The Payment Card Industry Security Standards Council is introducing a security credential for people who set up transaction services for merchants.
To qualify for the credential -- known as the Qualified Integrator Reseller, or QIR -- candidates complete a six-hour online course and pass a 70-question, one-hour exam, says Bob Russo, the PCI Council’s general manager.
The certification remains valid for two years before the council requires renewal, Russo says. The council plans to list holders of the credential on the council website, he notes.
“So, they’ll get a little publicity,” Russo adds.
The council sees a need for the credential because Trustwave, a security vendor, reports that 63% of data breaches investigated in 2012 resulted from vulnerabilities introduced by a third party responsible for system support.
“Most of the problems are small and easily fixable,” Russo says of the glitches that allow criminals to hack into point-of-sale systems.
The most common miscues include failing to change the system’s default password or neglecting to keep remote access secure, he notes.
Merchants often find remote access to their systems an attractive proposition because it enables them to monitor their businesses without dropping by the store.
Problems arise, however, because too many installers set up the systems in such a way that almost anyone can gain access to the data, Russo says.
Mom-and-pop storekeepers often have a son or daughter install the POS system after taking a class or two in computer science, he maintains.
Many systems use the word “password” as the default password, making it easy for crooks to breach the system and pilfer data they can use to commit fraud, says Russo.
Criminals choose a chain of stores or restaurants and try gaining entry with “password” until they happen onto a location where no one has bothered to choose a different password, he says.
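The two miscues Russo names above, an unchanged default password and open remote access, are easy for an installer to catch before leaving the site. The following is an added example, not code from the article, the PCI Council or any vendor: a pre-handoff check over a constructed POS settings dictionary whose field names, default-password list and 12-character minimum are assumptions for illustration.

```python
"""Constructed pre-handoff check for a POS deployment's settings.
Field names, the default-password list and the length policy are
assumptions for this example, not from any vendor or the PCI Council."""

# Constructed set of vendor-default credentials an installer must replace.
DEFAULT_PASSWORDS = {"password", "admin", "1234", "123456", ""}
MIN_PASSWORD_LEN = 12  # assumed site policy


def password_is_default(pw: str) -> bool:
    """True if the password is a known default (case-insensitive)."""
    return pw.strip().lower() in DEFAULT_PASSWORDS


def check_pos_config(cfg: dict) -> list[str]:
    """Return findings that block handoff; an empty list means the checks pass."""
    findings = []
    for account, pw in cfg.get("accounts", {}).items():
        if password_is_default(pw):
            findings.append(f"account '{account}' still uses a default password")
        elif len(pw) < MIN_PASSWORD_LEN:
            findings.append(f"account '{account}' password shorter than {MIN_PASSWORD_LEN}")
    remote = cfg.get("remote_access", {})
    if remote.get("enabled"):
        # Remote monitoring is fine; reachable-from-anywhere without MFA is not.
        if not remote.get("allowed_sources"):
            findings.append("remote access reachable from any address")
        if not remote.get("mfa"):
            findings.append("remote access without multi-factor authentication")
    return findings


# Constructed sample: the "almost anyone can gain access" setup the article describes.
WEAK_CONFIG = {
    "accounts": {"admin": "password", "manager": "Summer2013"},
    "remote_access": {"enabled": True, "allowed_sources": [], "mfa": False},
}

# Constructed sample: the same site after the installer fixes the findings.
HARDENED_CONFIG = {
    "accounts": {"admin": "Rz7!qL2m#Vw9pE4t", "manager": "k8$Gt2Lp!mN5xQ1s"},
    "remote_access": {"enabled": True, "allowed_sources": ["203.0.113.10"], "mfa": True},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_pos_config(cfg) or ["ok"])
```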
The PCI Council is working with retailing associations, including the National Retail Federation, to get the word out about the QIR credential.
Savvy independent sales organizations could earn the credential and use it to differentiate their companies from competitors, observers note.
In other news, the council has issued three “pieces of guidance” on mobile payments.
“Convenience always trumps security,” Russo says of the way users and vendors approach mobile payments.
Still, the council hasn’t issued mobile standards because the technology is changing so quickly that mandates would quickly become outdated, he contends.
At a minimum, anyone handling mobile payments should make sure to encrypt the data, Russo says.
Breaches have not been occurring very often in mobile payments, but they will in the future, he predicts.
“These hackers are lazy,” Russo says. “They look at traditional payments and say, ‘Let’s exhaust that first.’”
Russo also predicts a sharp increase in fraud as the United States moves toward the EMV standard, because criminals will seize their “last chance” to steal data before EMV’s added security makes such thefts more difficult.
He expects five to 10 years to pass before chip-and-PIN becomes ubiquitous here.
Even with the advent of EMV, PCI security standards will remain in force because chip cards alone won’t ensure data safety, Russo says.
Security will still require point-to-point encryption, tokenization and PCI standards – even in the EMV era, he contends.