Assessing PCI SSC's Changes to QIR ProgramWill Revisions Help Smaller Merchants in Their Efforts to Prevent Breaches?
Security experts are analyzing the potential impact of recently announced changes to the PCI Security Standards Council's Qualified Integrators and Resellers Program that are designed to help smaller merchants prevent payment card data breaches.
As a result of the changes, PCI SSC hopes that more individuals will be certified as QIRs who can advise merchants on payment security and that they'll focus more narrowly on mitigating the risks that matter most. That will prove particularly helpful to smaller merchants who needs security help the most, PCI SSC says.
While some security experts say the changes are a good move, others contend the changes should have happened years ago at the height of retailer card data breaches.
Since 2012, when the QIR program was unveiled, consultancies and other firms could have members of their team qualify as QIR examiners who help retailers implement PCI-compliant payment applications. The examiners were re-certified every three years, and they focused on a broad range of risk mitigation issues.
Now, as a result of the changes, individuals approved to participate in the QIR program will need to be re-certified annually so they can better help retailers stay up to date with current risks.
In another major change, QIRs will focus on the three most prevalent causes of data breaches in the payments industry: insecure remote access, weak or default passwords and unpatched or outdated software.
Also, those who qualify as QIRs now can move their credentials with them when they switch to a new employer. And the fee for professional certification has been reduced to $100 from $395.
Smaller Businesses Targeted
Since the inception of the QIR program, the profile of data breaches has considerably changed, with increasingly significant attacks on small and midsized enterprises that are ill-equipped to deal with the cost of lost business, fines and ongoing systematic upkeep of fraud and security protection measures.
Small companies are disproportionately impacted by data breaches. Nearly half of all data breaches in 2017 affected businesses with less than $50 million in annual revenue, according to Netdiligence. By contrast, companies with revenue of more than $10 billion accounted for just 4 percent of breaches.
"Small businesses are not necessarily sophisticated, and frankly, payment security is not top of their minds," Mauro Lance, chief operating officer at PCI SSC, tells Information Security Media Group. "This [QIR] program is very important for small and medium businesses; those are the ones that are being hit with the breaches, so this is really for them and how to address those three critical controls."
Why Just 3 Controls?
Shifting QIRs' focus to just three specific vulnerabilities reflects research on the cause of breaches.
For example, the 2017 Verizon Data Breach Investigations Report showed that 88 percent of data breaches are caused by just nine attack vectors and 81 percent of hacking-based breaches leverage stolen or weak passwords.
"If you want to move the needle and focus on the causes of the vast majority of breaches out there, then go back to insecure remote access, weak or default passwords and unpatched or outdated software," Lance says.
Julie Conroy, research director at Aite Group, says that, based on the common causes of most breaches, "overall, these look like positive, common-sense based [QIR program] changes to me. Reading the annual Verizon data breach report feels a bit like Groundhog Day every year, because it's always those basic, easily preventable vectors."
Some payment security experts, however, argue that the changes are coming too late to have much impact, given that many PCI-related vulnerabilities at retailers are being addressed with the shift from magnetic stripe cards to EMV cards.
Many data breaches at retailers occurred shortly after the inception of the QIR program in 2012, and now the issues are less acute, contends a senior fraud analyst at a large payment technology vendor, who requested to remain anonymous. Thus, the new changes are "too little, too late," the analyst claims.
James Wester, research director at IDC Financial Insights, a provider of market intelligence and advisory services, contends that while the council's aim may be to make the QIR acronym as prestigious and recognized as CISSP and CISM, lowering barriers to entry and simplifying the program will "devalue the credential."
But the revamped QIR program could gain respect, he says, "if those newly minted QIRs can actually help stem the problem of data breaches by addressing the very basic issues that often lead to those breaches."