Protect customer data and process card payments securely – with a “qualified installation” by a QIR
As a Qualified Integrator and Reseller (QIR), we support you with the installation, maintenance and compliance with security standards for payments with credit cards or debit cards. Compliance with these standards is mandatory as defined by the major card schemes. It is designed to protect card data from fraud and theft.
In this article you will learn who needs a QIR and what advantages it gives you as a merchant and also as a customer.
First of all, what do all the abbreviations mean?
There are abbreviations without end in the field of card payments. The abbreviations relevant for this article are:
PCI: Payment Card Industry
PCI DSS: Payment Card Industry Data Security Standard
PCI SSC: Payment Card Industry Security Standards Council
QIR: Qualified Integrator and Reseller
Who must comply with PCI DSS and why?
The PCI SSC was initiated and founded by the five most important credit card companies (American Express, JCB, MasterCard, Discover Financial Services, Visa). The aim was to standardise the requirements for security standards in payment transactions with credit cards and debit cards.
These requirements were formulated and elaborated in the PCI DSS. Compliance with the security standards described in the PCI DSS is mandatory, and it applies to all participants in card-related payment transactions.
The aim of the PCI DSS is to protect the personal data of buyers, prevent credit card fraud and thus ensure secure transactions.
For whom is PCI DSS mandatory?
Anyone who offers credit/debit card payments or processes, stores and transmits card data is obliged to implement and comply with the security standards. This is irrespective of whether the transaction is made online, at a point of sale or over the phone.
The size of the company and the number of transactions define the “level” of the standards to be met. At present, these are:
- Level 1: over 6 million transactions annually
- Level 2: between 1 and 6 million transactions annually
- Level 3: between 20,000 and 1 million transactions per year
- Level 4: up to 20,000 e-commerce transactions per year
And what about external service providers who have taken over payment processing for you?
In that case, you need to ensure that this service provider is PCI DSS certified.
Tip: Ask your service provider for the PCI DSS certificate as a PDF. The certificate is valid for a maximum of one year and must then be renewed. It is therefore worth setting an annual calendar reminder to ask your service provider for the current certificate.
Advantages of using a PCI SSC QIR
No matter how small or large your company is, no matter what you sell: as soon as you accept credit cards or debit cards, you have to comply with PCI DSS. How elaborate this is depends on your classification, i.e. your level.
Your bank may be able to help you here; perhaps it even has an expert for the card business. This expert will (or at least should) hold one of the higher PCI qualifications.
Occasionally, however, it is helpful to have an independent person take a look at the overall workings of your payment transactions. Time for a QIR.
By the way: Visa requires the mandatory use of a QIR for any installation related to card-based payment transactions for the North American market.
What are the advantages of consulting a QIR?
With a so-called Qualified Installation by a QIR, you are on the safe side when it comes to card payments. Your advantages come down to three points:
- Security of customer and card data
- Safeguarding your business
- More time for your core competencies
What does that mean in detail?
1. Security of customer and card data
Protecting card data and thus preventing credit card fraud is the main concern of the PCI SSC.
Most security vulnerabilities are based on a faulty installation and insufficient maintenance of payment applications.
A certified QIR helps you avoid or remedy this problem.
2. Safeguarding your business
Not only your customers benefit from using the expertise of a QIR, but also you or your company. With the proof of a Qualified Installation, you increase your reputation and, last but not least, secure the continued existence of your company.
Fraudsters now prefer to target smaller companies that process their card payments via external service providers. If fraud occurs due to security gaps or a lack of PCI certification, you are fully liable for the damage incurred. Smaller companies in particular often do not have a sufficient financial cushion for such cases.
A lack of PCI certification can also result in penalties, with the final sanction being a ban on accepting credit card payments. And that is surely something you would like to avoid.
3. More time for your core competencies
The PCI requirements and security standards are admittedly complex and not easy to understand. However, to ensure sufficient security, they need to be.
A QIR takes the installation and maintenance of the payment transaction system off your hands. You can therefore concentrate on your professional and core competencies and do your actual job.
In addition, a QIR will explain the correct use of your payment transaction system to you and your staff and train them in it.
What is and what does a Qualified Installation involve?
A Qualified Installation is carried out by a PCI-certified QIR. This gives you a guarantee of security and quality. A Qualified Installation includes the installation of a new payment application as well as upgrades and maintenance of existing applications.
In detail, these are the activities we undertake for you as part of our QIR work:
- Supervision of the installation until going live
- Checking and adjusting security configurations such as antivirus software, firewall and secure passwords
- Defining and setting up the access logic to the application
- Definition of processes for various security topics, including training of those responsible in the company
- Creation of an implementation protocol
- Documentation of potential security risks
We help you to implement the requirements of the PCI SSC.
Certification as a Qualified Integrator and Reseller is carried out by the Payment Card Industry Security Standards Council (PCI SSC), so much for the complicated title. The certification takes place through a corresponding training course including an examination. It must be renewed and repeated annually.
Here you can check the official verifications. View the QIRs for the Europe region and you will find
- Hubert Hell
as our certified QIR.
Do you offer credit card and/or debit card payments?
Do you need the support of a QIR, or do you have questions about this?
Please feel free to contact us. Together we will find out what your situation is regarding secure payment processing and what still needs to be done.
Would you like more information in advance? No problem.
- Here you will find some reading material on the QIR.
- And here are our PCI-related articles published so far.
This Post Has 3 Comments
I run a small online shop as a side hustle. My customers can pay via PayPal. Do I need to be PCI compliant? If yes, can you help me?
Please email, as I look after my shop in lunch breaks and evenings only.
Briefly here, more via email. In general, as soon as you “do something” with credit cards and the cardholder data, you’d need to be PCI-compliant. If you’re not and some of the cardholder data gets compromised, you’re in trouble.
Regarding compliance itself, it all/mostly depends on how many transactions you process per year.
Happy to help you on this one, have a look in your inbox and let me know what you think.
Ron’s question has inspired me to write an article about that topic. Have a read if you are a merchant and not sure whether you need to be PCI-compliant or not.
Hope this is helpful!