Is PCI’s QIR the Achilles Heel for Cloud POS?

31 Jul

The Payment Card Industry Security Standards Council (PCI SSC) has established a program designed to mitigate card theft. At this juncture, most folks in the industry have surely heard of it: the Qualified Integrator and Reseller (QIR) program. The QIR effort is part of a larger initiative by Visa to mitigate cardholder data security breaches at small businesses – which typically do not have the same data security resources as larger organizations. Visa is relying on the PCI SSC to develop and maintain the QIR program.

The PCI SSC is uniquely situated to manage the QIR program standards since they also manage the Payment Application Data Security Standards (PA-DSS) program. The PA-DSS program “promotes the development and implementation of secure commercial payment applications that do not store prohibited data, and helps to ensure that payment applications support compliance with the PCI DSS.” It’s a verbose way of saying that the program is designed to minimize card theft and security breaches.

The QIR program was created in response to a belief that certifying installers of payment equipment would result in lower occurrences of theft. Protect the entire card environment, if you will. The QIR program explicitly lays out “guiding principles and procedures for the secure installation and maintenance of validated payment applications in a manner that supports PCI DSS compliance.” So if you install, support or maintain payment applications, QIR qualification ensures you’re educated to do so in a manner that conforms to PCI DSS.

Now this is where it gets interesting. According to Dustin Niglio, CEO of Payment Logistics and an expert on PCI, the QIR program implicitly defines its scope by stating that it applies to “secure installation and maintenance of validated payment applications”.  A validated payment application is one that has been reviewed by a PCI SSC Qualified Security Assessor (QSA) and found to be compliant with the Payment Application Data Security Standards (PA-DSS). The Payment Card Industry Data Security Standards (PCI DSS) require third party applications which process, store or transmit sensitive cardholder data to be PA-DSS validated. So in order for a merchant that uses a third party payment application that handles sensitive cardholder data to be compliant with the PCI DSS, the payment application they use has to be PA-DSS validated.

However, there exist payment solutions that isolate cardholder data to purpose-built payment devices and transmit that data directly to upstream payment processors. These payment devices fall outside of the scope of PA-DSS and ISVs (Independent Software Vendors) who utilize these devices for all handling of sensitive cardholder data within the merchant environment consequently place themselves, and their dealers, outside the scope of QIR.


Acronyms aside, what does this mean in plain English?

The card networks (specifically Visa) think small businesses are not adequately protecting their data. To minimize data theft and losses that arise from said activity (as if they don’t already have insurance against such fraud) they decided to force a new program (QIR) onto the payments channel – the cost of which is ultimately footed by the merchant. The QIR program says “Hey, if your payments system sees any sensitive cardholder data that might be stolen, you, merchant, need someone who’s ‘QIR certified’ to install and maintain your payment systems.”

If there is a breach and it’s discovered that the merchant is using a validated payment application that hasn’t been installed and maintained by a QIR-certified agent, the card network will assess fines to the merchant’s payments provider… even though the cost gets passed to the merchant. Make sense?

Moreover, the real-life scenario creeping into my mind is this: what happens with cloud POS installs? Many cloud ISVs simply drop ship the hardware and software to the end merchant. The merchant puts the “blue plug in the blue port” and setup is done. But merchants are not QIR certified… now what?

The merchant/ISV will need to find a payments provider that offers a solution which removes them from the scope of QIR. That is, the solution isolates all handling of cardholder data; any data within the merchant’s environment must be ran on a purpose-built, plug-and-play device that does not allow for remote access into the cardholder data environment. Most ISVs and merchant acquirers offer such options, dependent on compatibility with upstream processing networks, costs, etc.

Visa went so far as to address the same question.

Q: What if a service provider ships POS terminals to a merchant? Is that service provider in scope for the QIR program?

A. If the service provider is configuring the application within the terminal for the merchant and will support or service the terminal via remote access after installation, the service provider is in scope for the QIR Program and should complete the certification process. A service provider providing a merchant with a simple plug-and-play device which will not allow for remote access into the POS environment is not in scope of the QIR program (i.e. QIR is irrelevant).

Dustin finds Visa’s terminology interesting. “Instead, Visa should have used the term ‘remote access into the cardholder data environment’” Dustin says. “Furthermore, in my opinion, it was not correct to focus on ‘remote access’ as the qualifier of being in-scope of QIR. But I understand why they did it.”

Dustin details that, “The number one issue Visa has seen with small merchant data breaches has been the use of insecure remote access configurations by POS dealers. Many POS dealers have a long running habit of setting up unattended support on merchant POS servers and then using the same remote access password in their unattended support solution for all of their sites. So once a hacker compromised the password for one site, they could locate other customers of the dealer and easily hack into those sites remotely by using the same or a similar password. It’s such an easy vulnerability to mitigate, yet there are so many instances of this happening that Visa finally had enough and now we have QIR. Of course, this is my opinion, but Visa shows their hand by the types of questions and answers they included in their FAQ.”

It only gets more complicated from here. “When it comes to Android and iOS POS systems or any POS application which is designed to run on a handheld consumer device, there is a another can of worms we can open surrounding PA-DSS and QIR. But that’s for another time.”

Dustin can be contacted in response to this article by phone at 858-200-9634 or by email at I have found Dustin to possess unquestionable knowledge of this critical issue. A previous post of his on the same topic can be found here.