PCI certification is the process a company goes through to verify that it is in compliance with the Payment Card Industry Data Security Standard (known as PCI DSS). These standards are set by the major credit card companies and are designed to help reduce theft of credit card information. In general, companies that use, store or share credit card information in any way are required to obtain PCI certification.
Requirements for obtaining PCI certification often vary depending on which merchant level a company is classified under. The average number of credit card transactions a company handles each year typically determines this. In general, a company may be labeled a level one, two, three or four merchant, with a level one company typically dealing with many millions of transactions a year and a level four company generally dealing with fewer than a million. Companies that have been involved in credit card theft schemes before may automatically be labeled as level one merchants, regardless of the number of transactions they typically deal with.
Those companies with the highest merchant level must often complete more rigorous testing to obtain PCI certification. For example, level one companies must often submit to rigorous testing of computer networks and security systems on an ongoing basis. PCI certification for such companies is generally only issued for a three-month period, after which more testing must be done to keep certification. The smallest, level four companies, such as those with just a few hundred credit card transactions a year, however, can often earn PCI certification simply by completing a self-assessment. If only such an assessment needs to be completed, the company's certification will typically last for a full year.
While the process of obtaining PCI certification may vary, the same basic principles typically apply to all merchant levels. These generally include having a secure computer network, protecting credit card information that is stored or transmitted electronically, regularly testing computer networks to make sure they are not at risk of being broken into, having a system to control who has access to credit card information, and regularly testing the processes previously put in place to protect credit card information. Within each of these overall categories there are often more specific requirements, but they all usually aim to meet these six main principles.
PCI certification is typically required for any company that uses, stores or shares credit card and/or certain debit card information. Debit cards that are usually included in this requirement are those that are affiliated with the major credit card companies. Failure to obtain PCI certification can result in fines issued by the credit card companies. Also, not being in compliance can put a company at greater risk for having credit card data stolen, which can be very costly.