How Many Will Join The Lone Systems Integrator On PCI’s New List?
A possibly more interesting “push” effect will happen when resellers and systems integrators who are QIRs pitch their qualifications to the software vendors. Will the QIRs push out some current resellers who are not so qualified? I think anyone can tell where this QSA’s hopes lie, but it will be up to the software vendors. It will be interesting to see if and how software vendors use the QIR program to differentiate their own product offerings.
I can think of one way the card brands can support the QIR program: subsidize some of the cost, at least in the first few years. Based on the pricing on the PCI Council’s Web site, a reseller with two qualified employees can expect to pay about $3,000 the first year and $2,400 each subsequent year. For a reseller with, say, five staff members to qualify, the cost is $6,000 initially and about $4,500 each subsequent year. There is a substantial discount for Participating Organizations, but that membership cost, too, is increasing this year.
These are only the out-of-pocket costs, and as Reliant’s Weiner pointed out to me, the internal staff costs in time and resources to become a QIR can be higher. For some resellers the costs may not be too great, especially if they gain a competitive advantage, as I hope they will. But for some others it may be a barrier to having all (instead of just a few) installers qualified.
Because the ultimate beneficiaries of increasing PCI compliance and reducing cardholder data breaches are the card brands, could they consider footing part of the bill for becoming a QIR? It seems like this idea might merit at least some discussion among the card brands.
I give a lot of credit to the PCI Council staff for taking the lead with this program. I have spoken with a lot of QSAs—some of whom E-mailed me when I first wrote about the QIR program—and their support is very broad. A possible way to expand the number of QIRs quickly might be to allow trade or industry organizations to offer their own version of QIR training. Training fits with the associations’ own charters, their costs may be lower, and competition with the PCI Council’s official training could keep pressure on price.
Regardless of the training, all QIRs must pass the same test to guarantee the same high standard, and the PCI Council must control that test. The PCI Council could track pass and fail rates for each association and then assess whether they are doing a good job.
The QIR program is an important step to protect retailers and all merchants. The first QIR has come to the dance. Now we have to wait and see if retailers, software vendors and maybe even the card brands, among others, will come to the dance, too.
What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me.