Effective March 31, 2016, acquirers must communicate to all Level 4 merchants that they must use only Payment Card Industry (PCI)-certified Qualified Integrators and Resellers (QIR) professionals for point-of-sale (POS) application and terminal installation and integration. Level 4 merchants must have all protocols in place by January 31, 2017 in order to be compliant.
Visa will now require all Level 4 merchants in the US and Canada to validate PCI DSS compliance annually starting January 31, 2017. Visa has always required Level 4 merchants to comply with PCI DSS, but it is now also requiring annual validation of that compliance. A Level 4 merchant performs fewer than 20,000 Visa or MasterCard e-commerce transactions annually. Comparatively, IVR Technology Group is Level 1 PCI DSS compliant, which means we process over 6 million Visa transactions per year.
In a post to Visa’s blog, Eduardo Perez, Senior Vice President for Payments System Risk at Visa, said the reasoning behind this was an analysis of data breaches investigated by Visa in 2015. In these reports, it was proven that 95 percent of breaches involved small and midsize businesses. Perez wrote, “Visa has found that cyber criminals are exploiting basic vulnerabilities in these vendors’ remote access controls in order to gain access to a merchant’s systems and install malicious code.”
Furthermore, small businesses are more likely to use resellers and integrators than their larger counterparts. Perez notes that this can leave companies at risk for a number of reasons. In some cases, a reseller or integrator may use a generic password or one that is too weak. An integrator may also have left the network remote access port open after work is complete, which would leave the company vulnerable.
Perez also noted that some retailers may not have proper software in place to protect against malware and spyware. It’s also important for retailers to have a proper security protocol in place, which would involve using only licensed software and making sure it is securely updated.