Visa Encourages EMV and Point-to-Point Encryption Technology

Category: Payment Processing Technologies

Cyber criminals and hackers continue to pose a threat to smaller businesses. Not only are these businesses easier to hack, but they also lack many of the resources that create safeguards and protective barriers against these perpetrators. The situation is made worse by improperly installed POS software and applications, as well as breaches into merchant payment data. Malware exposure, through gaps in merchants' security protocols, is creating the most significant risk to their payment data. Due to the increase in small business data breaches, Visa has established a new data security program. This program will require small businesses that use third-party providers for POS applications and terminal installations and integrations to engage only IT professionals who have achieved their Payment Card Industry Qualified Integrator and Reseller (PCI QIR) compliance.

Visa's recent investigations have found that smaller merchants continue to be the target of hackers attempting to collect or compromise data. These new requirements take effect January 31, 2017 for all Level 4 merchants. Level 4 merchants are classified as those that process fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants that process up to one million Visa or MasterCard transactions annually. All Level 4 merchants in an acquirer's portfolio that use third parties for their POS applications and terminal installation must use PCI-certified QIR professionals, and acquirers must guarantee that those merchants validate their PCI DSS compliance annually and/or participate in Visa's Technology Innovation Program (TIP).

The TIP program is part of Visa's continued strategy to defend payment systems and push forward security practices that will help protect cardholder data. The program will reward and encourage the use of EMV and P2PE technologies. According to Visa, in order to qualify for TIP and receive the program's benefits, a merchant will need to meet these three criteria:

  • Confirm that sensitive authentication data (full contents of magnetic stripe, CVV2 and PIN data) are not stored subsequent to transaction authorization, as defined in the PCI DSS.
  • Ensure that at least 75 percent of all transactions originate through enabled and operating EMV chip-reading terminals or a PCI SSC-validated P2PE solution.
  • Not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if it has subsequently validated PCI DSS compliance.

This program will also be effective January 31, 2017.

Merchants that use a third party for POS application or terminal installation are still required to be QIR certified. In addition, merchants that rely on single-use terminals without Internet connectivity are classified as low risk and may be left out of the new requirements. All organizations that store, process, or transmit payment card data must still comply with PCI DSS, regardless of whether they are eligible for the TIP program.