PCI 101: Compliance vs Certification
Have you ever made food or baked a dessert, and while it tastes great, you know there’s something that could make it even better? Achieving PCI certification is like finding that missing ingredient.
Just like one ingredient can bring out the flavor in your food, PCI certification can enhance your company’s PCI compliance. Although the two may sound similar, and in many cases are, there are subtle differences between the two. Let’s break it down, starting with a refresher of PCI compliance.
PCI compliance is a set of requirements that serve as guidelines for businesses to operate safely while handling customer data, and it has become the standard for accepting, storing, processing, and transmitting credit card data.
While PCI compliance is not legally mandated, so businesses that fail to become compliant won't face criminal charges, a business that suffers a breach while non-compliant can face steep fines and other fallout.
How is PCI compliance achieved?
- Completing a self-assessment questionnaire stating that the company is following the necessary guidelines and that the proper requirements are being met
- Attaining PCI compliance typically takes less than a month
- Maintaining PCI compliance requires continued upkeep of cardholder data protection policies
PCI compliance is a necessity when it comes to keeping your customers’ data safe from hackers and fraudsters.
PCI certification is achieved through a comprehensive process in which a full-scale audit is conducted to ensure the company is in fact following the proper procedures to protect data. The assessment covers much the same ground as the self-assessment; however, to reach PCI certification, the audit must be performed by a trusted third-party qualified security assessor (QSA). The QSA will review and validate all aspects of the business that touch cardholder data.
Achieving PCI certification is an intensive process, lasting up to six months and examining and validating hundreds of aspects of the business, including:
- How the software was developed
- How the developers are trained
- Technical and procedural controls
Ensuring your company is not only PCI compliant but also PCI certified adds an extra layer of trust for your customers. The investment shows your dedication and commitment to protecting your customers, shows how much you value them, and is a way to repay their trust in your organization.
That brings us to the question: are both necessary?
While the requirements covered by the self-assessment questionnaire for PCI compliance and by the audit performed for PCI certification are essentially the same, the verification for certification must be done by a trusted third-party QSA. The self-assessment for achieving PCI compliance is a good practice, but it's even better to have the audit done by a professional.
Essentially, PCI compliance is a claim, whereas PCI certification is proof that a company is doing everything in its power to protect valuable data. If you want to go the extra mile, make sure you’re not only PCI compliant, but PCI certified as well. By achieving PCI certification, you’re assuring your customers that you’ve taken greater precautions to protect them and their personal information, thereby instilling a greater sense of trust.
PCI certification, as the saying so aptly puts it, really is the cherry on top.
Get a Deeper Look at PCI
To learn more about PCI compliance, PCI certification, and other laws and regulations that go into protecting cardholder data, check out our Definitive Guide to PCI Compliance Part II: Hotels.