The PCI QIR: What Is It and Why Should One Care?

The PCI QIR: What Is It and Why Should One Care?

15th November 2019 by Elton Jones @ID-3

In a recent report, VISA stated that 80% of small business data breaches are associated with insecure implementation and/or servicing by the integrators and resellers. It’s time therefore that organisations urgently consider how best to demonstrate due diligence on their implementation where their Hardware Security Modules (HSMs) are concerned.

The Qualified Installer and Reseller (QIR) program mandates completion of a document known as an ‘Implementation Statement’ which forces any PCI application or hardware deployment to be demonstrable through performance attestation. What’s more, VISA has already taken strong action by issuing a QIR that will impact any non-specialist resellers who sell Hardware Security Modules but do not have capability themselves and depend on the vendors for implementation. In this instance however, best practices of the PCI SCC (who will ultimately validate the deployment) are not taken into account.

ID-3 has already witnessed platforms that have been removed form service due to easily avoidable, insufficiently attested implementations.

Do I need a QIR?

Any organisation implementing solutions that need to be PCI certified have a decision to make around what they feel is important at design stage or at least before implementation.
Just as an organisation needs to decide upon which PCI Certified application and device to use, they should also check the Qualified Integrators and Resellers list to validate that the implementation is carried out by a trusted individual from an approved company.
The PCI Council lists all QIRs on its website and the number of companies that are QIR Validated is growing very quickly.

The PCI requirements do not mandate the use of a QIR in PIN and P2PE yet; however the ‘2018 PCI QIR Program Guide’ sets the tone for industry practitioners to demonstrate their knowledge of critical security controls that mitigate the most common causes of loss of Cardholder Data in the payment card industry today.
Regardless of your business size, the PCI DSS v3.2 Self-Assessment Questionnaire (SAQ) will require a ‘Yes’ answer to the question: Does your company use a Qualified Integrator & Reseller?

What does your business need to do?

ID-3 provide the important steps to take as you prepare:

Identify and list the organisation(s) responsible for integrating and/or servicing your system, along with a description of the specific services they provide.
Don’t just buy from anybody! Know who you are dealing with and check that your service provider or reseller is on the PCI Qualified Integrators and Resellers List.

If your provider is on the list, add the name of the QIR individual to your deployment procedure attestation document.
If your provider is not on the list, contact them immediately to verify that they are working toward PCI QIR validation—and if they are not, begin seeking out a validated QIR to perform that service in the future.

ID-3 are continuing to educate and assist payment service providers in their efforts to fully comply with the PCI mandates. If you want to know more about how ID-3 can help your businesses PCI journey, do not hesitate to get in touch.