered the QIR program.
“There are more and more entities out there that are dealing with payments that are not used to dealing with payments,” she says. “It may be the QIR of 2012 doesn’t fully address the market environment of 2016. There is a lot of confusion over the program and a desire for clarity over Visa’s requirement. Everybody wants to address the security issue, but there has got to be more discussion on how best to do so.”
Taking the Test
Shane Zaborac, owner of Spokane, Wash.-based Northwest POS and developer of the software that drives his POS service primarily for food-and-beverage establishments, believes in the intent of the requirement. He completed QIR validation in February, but not without some angst about the test, which has a reputation for being very tough.
“It’s pass or fail; I failed the first time and had to go in a second time,” Zaborac recalls. “The first time I studied, studied, studied. The second time I studied harder.”
Zaborac’s chief complaint is that when he took the test the first time, he received no information on what the passing score was and how well he did. Nor was he told what areas he needed to study harder. Furthermore, there’s a $150 fee for retaking the test.
John F. Maguire III, senior computer technician with Bluestone Restaurant Systems Ltd., a Phoenix-based reseller of the RPower POS solution, believes the QIR program “creates a good structure and framework for cardholder security” and says six technicians at Bluestone have undertaken the training and testing. But, he adds, “We’re all still wondering if we’re going to be able to do remote installations.”
Maguire says his company took advantage of the RSPA-negotiated discounts for taking and retaking the exam. He also attended a QIR information session this past summer at RSPA’s RetailNOW conference that featured executives from Visa and the PCI Council. But when he heard the Visa representative saying the card network was not going to enforce the requirement, “this was disheartening” in light of the time and energy he’d invested.
That Visa executive was Diana Greenhaw, senior director of global data security and third-party risk. She told attendees: “We have no intention of proactively enforcing these requirements. There are millions of merchants in the U.S. and it’s not about us trying to measure if every individual merchant who uses an integrator that that integrator is QIR-certified.”
Still, she added, “in the event of a compromise, we absolutely will enforce our requirements.”
Responding to a request for clarification, a Visa spokesman says, “In the event of a compromise linked to a merchant’s non-compliance with Visa rules or PCI DSS, acquirers may be subject to non-compliance assessments for not meeting these or other data-security requirements.”
One thing is sure. In the age of the data breach, the end of next month will usher in a new phase of prevention. How effective it will be remains to be determined.