You have probably heard the terminologies PCI compliance and PCI certification bandied about, but did you know that they are not interchangeable?

Data security has surpassed being just an industry buzzword; it’s now a basic tenet of responsible business ownership.

The highest levels of data security are measured based on one primary standard, and that measuring stick is called the Payment Card Industry Data Security Standard (shortened up, it often reads as PCI DSS, PCI-compliant, or PCI-certified. Each moniker means that the service provider has implemented rigorous measures to prove that they take data security seriously.

The Need for PCI DSS Arises

While PCI DSS is a hot topic, it is not a new concept. Many business owners are stunned to learn that the idea turns twenty years old in October of 2019. In fact, it’s evolved many times over that span of time. Here are several of the more significant milestones.

The need for increased security measures was first noted by the payment card industry giant Visa in 1999. As the internet gave birth to a new concept—e-commerce—card security became of paramount importance due to the rise in online fraud.

As the internet exploded and connected shoppers with worldwide vendors in the early 2000s, a new concern arose. The standards set forth by companies operating on one continent wildly varied from those in use on another. This inconsistency still left unsuspecting online shoppers subject to the threat of data theft. Thus, these standards were tightened up to close loopholes and standardize practices.

As a consequence of the continued upswing in malware, cyber-attacks, and data theft, the five largest payment processing companies banded together to form the Payment Card Industry Security Standards Council (PCI SSC) in 2006. Payment processing companies were mandated to comply with the strictest of requirements.

The founding members of the PCI SSC are:

For the past decade, the council members have impacted the payment industry by advocating for strict compliance by any payment processors with a goal of protecting both consumers and merchants from losses resulting from online fraud.

This summary underscores the need for—plus the vital role of—PCI DSS for any company who accepts payments.

Comparison of PCI Compliance and PCI Certification

Both PCI compliance and PCI certification require participating businesses to undergo a rigorous vetting process that ensures they are securing data according to the PCI standards.

What companies participate? Companies that process, transmit or store customer payment data are the ones who must become PCI compliant.

But, there they spend a significant investment to achieve these esteemed credentials. For small businesses, be certain that you are using banks, online services, and other providers that have got you covered with at least PCI Compliance. Or, even better, choose a provider that’s PCI Certified.

What is PCI Compliance?

PCI Compliance demonstrates that a business has completed a comprehensive checklist of security measures prescribed by PCI DSS. The process takes about 30 to 45 days to complete.

In the end, the company conducts a self-assessment and attests to the PCI Council that they are compliant.

What is PCI Certification?

PCI Certification takes that same checklist, then ups the ante.

To earn a PCI Certificate, the company must meet all the same criteria as compliance. However, they must then submit to an independent audit conducted by a PCI Qualified Security Assessor (QSA) who was selected, trained, and qualified by the PCI body itself.

The entire certification effort takes approximately six months to one year to complete, and the presence of the QSA serves as proof of a company’s compliance of the checklist.

Summarizing the key difference

Here’s a thumbnail sketch that summarizes the key differentiator between PCI compliance and PCI certification.

Being PCI compliant is like a student swearing that they completed all of his/her homework. Holding a PCI certificate, on the other hand, is like a teacher verifying completion of that student’s homework and scoring it an A+.

Is Your Form Provider PCI Compliant or PCI Certified?

So, you already know now that your payment providers are compliant and cardholder data is, therefore, secure.

But, what about all the data that is transmitted digitally via your online forms?

Some form companies are PCI DSS compliant while others are PCI DSS certified. In case you have not guessed by now, EmailMeForm is PCI-Certified.

We are proud to have passed the rigorous audit conducted by a QSA and achieved our PCI DSS in October of 2018. Woo-hoo!

Here are some ways to vet your form company to discern where they land.

Learn more about how we handle data security here in EmailMeForm.

Choose the Gold Standard: EmailMeForm

Your customers have some basic expectations of your company; one of these is your utmost attention to data security.

If you are not using a PCI certified form provider, you are leaving yourself open to data breaches and potential harm from malicious attackers, especially if you are collecting sensitive client information like credit card data.

EmailMeForm elected to pursue PCI certification because we wanted our valued clients to feel confident that they are providing a safe online environment that surpasses the basic expectations. Our forms integrate with trusted PCI compliant or certified companies like PayPal,, and Braintree.

And if you are collecting credit card information using forms, don’t settle for basic, choose the gold standard—the EmailMeForm Vault.

Vault is a robust solution that lets you collect and store credit card data securely.

Watch the video to learn more about Vault.
PCI DSS online forms

Author Deborah Tayloe

Deborah Tayloe

Deborah is a blogger and freelancer who often writes for EmailMeForm. When she’s not blogging, you’ll probably find Deborah working on DIY projects around her home in North Carolina.

Actionable data insights create new revenue opportunities, increase efficiency, and cut costs, but many executives still operate on gut instinct.

Creating business value from big data

GDPR Explained: the Basics

Demand for cybersecurity professionals rises as the industry fails to keep up with growing risk.

Cybersecurity Workforce Shortage

As education transitioned into the digital age, schools have an increased responsibility to safeguard their students’ data.

Schools’ digital responsibility to ensure student data privacy

More blog posts