Retail VAR Warning: The Truth About PCI Certification
If you're a retail IT provider, you've probably heard about the PCI Security Standards Council's (PCISSC) new QIR (Qualified Integrators and Resellers) program, which involves training and certification to ensure you're able to install payment applications "in a manner that facilitates PCI DSS compliance."
Bob Russo, the Council's GM, has been quoted for months on the topic of security training and certification in various industry publications. In many cases, these articles have done a disservice to retail solutions providers. In fact, some articles even point at retail solutions providers as the root cause of many of the security problems facing merchants today. As if your job weren't hard enough, now you've got merchants reading these articles and casting suspicious eyes your way.
Up to this point, there hasn't been good coverage in the media about what the RSPA (Retail Solutions Providers Association - the only association dedicated to you, the retail solutions provider) has already done and is doing to address the issue of education and certification.
While the PCISSC has been slowly updating standards and figuring out new ways to make money (yes, it's charging you for training and certification), here's what the RSPA has done:
Way back in 2006, the RSPA recognized there was a problem and created a PCI committee. The committee's first project was the "Are You At Risk?" video, which explained why card data should not be stored and why it pays to upgrade POS systems. It was aimed at merchants who, confused by changing PCI standards, assumed the changes were a money-making effort by solutions providers.
The RSPA also put together a coalition of merchant-based associations, including NRF, NRA, FMI, NGA, NACS, PCATS, and the Merchant Advisory Group, to deal with the issues of payments and security. Reportedly, the coalition's continuing attempts to engage and collaborate with the PCISSC have made slow progress. Interestingly, its direct work with the credit card brands has apparently yielded more.
The RSPA also created PCIwise, a training and certification program. Visa helped the organization develop the curriculum, which is available to both solutions providers and merchants. I'm told that the PCISSC declined to participate in the development of this education. Understand, this training is free and has been around for more than a year, while the Council has only just gotten its paid version off the ground.
Additionally, the RSPA's certification program has been accredited by many of the organizations in the above-mentioned coalition. Today, merchants can find certified retail solutions providers on a customer-facing website, RSPACertified.com. To date, the NRA, NGA and CSRA (Council of State Restaurant Associations) all endorse the RSPA's certification and encourage their members to use RSPA Certified Retail Technology Providers.
If the Council were really concerned with solving the security problems facing merchants, which for the most part are created by antiquated technology rather than by ignorant solutions providers, it would make its training free as the RSPA has, or, better yet, work with the RSPA and the coalition of associations to use the training and certification programs already in place. Unfortunately, it seems like the Council is more interested in turning the security issues facing retailers into a money-making opportunity.
Sadly, I don't think there's much that can be done to sway the direction the Council has decided to take. I bring all this up because I feel it's my duty, as a member of the media dedicated to solutions providers, to paint a complete picture of the situation.
I welcome your thoughts on PCI certification, the RSPA, and the Security Standards Council in the comment section below.