
“PCI DSS certification” is a commonly used term that refers to a business’s ability to demonstrate compliance with Payment Card Industry Data Security Standard (PCI DSS) requirements, even though PCI DSS itself does not issue formal certifications. If a partner, payment processor, customer, or acquiring bank asks you for a PCI certificate to prove your compliance, it’s important to know what’s required and what you need to present to demonstrate compliance.
The evidence you can present to a requesting party varies depending on the size and type of organization, how many card payments you process annually, and the types of payment method your business uses.
In this guide, we look at what “PCI DSS certification” means in practice, what you can present as proof of compliance, and the most important points requesters need to know about.
PCI DSS Compliance vs. “Certification”: What the Terms Actually Mean
PCI DSS compliance refers to the ongoing measures and standards you put in place to keep cardholder data secure. Strictly speaking, there is no such thing as PCI DSS certification: there is no recognized certification, and no concept of safe harbor for demonstrating compliance. When people use the term “PCI certification,” they are generally referring to the “proof” of compliance you offer third parties to show that you meet these standards.
The easiest way to understand the distinction is that compliance refers to meeting PCI DSS requirements, while “certification” is an informal way of describing the evidence used to demonstrate that compliance. However, there is no formal “certification” or certificate you can produce to confirm you meet these standards. Instead, there are specific types of proof you should obtain, complete, and provide to requesting parties.
Who Determines What You Need to Submit
Payment processors such as Visa and Mastercard assign merchant businesses and service providers to PCI compliance levels, which determine how they validate and report evidence of PCI compliance. Your compliance level depends on how many card transactions you process each year.
Payment processors’ levels may vary in size and definition, but merchants, for example, can expect to fit into one of the following categories:
- Level 1: Processing more than six million yearly transactions, requiring an extensive independent Qualified Security Assessor (QSA) review and Report on Compliance (ROC)
- Level 2: Processing between one and six million yearly transactions, requiring a Self-Assessment Questionnaire (SAQ), with QSA or Internal Security Assessor (ISA) validation for certain SAQ types such as SAQ A, A-EP, or D
- Level 3: Processing between 20,000 and one million yearly e-commerce transactions, requiring Self-Assessment Questionnaires (SAQs)
- Level 4: Processing fewer than 20,000 yearly e-commerce transactions, and all other merchants processing up to one million total transactions annually
As this is a general overview, we recommend consulting your processor for the specific levels and compliance requirements they set. For example, Visa has a set of specific compliance measurement standards to follow:
“Merchant level identification is based on the corporate entity’s total volume of Visa transactions (inclusive of credit, debit and prepaid) meeting the transaction thresholds in one country or with one acquirer per year. Volume from independently-owned and operated merchant locations (e.g., franchisee, licensee) may be excluded if it is not processed by the corporate entity.”
Visa Corporate
What Counts as Acceptable Proof of PCI DSS Compliance
Depending on your compliance level and your processor’s requirements, you can provide a Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AOC), Report on Compliance (ROC), and Approved Scanning Vendor (ASV) documentation as proof on request.
SAQ + Attestation of Compliance (AOC)
SAQs are self-validation forms that help you document and prove compliance if you are a self-assessment-eligible business processing fewer than six million yearly transactions. These checklists break down each of the 12 PCI DSS requirements and expect you to confirm how you meet each compliance objective.
As of PCI DSS v4, there are nine different SAQs you can complete to prove compliance, which vary depending on the types of payments you process. For example, the PCI Security Standards Council defines “SAQ A” businesses as:
“Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.”
PCI SSC
Following completion of your SAQ or ROC, you must complete an AOC which declares that you have measures and controls in place to stay compliant (as recorded in your SAQ). Businesses at all compliance levels must submit AOCs, but some will need to complete ROCs alongside.
At compliance level 1 (and in some level 2 cases), you will need to submit to an assessment by an external QSA or ISA to validate your compliance and produce a ROC and AOC.
SAQ and AOC forms are available to download directly from PCI SSC.
Report on Compliance
Level 1 and 2 businesses that require QSA assessment undergo that assessment to produce a ROC, which confirms an external review of PCI DSS compliance. ROCs are produced following extensive review and consultation with business owners. They record evidence that each of the 12 PCI DSS requirements is being met, or describe how and when missing security controls will be remediated.
Level 3 businesses generally use an SAQ and AOC, and some level 3 businesses may need to produce an ROC if requested by processors or acquiring banks. Level 4 businesses may self-assess and demonstrate compliance using an SAQ and AOC.
ASV scan documentation (when applicable)
Approved Scanning Vendors (ASVs) conduct external vulnerability scans to verify that a business’s in-scope systems meet the PCI DSS scanning requirements. ASVs are validated and approved by the PCI Security Standards Council (SSC).
ASV scans are required for businesses with externally facing systems in scope for PCI DSS, and must be conducted at least quarterly when applicable (Requirement 11.3). ASV scan results offer proof, assurance, and confidence to parties requesting “PCI certification.”
Penetration testing
The PCI DSS mandates that organizations perform both internal and external penetration testing on their cardholder data environment (CDE) at least once every 12 months and after any significant change. Unlike automated vulnerability scans, penetration tests use human testers to simulate real-world attacks.
Organizations must implement a penetration testing methodology (Requirement 11.4.1), and all exploitable vulnerabilities identified during testing must be remediated and verified through retesting (Requirement 11.4.4).
If your environment uses network segmentation to isolate the CDE, segmentation controls must also be validated through penetration testing at least annually—or every six months for service providers (Requirements 11.4.5 and 11.4.6).
Penetration testing may be performed by a qualified internal resource who is independent of the systems being tested. However, best practice, and the most common arrangement, is for testing to be performed by a qualified third-party firm.
It is important to note that penetration testing is distinct from vulnerability scanning. Vulnerability scans are automated assessments that identify known weaknesses; penetration testing involves skilled testers actively attempting to exploit those weaknesses to determine the real-world impact. Both are required components of PCI DSS compliance. Penetration test results are not typically submitted as standalone compliance documentation, but they may be reviewed during a QSA assessment or requested by acquirers as part of the validation process.
If Someone Asks You for a “PCI Certificate,” What to Provide Instead
There is no official or single “PCI certificate” you can provide to requesters, so you must determine which documents to offer as proof depending on your compliance level, transaction volumes, and payment acceptance methods.
Let’s split this scenario into whether you validate via SAQ or ROC:
If validating with an SAQ, provide:
- Your completed SAQ (e.g., SAQ A, SAQ C-VT, or SAQ D)
- An AOC confirming you have met compliance requirements
- ASV scan evidence, where applicable
If validating with an ROC, provide:
- Your completed ROC validated by a QSA
- An AOC confirming you have met compliance requirements
- ASV scan evidence
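The two lists above, together with the cadences given earlier for ASV scans (quarterly), penetration tests (annual) and segmentation tests (annual, or every six months for service providers), can be turned into a simple review of an evidence package a requester has been handed. The following is an added example, not code from the original article or from SecureTrust; the field names, the 12-month treatment of an AOC's validity, and the sample dates are all constructed for illustration.

```python
"""Review a PCI DSS evidence package for completeness and freshness.

Added example: the document types, validation paths and cadences encoded here
are the ones the article states (SAQ + AOC or QSA-validated ROC + AOC, quarterly
ASV scans, annual penetration tests, segmentation tests every 12 months or every
6 months for service providers). Field names and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# The only document types recognised as evidence (per PCI SSC's statement quoted in the article).
OFFICIAL_DOCS = {"SAQ", "AOC", "ROC", "ASV"}


@dataclass
class EvidencePackage:
    validation_path: str                         # "SAQ" or "ROC" (constructed field name)
    documents: Dict[str, date]                   # document type -> date completed
    asv_scan_dates: List[date] = field(default_factory=list)
    roc_qsa_validated: bool = False
    external_facing_in_scope: bool = True        # ASV scans only apply when True
    pentest_date: Optional[date] = None
    uses_segmentation: bool = False
    segmentation_test_date: Optional[date] = None
    is_service_provider: bool = False


def _stale(when: Optional[date], max_days: int, as_of: date) -> bool:
    """True when a date is missing or older than max_days relative to as_of."""
    return when is None or (as_of - when).days > max_days


def review_evidence(pkg: EvidencePackage, as_of: date) -> List[str]:
    """Return findings; an empty list means the package looks complete and current."""
    findings = []
    # Anything that is not an official PCI SSC form (e.g. a vendor "PCI certificate") is not evidence.
    for doc in pkg.documents:
        if doc not in OFFICIAL_DOCS:
            findings.append(f"'{doc}' is not an official PCI SSC form and does not count as evidence")
    # Every validation path needs a current AOC (assumed here to be valid for 12 months).
    if _stale(pkg.documents.get("AOC"), 365, as_of):
        findings.append("AOC missing or older than 12 months")
    if pkg.validation_path == "SAQ":
        if "SAQ" not in pkg.documents:
            findings.append("SAQ validation path but no completed SAQ supplied")
    elif pkg.validation_path == "ROC":
        if "ROC" not in pkg.documents:
            findings.append("ROC validation path but no ROC supplied")
        elif not pkg.roc_qsa_validated:
            findings.append("ROC supplied but not validated by a QSA")
    else:
        findings.append(f"unknown validation path {pkg.validation_path!r}")
    # ASV scans: quarterly whenever externally facing systems are in scope.
    if pkg.external_facing_in_scope:
        scans = sorted(d for d in pkg.asv_scan_dates if d <= as_of)
        if not scans or (as_of - scans[-1]).days > 90:
            findings.append("no ASV scan within the last 90 days")
        last_year = [d for d in scans if (as_of - d).days <= 365]
        if len(last_year) < 4:
            findings.append(f"only {len(last_year)} ASV scan(s) in the last 12 months (quarterly expected)")
    # Penetration test at least every 12 months.
    if _stale(pkg.pentest_date, 365, as_of):
        findings.append("penetration test missing or older than 12 months")
    # Segmentation test: annual, or every six months for service providers.
    if pkg.uses_segmentation:
        max_days = 182 if pkg.is_service_provider else 365
        if _stale(pkg.segmentation_test_date, max_days, as_of):
            findings.append(f"segmentation test missing or older than {max_days} days")
    return findings


def build_sample_packages():
    """Two constructed packages: one complete and current, one with several gaps."""
    good = EvidencePackage(
        validation_path="SAQ",
        documents={"SAQ": date(2025, 3, 1), "AOC": date(2025, 3, 1)},
        asv_scan_dates=[date(2024, 7, 15), date(2024, 10, 15), date(2025, 1, 15), date(2025, 4, 15)],
        pentest_date=date(2024, 9, 10),
    )
    bad = EvidencePackage(
        validation_path="ROC",
        documents={"ROC": date(2024, 2, 1), "AOC": date(2024, 2, 1), "PCI Certificate": date(2025, 1, 1)},
        asv_scan_dates=[date(2025, 1, 10)],
        roc_qsa_validated=False,
        pentest_date=None,
        uses_segmentation=True,
        segmentation_test_date=date(2024, 11, 1),
        is_service_provider=True,
    )
    return good, bad


if __name__ == "__main__":
    review_date = date(2025, 6, 1)
    for label, pkg in zip(("good", "bad"), build_sample_packages()):
        print(label, review_evidence(pkg, review_date) or ["no findings"])
```

Run as a script it prints no findings for the first package and seven for the second, including the vendor “PCI Certificate” that is flagged as not counting as evidence. A requester can extend `OFFICIAL_DOCS` or the cadences only if their acquirer or processor tells them to; the defaults reflect what the article states.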
How to Spot Misleading “PCI Certificates”
There is no such thing as a PCI “certificate.” Anything purporting to be an official PCI SSC recognized certificate is fraudulent at worst and at best should not be trusted as proof of compliance.
The PCI SSC confirms that you should only trust documentation consisting of its official templates and forms (e.g., SAQs, ROCs, AOCs, ASV reports), and that compliance “certificates” do not count as evidence:
“The only documentation recognized for PCI DSS validation are the official form documents from the PCI SSC website. Any other form of certificate or documentation issued for the purposes of documenting compliance to PCI DSS, or any other PCI SSC standard, are not authorized or validated by PCI SSC, and their use is not acceptable for evidencing compliance.”
PCI SSC
Do not accept any documentation outside of SAQs, ROCs, AOCs, and ASV reports as evidence of compliance.
What Businesses Actually Need to Do (High-Level Validation Steps)
To get PCI compliant and obtain necessary proof, businesses must assess their payment processes, confirm their validation path, and take regular steps to maintain compliance year-round.
A great place to start is by following our complete PCI compliance checklist. However, businesses must typically:
- Carefully determine all payment channels and annual card transaction volumes
- Determine and confirm their validation path based on their compliance level (i.e., SAQ type or ROC)
- Complete regular internal and external vulnerability scans at least quarterly
- Perform penetration testing at least annually covering internal and external attack surfaces
- Take further steps to enact data minimization practices, encrypt the data you must hold, and test and maintain data security controls year-round
Conclusion
There is no specific “PCI certificate” you can present to confirm compliance. If you are asked to offer proof of compliance, you must complete SAQs, ROCs, AOCs, and ASV reports depending on your compliance level.
Ongoing compliance takes time, effort, and extensive scrutiny. With SecureTrust PCI Manager, you can protect your customers’ data year-round and always be ready to provide proof of compliance to those who need it.
FAQs
Let’s close our guide with some commonly-asked questions about PCI DSS certification and proof of compliance.
Is PCI DSS a legal requirement?
PCI DSS is not legally mandated, but is enforced by payment providers, acquiring banks, and card brands. Note that some states have enacted statutes that reference or incorporate PCI DSS requirements. Regardless of your business’s size and industry, you must maintain card security standards that adhere to PCI DSS requirements.
Who determines whether I complete an SAQ or need a ROC?
Your payment processor typically determines how you need to record and prove compliance, based on how many card transactions you process each year. Typically, businesses that process up to six million annual transactions need to submit SAQs. ROCs are mandatory if you process more than this volume.
What documents count as proof of PCI compliance?
You can prove PCI compliance on request with completed SAQ, AOC, ROC, and ASV reports; however, the documents you need depend on how many transactions you process each year. There is no single “PCI certificate” you can offer as proof of compliance.
Do security tools count as proof of PCI DSS compliance?
No. Security tools support your controls, but they are not “certification” and they don’t replace PCI validation documents. Tools may generate supporting evidence (for example, ASV scan reports), but PCI SSC is clear that only the official PCI SSC form documents are recognized for evidencing compliance.
How much does PCI DSS compliance typically cost?
Costs vary based on the size, nature, and complexity of your business and whether you validate by SAQ or by a QSA-led ROC. Common cost drivers include the implementation of security tools to meet compliance requirements, as well as the people and processes needed to support compliance. There are also costs for remediation work and for security testing (such as ASV scanning, penetration testing, and segmentation testing where applicable). Finally, there may be assessor fees for advisory services, a validated SAQ, or a formal assessment and ROC.
Senior Product Marketing Manager
SecureTrust