Council to provide training on secure installation of payment applications to support merchant PCI DSS compliance efforts.
The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), has announced plans to train and certify payment software integrators and resellers on the secure installation and maintenance of validated PA-DSS applications into merchant environments to support PCI DSS compliance.
The PCI Qualified Integrators and Resellers (QIR) program is set to be rolled out over the coming months, with training set to begin in late summer and a global list of PCI Qualified Integrators and Resellers to be available later this year.
“This program comes as a direct result of industry feedback and stakeholder requests for greater quality assurance and accountability around the secure installation of payment software,” said Bob Russo, general manager, PCI Security Standards Council. “Not only will it help integrators and resellers better understand how to address some of the basic security flaws we’re seeing that can be easily avoided, but it will also make it easier for merchants to have confidence in the services being provided to them. Retailers and franchise operators alike will have a go-to resource they can trust for making sure their applications and systems are being installed and maintained properly.”
In its 2012 Global Security Report, Trustwave reports that 76% of the breaches investigated in 2011 were a result of security vulnerabilities introduced by a third party responsible for system support, development and/or maintenance of business environments. Errors introduced during implementation, configuration and support of PA-DSS validated payment applications by third parties into merchant environments were identified as a significant risk to the security of cardholder data. Specifically, small businesses in the food and beverage industry that rely heavily on outsourcing are particularly vulnerable, as they made up the bulk of the compromises.
To help address this security challenge, merchants, acquirers, payment software vendors and card brands participated in a Council taskforce to evaluate market needs and make recommendations on how to address them. This included development of more guidance and best practices for integrators and resellers and a global list of PCI Council certified integrators and resellers.
The QIR program will provide integrators and resellers that sell, install and/or service payment applications on behalf of software vendors or others the opportunity to receive specialized training and certification on the secure installation and maintenance of validated payment applications into merchant environments in a manner that supports PCI DSS compliance. The PCI SSC will maintain a global list of QIRs, ensuring merchants a trusted resource for selecting PCI approved partners.
Training will be offered online beginning in late summer 2012, and the validated list for merchants will be published on the PCI SSC Website shortly thereafter. More details on the program, including eligibility requirements and training course information and costs will be made available soon. In the meantime, those interested in participating in the program can visit https://www.pcisecuritystandards.org/qir and contact firstname.lastname@example.org with questions.
“Product solutions that are a good fit for a PCI compliant organization need to be installed, configured, and managed properly to support PCI DSS,” said Diana Kelley, principal analyst at security IT research firm SecurityCurve. “Integrators and resellers need to understand what makes a solution effective for protecting cardholder data and the cardholder data environment in order to provide the most value to their customers. That’s why I think the new integrator and reseller certification and training for 2012 is a welcome addition to the Council’s comprehensive training offerings.”