Page 35 - GS180302
CoverStory
He noted that roughly 80 percent of the standards' contents are comparable, which means much of the work by the PCI PIN Assessment Working Group will involve unifying the remaining 20 percent, with the second quarter of 2018 the target for a final unified standard.

Hints of further collaboration are in the offing. "The agreement between X9 and PCI SSC has the ability to extend beyond just this one agreement to other things in the future," Stevens said. "The foundation is already there, so it would make things rather quick to do."

Leach agreed, adding that there is a lot of synergy between the two organizations. "ASC X9 requirements are typically much more detailed, for example, on cryptography and certain elements of key management," he said. "We reference such organizations as ISO, ANSI, X9, EMVCo, NIST and others that provide much more specificity as guidance for how to apply that from a practical business perspective."

Another cross-industry effort resulted in the late 2017 release of two new security standards supporting secure implementation of the EMVCo 3-D Secure protocol for dynamic authentication of card-not-present transactions, an assessor program, and subsequent release of an SDK program currently in development.

More inclusive QIR program

Launched in 2012, the PCI SSC Qualified Integrators and Resellers (QIR) program geared for payment system installers has just been revised. Since implementing the January 2017 mandate requiring most POS systems to be installed by a certified QIR technician, the PCI SSC has closely monitored program adoption.

To boost participation in the QIR program, the council invited industry feedback and did a thorough analysis of data breach forensic reports. What resulted is a leaner, more focused certification program that focuses on the three primary points of vulnerability most commonly linked to payment data breaches: password, remote access and software.

On March 14, 2018, the PCI SSC released details regarding changes to the QIR program. The revised program will offer a more streamlined curriculum, require fewer hours to complete, cost less than the existing program, and require annual requalification versus the three-year cycle previously in effect. Existing QIRs, which are listed on the PCI SSC website, will be phased into the new program as certification qualification terms expire.

"The other piece of feedback we received was that a significant percentage of QIRs are sole proprietor one-person companies, and therefore the model we had in which we qualify the company and then we qualify the employees was cumbersome for them," said PCI SSC Chief Operating Officer Mauro Lance. "So we eliminated the company requirements. Now the individual is going to qualify and be recognized as a QIR."

Anderson encourages individuals to become QIR certified. "We've seen cases where the installer leaves operator ports open after leaving the merchant, which allows any hacker out there to get into those systems," he mentioned as just one example of the pitfalls of not being certified.

Software standards refresh

Also underway is a plan for migrating Payment Application (PA)-DSS to a new software security framework validation program and listing; however, in the interim, the PA-DSS program will continue to function as it does now, the council noted.

The PCI SSC Software Security Taskforce, which includes members from Microsoft Corp. and SAFECode (Software Assurance Forum for Excellence in Code), is working to develop a Software Security Standard Framework to be