New Updates to the QIR Program: Here’s What You Need to Know

March 28, 2018


The PCI SSC (Payment Card Industry Security Standards Council) is making changes to the Qualified Integrators and Resellers (QIR) program in order to better reduce merchant risk and address industry pain points regarding data breaches. Specifically, the changes will address the leading causes of data breaches: poor password practices, insecure remote access, and outdated, unpatched software. These changes to the program are being made to better mitigate merchant risk. The new training program will focus on the areas of weakness mentioned above.

The PCI SSC’s main goal is to train as many security professionals as possible who can properly install payment systems in a secure manner. The biggest thing the updates are doing is reducing the barriers for professionals to become QIRs, particularly the smaller integrators and resellers. Breaking down barriers for smaller integrators and resellers means breaking down barriers for smaller merchants.

According to the PCI SSC, the specific changes include:

• Shorter training course time with a shift in focus to critical security controls, with training content and exam offered online.
• Program certification tied to individuals rather than a company, creating opportunity for any company to employ QIR professionals
• Price reduction to $100 USD per person for new and requalification training
• Introduction of annual requalification cycle (instead of a three-year cycle)
• Expanded program eligibility to include industry practitioners who implement, configure and/or support any payment applications and related payment technologies

Shift from Company Qualification to Individual Qualification

One of the biggest barriers being broken down by the changes is the shift from a company qualification to an individual qualification. The PCI SSC is trying to emphasize that the knowledge an individual holds is not necessarily tied to a specific company. That way, if a QIR-certified professional moves to a new company, their knowledge and training are still current as long as they are still within their qualification window.

How Will Merchants Be Impacted?

Merchants should be positively impacted by the changes, since the program in general is aimed at reducing their risk across the board. Information and resources will be made more readily available because merchant partners have fewer barriers to obtaining certification. Beyond access, merchants can sleep easier knowing that they are working with partners who are trained in the three core areas behind data breaches.

Status of Current QIR Professionals

The status of current QIR professionals will not be affected by the program updates. The QIR list will still include their professional contact information and the name of the company they work for. Those who are currently QIR certified will keep their three-year qualification, and once that cycle expires, they will move on to the new requalification lifecycle. On top of that, QIR professionals will now be able to access the program resources and manage their participation through the PCI SSC portal.

What Are the Benefits of Becoming QIR Certified?

• A QIR certification helps integrators and resellers stand out by achieving an industry-recognized qualification.
• It helps service providers understand critical security controls and industry practices to better help merchants reduce their risk.
• Once QIR certified, candidates are listed in the go-to global directory of qualified providers on the PCI SSC website.

For those who are interested in additional information on the QIR program, registration is located here. For merchants who are interested in hiring a QIR, contact information is listed here.
