PCI Certification Vs. PCI Compliance: Know The Difference

Striving to be PCI certified has grown increasingly important over the past 18 months, as major retailers have found themselves on the nightly news due to major security breaches. PCI certification refers to the Payment Card Industry Data Security Standard (PCI DSS), which sets requirements for businesses that handle credit card data. The goal of the PCI Council is to create a secure environment and reduce the risk of processing credit cards by implementing proper prevention and detection controls. Essentially, complying with PCI standards means you are doing your best to keep customers' valuable data protected.

Ensuring your company is PCI certified offers obvious benefits to both the company and its customers. However, many organizations fail to recognize the difference between being PCI compliant and PCI certified.

PCI Compliance vs. PCI Certification

PCI compliance means a company has taken steps to help protect cardholder data (CHD) following the guidelines set by the PCI Council. The company completes a self-assessment questionnaire, a checklist in which the organization attests that it is following all necessary requirements. The process takes less than a month to complete. While a self-assessment is a good practice, it is best to get a professional opinion, and that's where PCI certification comes in.

PCI certification is a rigorous and comprehensive process that involves a full-scale audit by a Qualified Security Assessor (QSA). The QSA validates all areas of the business that come in contact with CHD to ensure proper controls and security measures are in place to protect the customer. The PCI certification audit includes reviews of the following:

  • How the software is developed
  • The process by which developers are trained
  • Technical and procedural controls

A full review and validation of the hundreds of PCI controls takes up to six months to complete.

It is important to understand that the requirements for a self-assessment questionnaire and for PCI certification are essentially the same. The key difference is the verification process performed by the QSA: PCI certification is proof, whereas PCI compliance is a claim.

Your business is one of the most important things you have in your life, and taking chances on something as important as PCI certification is not a decision to be taken lightly. Feel free to contact our Security Specialists with any questions you may have on how to protect your micro market business.