The Payment Card Industry Security Standards Council plans to begin training and certifying integrators and resellers of payments-security software to address data security gaps software installers may cause, the council announced May 10.
“It’s a major problem area,” Bob Russo, the council’s general manager, says of integrators and resellers.
The council cites data from Chicago-based security vendor Trustwave, which laid the blame for 76% of all data breaches investigated in 2011 on software integrators and resellers. The data appeared in Trustwave's 2012 Global Security Report.
To improve the situation, a council task force made up of a cross-section of “15 or 20” industry players studied issues related to the Qualified Integrator and Reseller, or QIR, credential, Russo tells PaymentsSource.
The timing seems right for the credential because hackers have begun to turn their attention to small merchants likely to use third-party software vendors as larger merchants have tightened security, Russo says.
The initiative is designed to improve the process of installing software, while the council’s established programs, such as the Qualified Security Assessor credential, pursue security “after the fact” of installation, Avivah Litan, a vice president at the Stamford, Conn., market research company Gartner Inc., tells PaymentsSource.
“It makes sense” to move upstream, Litan says.
The training should prove especially valuable for companies with inexperienced integrators, but less so for those with a strong background in the field, notes Diana Kelley, a partner at SecurityCurve, a security consultancy.
Although the council is still working on details, Russo provides an outline of how the project is expected to work.
First, the council intends to devise a list of qualifications companies must meet to participate. Meeting those requirements, which the council plans to release in June or July, establishes that a company is engaged in the integrator and reseller business.
Individuals from qualified companies would be eligible to take an online class, which will last two or three hours. Classes begin in July or August, Russo says. The council is developing training materials and content in collaboration with online-testing consultants. The cost of taking the test has not been established. Those who fail to pass may retake the course.
When a candidate passes the test and earns the credential, his or her company will receive a listing on the council website.
Vendors might choose to list the credential after their names on business cards, but that’s not the initiative’s real purpose, Russo says.
“It’s not so much to create a credential as to prevent fraud,” he notes.