PCI Compliance versus PCI Certification

You have probably heard the terminologies PCI compliance and PCI certification bandied about, but did you know that they are not interchangeable?

Data security has surpassed being just an industry buzzword; it’s now a basic tenet of responsible business ownership.

The highest levels of data security are measured based on one primary standard, and that measuring stick is called the Payment Card Industry Data Security Standard (shortened up, it often reads as PCI DSS, PCI-compliant, or PCI-certified. Each moniker means that the service provider has implemented rigorous measures to prove that they take data security seriously.

The Need for PCI DSS Arises

While PCI DSS is a hot topic, it is not a new concept. Many business owners are stunned to learn that the idea turns twenty years old in October of 2019. In fact, it’s evolved many times over that span of time. Here are several of the more significant milestones.

The need for increased security measures was first noted by the payment card industry giant Visa in 1999. As the internet gave birth to a new concept—e-commerce—card security became of paramount importance due to the rise in online fraud.

As the internet exploded and connected shoppers with worldwide vendors in the early 2000s, a new concern arose. The standards set forth by companies operating on one continent wildly varied from those in use on another. This inconsistency still left unsuspecting online shoppers subject to the threat of data theft. Thus, these standards were tightened up to close loopholes and standardize practices.

As a consequence of the continued upswing in malware, cyber-attacks, and data theft, the five largest payment processing companies banded together to form the Payment Card Industry Security Standards Council (PCI SSC) in 2006. Payment processing companies were mandated to comply with the strictest of requirements.

The founding members of the PCI SSC are:

• Visa
• MasterCard
• American Express
• Discover Financial Services
• JCB International

For the past decade, the council members have impacted the payment industry by advocating for strict compliance by any payment processors with a goal of protecting both consumers and merchants from losses resulting from online fraud.

This summary underscores the need for—plus the vital role of—PCI DSS for any company who accepts payments.

Comparison of PCI Compliance and PCI Certification

Both PCI compliance and PCI certification require participating businesses to undergo a rigorous vetting process that ensures they are securing data according to the PCI standards.

What companies participate? Companies that process, transmit or store customer payment data are the ones who must become PCI compliant.

• Payment processing companies
• Data processing companies
• Banks and financial institutions
• Hospitals
• Social media platform
• Online travel agencies
• Insurance companies
• Online retailers and services

But, there they spend a significant investment to achieve these esteemed credentials. For small businesses, be certain that you are using banks, online services, and other providers that have got you covered with at least PCI Compliance. Or, even better, choose a provider that’s PCI Certified.

What is PCI Compliance?

PCI Compliance demonstrates that a business has completed a comprehensive checklist of security measures prescribed by PCI DSS. The process takes about 30 to 45 days to complete.

In the end, the company conducts a self-assessment and attests to the PCI Council that they are compliant.

What is PCI Certification?

PCI Certification takes that same checklist, then ups the ante.

To earn a PCI Certificate, the company must meet all the same criteria as compliance. However, they must then submit to an independent audit conducted by a PCI Qualified Security Assessor (QSA) who was selected, trained, and qualified by the PCI body itself.

The entire certification effort takes approximately six months to one year to complete, and the presence of the QSA serves as proof of a company’s compliance of the checklist.

Summarizing the key difference

Here’s a thumbnail sketch that summarizes the key differentiator between PCI compliance and PCI certification.

Being PCI compliant is like a student swearing that they completed all of his/her homework. Holding a PCI certificate, on the other hand, is like a teacher verifying completion of that student’s homework and scoring it an A+.

Is Your Form Provider PCI Compliant or PCI Certified?

So, you already know now that your payment providers are compliant and cardholder data is, therefore, secure.

But, what about all the data that is transmitted digitally via your online forms?

Some form companies are PCI DSS compliant while others are PCI DSS certified. In case you have not guessed by now, EmailMeForm is PCI-Certified.

We are proud to have passed the rigorous audit conducted by a QSA and achieved our PCI DSS in October of 2018. Woo-hoo!

Here are some ways to vet your form company to discern where they land.

• See if the website accepts payment on their site or sends you to a third party such as PayPal. If they process payments on their site, they’re more likely to be compliant. However, if they do send you to a third party, they are more likely non-compliant.
• Look at the URL and look for an indication that they have an up-to-date SSL Certificate. A website that does not have that essential SSL certificate to encrypt data transmission is non-compliant.

• If a company claims to be either compliant or certified, they will shout it from the rooftop. Does the company you’re considering partnering with make this claim?

  
  

• Contact the form company directly. Companies understand your need for reassurance that they comply with these PCI requirements. In fact, the best online form companies welcome questions.

Learn more about how we handle data security here in EmailMeForm.

Choose the Gold Standard: EmailMeForm

Your customers have some basic expectations of your company; one of these is your utmost attention to data security.

If you are not using a PCI certified form provider, you are leaving yourself open to data breaches and potential harm from malicious attackers, especially if you are collecting sensitive client information like credit card data.

EmailMeForm elected to pursue PCI certification because we wanted our valued clients to feel confident that they are providing a safe online environment that surpasses the basic expectations. Our forms integrate with trusted PCI compliant or certified companies like PayPal, Authorize.net, and Braintree.

And if you are collecting credit card information using forms, don’t settle for basic, choose the gold standard—the EmailMeForm Vault.

Vault is a robust solution that lets you collect and store credit card data securely.

Deborah Tayloe

Deborah is a blogger and freelancer who often writes for EmailMeForm. When she’s not blogging, you’ll probably find Deborah working on DIY projects around her home in North Carolina.