PCI DSS Certification vs PCI DSS Compliance: What’s the difference?

When buying goods or services, you deserve the assurance that the merchant or vendor you buy from will take every possible measure to safeguard your bank details and financial information. PCI DSS certification gives consumers the firm reassurance that payment information is kept secure every step of the purchase process.

Payment Card Industry Data Security Standards (PCI DSS) is a set of standards that all businesses that process, transmit or store cardholder data must adhere to in order to keep payment information secure. The standards were set out by the Security Standards Council, which is comprised of founder members American Express, Visa, MasterCard, and JCB Co., Ltd.

Businesses in breach of these standards could face serious consequences. While PCI DSS compliance isn’t technically a legal requirement, it is enforced through contractual agreements between merchants and their bank or card issuers. Not adhering to the standards could result in fines, legal proceedings and higher fees for accepting card payments. It could even result in a ban on accepting card payments altogether. If non-compliance results in a data breach, there could also be additional fines from the Information Commissioner’s Office. There are also secondary impacts to think of, such as loss of customer trust and reputational damage.

There are notable differences between PCI DSS compliance and PCI DSS certification.

We highlight the main differences in the table below.

PCI DSS Compliance

PCI DSS Certification

Self-assessed. Assessed by a Qualified Security Assessor.
Typically takes less than one month to complete a self-assessment. Can take up to 6 months for a full audit.
A claim of compliance. Provides proof of compliance.


As you can see from the table above, PCI DSS compliance relies heavily on the capability of internal teams at self-auditing complex payment information protection systems. PCI DSS certification, on the other hand, gives a thorough and unbiased audit as proof of compliance. While the criteria for both assessments are mostly the same, the certification process gives concrete proof that the company being audited is taking all measures to protect payment information. With self-assessed compliance, the self-certification process is much less thorough and relies on consumer trust. You have to just put your faith in the company that says their own auditing measures are adequate. There is no proof.

Shred Station is PCI DSS Level 1 Service Provider certified, which is the highest certification available. Our PCI DSS certification, viewable here, gives our customers total reassurance that their payment information is treated with the highest levels of protection.

We recommend all customers look for PCI DSS certification rather than compliance when buying goods or services from any business.

Sign up for our newsletter to receive alerts about new blog articles, data protection advice, and Shred Station news.