PCI Certification vs. Compliance: What Is the Difference?
Published December 12, 2019 by Shanna Nasiri
Organizations are often left wondering what the difference is between a certification granted by representatives of the Payment Card Industry (PCI) and simply achieving compliance.
The Payment Card Industry Data Security Standard (PCI DSS) defines a framework for protecting cardholder data. The framework was developed by the Payment Card Industry Security Standards Council (PCI SSC) and enables organizations to assess how well they are protecting cardholder data, training staff, and conducting PCI DSS audits. The PCI Security Standards Council enables organizations to become PCI DSS compliant. Accepting payment cards like Visa, Mastercard, American Express, Discover, and JCB is critical to a merchant’s ability to transact business. Cash and checks are becoming rarer in brick-and-mortar companies and all but nonexistent in online transactions. Noncompliance is not an option in our age of online transactions and prevalent use of e-commerce.
The PCI certification is granted via a comprehensive process that involves an intensive audit performed by a Qualified Security Assessor (QSA). The QSA will examine the business environment, looking in depth at every place where cardholder data may interface with systems, networks, and storage.
The QSA is most interested in validating that proper PCI DSS controls are in place and that the organization’s overall PCI program meets the standard. The PCI DSS compliance audit is critical to proving that the proper controls are in place and that security policy is being followed. PCI DSS requirements are readily available for an organization seeking to understand what an auditor is looking for. Holding a PCI certification shows, more than anything else, that the organization is committed to compliance standards, properly configured security systems, a secure network, and overall information security.
PCI compliance is obtained by an organization following the detailed best practices laid out by the PCI Council to protect cardholder data. Compliance is very focused on the development and maintenance of systems and processes that have to do with protecting cardholder data.
Organizations should look at PCI compliance as the ongoing pursuit of excellence in safeguarding payment card information by continually refining their use of the PCI DSS framework and always being prepared for an audit. Many organizations perform self-audits quarterly or yearly, along with penetration testing, to see how the controls they have established perform under real-life circumstances. PCI compliance is easier to obtain when using a framework like that of the PCI DSS, and can be strengthened by having a vulnerability management program, restricting public network access, and having proper firewall configurations.
There are obvious advantages to becoming PCI certified versus merely PCI compliant. Some have argued that both should be a requirement for continued data leak prevention.
How better to know that the merchant you are transacting with is truly following PCI DSS best practices than to see that they are PCI certified?
The problem tends to come down to the cost of obtaining that PCI-certified status. Plus, if the merchant is small enough, they may be operating under the Payment Card Industry Self-Assessment Questionnaire (PCI SAQ), and the organization processing the payment card actually holds the certification.
In the instance of accepting, transmitting, and storing payment card data, there are wide gaps. Just because a merchant accepts payment cards does not mean they are the one who actually stores or processes the information. The real difference between compliance and certification comes down to the level of audit that the organization must follow. Ultimately, the goals of PCI DSS, regardless of certification or compliance, are to prevent data breaches and to continue to accept and/or process payment cards.