76% of Credit Card Breaches result from third party system support, development and/or maintenance.

The PCI Security Standards Council (PCI SSC) quotes results from the Trustwave 2012 Global Security Report, which states that 76% of the breaches Trustwave investigated resulted from security vulnerabilities introduced by a third party responsible for system support, development and/or maintenance of business environments. Errors introduced by third parties during the implementation, configuration and support of PA-DSS validated payment applications in merchant environments were identified as a significant risk to the security of cardholder data. Small businesses in the food and beverage industry, which rely heavily on outsourcing, are particularly vulnerable: they made up the bulk of the compromises.

Qualified Integrators & Resellers (QIR) program

To help address this security challenge, the new Qualified Integrators & Resellers (QIR) program will give integrators and resellers that sell, install and/or service payment applications on behalf of software vendors or others the opportunity to receive specialized training and certification in the secure installation and maintenance of validated payment applications in merchant environments, in a manner that supports PCI DSS compliance. The PCI SSC will maintain a global list of QIRs, giving merchants a trusted resource for selecting PCI-approved partners. The PCI SSC will offer the training online in late summer 2012, and the validated list for merchants will be published on the PCI SSC website shortly thereafter. More details on the program, including eligibility requirements, training course information and costs, will be made available soon. In the meantime, those interested in participating in the program can find more information here: https://www.pcisecuritystandards.org/training/qir_training.php

Approved Companies & Providers

The PCI Security Standards Council operates a number of programs to train, test and certify organizations and individuals to assess and validate adherence to the PCI Security Standards; these include the QSA, PA-QSA, ASV and ISA programs. I strongly recommend that retailers review this list to confirm claims made by third parties that they possess the specialized training and qualifications to perform PCI compliance duties. For a current list, visit: https://www.pcisecuritystandards.org/approved_companies_providers/index.php

Email questions to qir.