The following is a guest post by Steve Levinson, PCI Goon. You can contact him here.
The PCI (Payment Card Industry) Council (PCICo) has pointed their elbow in the direction of those responsible for installing payment applications. PCICo issued a press release yesterday announcing the PCI Qualified Integrators and Resellers (QIR) program. The QIR program is designed to improve the quality of the integrator/reseller community often tasked with installing and maintaining payment systems. Is this the silver bullet we’ve been waiting for?
According to the release, the PCI Council is in the process of rolling out this program to train and certify software resellers and system integrators. The Council will list those certified organizations and individual employees on their web site, similar to how they list QSAs (Qualified Security Assessors).
The lack of accountability for POS installers to set up systems in a compliant manner is a known issue in the PCI community. While performing PCI assessments, I’ve come across merchants whose applications are on the PA-DSS (Payment Application Data Security Standard) compliant list but who are still at risk (i.e. NOT PCI compliant) because their payment applications were not implemented properly or on a secure platform. A common cause of this issue is that the installer of the POS system was a third party who was only interested in getting the POS up and running and did not consider implementing it in accordance with security best practices, PCI DSS, or the application’s implementation guide.
This program will focus on both the installation and the ongoing maintenance of POS systems. The installation portion is a good start, since it is not uncommon for POS systems to be implemented with default settings and with weak or commonly known passwords. The program will also address the proper care and feeding of POS systems (patching, anti-malware, scanning, etc.). It is important that someone has the responsibility for maintaining these systems. Note: to be PCI compliant, updating and maintaining POS systems should have been happening all along. If it has not been happening, additional cost and effort may be needed.
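The two failure modes above (vendor defaults and weak passwords left in place at install time, and nobody owning patching, anti-malware and scanning afterwards) are exactly the things a post-installation review should catch. The following is an added example, not code from the original post or from the PCI Council: a small Python check that takes a constructed deployment record for one POS site and reports the gaps an assessor would flag. The record format, the `VENDOR_DEFAULTS` list, the 30-day patch window and the 7-character alphanumeric password rule are assumptions for this example (the last two are modelled on PCI DSS v2.0 requirements 6.1, 8.5.10 and 8.5.11); a real check would take the credential list from the vendor’s implementation guide.

```python
"""Post-installation compliance check for a POS deployment record (added example).

Assumptions (not from the post): the PosDeployment record layout, the
VENDOR_DEFAULTS sample list, PATCH_WINDOW_DAYS and the password rule.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample of vendor-supplied default credentials an installer
# must change before the system goes on the network (PCI DSS Req. 2.1).
# A real list comes from the payment application's implementation guide.
VENDOR_DEFAULTS = {
    ("admin", "admin"),
    ("pos", "pos"),
    ("administrator", "password"),
}

PATCH_WINDOW_DAYS = 30   # assumed: critical patches within one month (Req. 6.1)
MIN_PASSWORD_LEN = 7     # assumed: Req. 8.5.10 minimum length


@dataclass
class PosDeployment:
    site: str
    accounts: dict                # username -> password as left by the installer
    last_security_patch: date     # date the last vendor security patch was applied
    antimalware_installed: bool
    vuln_scan_scheduled: bool     # recurring vulnerability scan configured?


def password_meets_policy(password: str) -> bool:
    """Minimum length plus both letters and digits (Req. 8.5.10 / 8.5.11)."""
    return (len(password) >= MIN_PASSWORD_LEN
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))


def check_deployment(dep: PosDeployment, today: date) -> list:
    """Return a list of human-readable findings; an empty list means no gaps."""
    findings = []

    # Installation-time checks: defaults and weak credentials.
    for user, pw in dep.accounts.items():
        if (user.lower(), pw) in VENDOR_DEFAULTS:
            findings.append(f"{dep.site}: account '{user}' still uses a vendor default credential")
        elif not password_meets_policy(pw):
            findings.append(f"{dep.site}: account '{user}' password fails length/complexity policy")

    # Maintenance checks: patching, anti-malware, scanning.
    age = (today - dep.last_security_patch).days
    if age > PATCH_WINDOW_DAYS:
        findings.append(f"{dep.site}: last security patch is {age} days old (window {PATCH_WINDOW_DAYS})")
    if not dep.antimalware_installed:
        findings.append(f"{dep.site}: no anti-malware installed")
    if not dep.vuln_scan_scheduled:
        findings.append(f"{dep.site}: no recurring vulnerability scan scheduled")
    return findings


# Constructed sample record for one site, as an installer might have left it.
SAMPLE = PosDeployment(
    site="store-042",
    accounts={"admin": "admin", "cashier1": "summer", "manager": "Till2012x"},
    last_security_patch=date(2012, 4, 1),
    antimalware_installed=False,
    vuln_scan_scheduled=True,
)

if __name__ == "__main__":
    for finding in check_deployment(SAMPLE, date(2012, 6, 15)):
        print(finding)
```

Run against the sample record the check reports four findings: the untouched `admin` default, a cashier password that is too short and has no digits, a patch level 75 days old, and no anti-malware; the manager account and the scan schedule pass. Whoever signs off the install, integrator or merchant, is the one who should be producing an empty list here.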
A large percentage of larger merchant clients install and maintain their own POS systems, so this program will most likely not benefit many larger merchants. That said, this program will be good for smaller merchants—especially those in the hospitality industry—many of whom do not have the time, knowledge, or wherewithal to implement/manage POS systems. It will also raise the bar for the installers of POS systems and potentially weed out the ones who are incompetent.
Will this be beneficial for merchants who use a third party to install or maintain their POS systems? It will potentially increase security since there will be a better chance that the POS systems have been implemented in a PCI compliant manner. When a system is installed improperly or insecurely, the merchant pays the price—especially if they are breached. This increased security will come at some cost since the QIR companies will need to pay for QIR training for their employees and most likely those costs will be passed to the merchants, but those costs should be negligible.
Let’s kick a few numbers around. According to the Ponemon Institute, 41% of breaches were caused by “negligence”. Trustwave’s 2012 Global Security Report claimed that 76% of the breaches were caused by a third party’s vulnerabilities. While the QIR program may not be a cure-all for these risks, it can certainly play a significant role in reducing that number. I think this is a move in a positive direction and will ultimately reduce finger-pointing between merchants, installers, and payment application vendors. What do you think?