Why we chose PCI certification over PCI compliance

Organizations that collect credit card and personal data not only need to ensure PCI compliance, they also need to consider how their vendors and partners that touch cardholder data address PCI standards.

Just recently, Ricoh earned PCI certification for our inbound services. (You can read more in this press release.) Our certification ensures we help you maintain your compliance and assures you of our commitment to data security and securing your data.

Of course, we also recognize that the more common term is PCI compliance. This might prompt the question, “ Is PCI certification different than compliance?”

In this article, we will answer that question, and we will also:

• Define PCI  and explain its purpose

• Share the differences between PCI compliance and certification

• Explain why we chose the tough path of getting PCI certified

What does PCI stand for?

PCI is the acronym for Payment Card Industry. It refers to the data security standards established by the credit card companies to protect credit card payment transactions. The PCI standards define how a business stores, processes, and communicates cardholder data, including credit card and debit numbers, social security numbers, and even driver’s license numbers. This involves technical elements such as hardware and data security applications and operational factors like how employees engage with the data.

The standards for compliance have been developed and managed by the PCI Security Standards Council. As an element of consumer protection, the Federal Trade Commission oversees how credit cards are processed with legal precedent established for PCI compliance.

Any organization that meets the Payment Card Industry Data Security Standards, abbreviated to PCI DSS, is considered PCI compliant.

What is the difference between PCI compliance and PCI certification?

Every organization that runs credit card transactions must be PCI compliant. Those companies should also see that any vendors involved with the exchange or storage of their data minimally meet those standards as well.

As you evaluate vendors, you might find some are PCI certified. Is there a difference? The simple answer is yes.

What is PCI compliance?

The PCI DSS defines what an organization must do to protect cardholder information when stored, processed, and transmitted. The organization itself assesses, monitors, and measures its own level of PCI compliance – PCI compliance is a self-assessment. Compliance reports must be submitted regularly, but these are also compiled and completed by the organization.

Failing to meet the basic requirements can result in large fines, so there is certainly a great inclination to do so.

What is PCI certification?

PCI certification involves a documented, third-party assessment by a qualified security assessor (QSA) that features an in-depth evaluation of the systems, policies, and procedures to protect data and information. Companies that pass the certification process earn formal attestation of compliance.

Why Ricoh chose PCI certification

As a digital services provider, we help our customers store, manage, share, and protect data every day. We understood that much of this data required PCI compliant systems.

And for Ricoh, information security has always been a priority. As David Levine, VP Corporate Information Security, CSO, Ricoh USA, said, “It was important for us to become one of the first in our industry to secure this highly regarded certification.”

The PCI certification applies to our inbound services, including Intelligent Capture, Claims Processing and Accounts Payable/Receivable services, Digital Mail and Hosting Services, and Capture and Conversion services.

For more information about these services or how we can help you, please contact us and speak with one of our representatives.