Back to Blog
testimonial-strategy
pci-dss
payment-security
compliance-events
social-proof
cardholder-data

When a Customer Completes a PCI DSS Certification — Testimonial Wall Strategy for Payment-Card-Handling Customers

ProofShow Team··12 min read

The Payment Card Industry Data Security Standard — PCI DSS — is the mandatory security assessment that any organization processing, storing, or transmitting cardholder data must complete to remain in good standing with the major card brands (Visa, Mastercard, American Express, Discover, JCB). The current version is PCI DSS v4.0, which became the only valid assessment version on March 31, 2025, after a thirty-month migration window from v3.2.1. The standard is governed by the PCI Security Standards Council, an industry body jointly owned by the five card brands, and is enforced by the acquiring banks that maintain the merchant accounts of organizations subject to the standard. A PCI DSS assessment is performed annually for Level 1 merchants and service providers (a Qualified Security Assessor on-site assessment, with submission of a Report on Compliance), and on a self-assessment basis for the smaller merchant levels.

From a customer-success and testimonial-wall perspective, a PCI DSS certification is structurally different from the more familiar SOC 2 audit, ISO 27001 certification, and FedRAMP authorization milestones covered elsewhere in this series. The structural difference is the brand and trademark constraint. SOC 2 has a permissive marketing posture — a customer may state that a vendor is "SOC 2 Type II certified" without restriction, subject to the customer's own audit-firm guidance. ISO 27001 has a moderate brand constraint — the ISO logo may not be used by a certified organization itself, but the textual claim "ISO 27001 certified" is permissive. PCI DSS has the most restrictive brand and language constraint — the PCI Security Standards Council prohibits the use of "PCI compliant" as a standalone status claim, requires specific qualifying language ("PCI DSS validated for [scope]"), and reserves the use of the PCI logo and the Council's name for specific contexts under the PCI SSC Trademark Usage Guidelines.

This guide separates a PCI DSS certification into four phases, explains what changes for the testimonial wall in each phase, and provides per-phase playbooks. The phases are structured around the PCI DSS assessment lifecycle rather than around a single point-in-time event, because the assessment is annual and the testimonial wall must be calibrated to the certification cycle rather than to a one-time milestone.

The four phases of a PCI DSS certification

A PCI DSS certification runs through four phases each year, with the cycle repeating annually for Level 1 merchants and service providers. Each phase has a distinct testimonial-wall posture.

Phase 1: Pre-assessment readiness and scope definition. The merchant or service provider performs a gap assessment against the PCI DSS v4.0 control set, defines the cardholder data environment (CDE) scope, engages a Qualified Security Assessor (QSA), and completes remediation activities identified during the pre-assessment. This phase typically lasts three to six months for an established certified entity and six to twelve months for a first-time certification.

Phase 2: On-site assessment and Report on Compliance drafting. The QSA performs the on-site assessment, validates the controls in scope, and drafts the Report on Compliance (ROC). The ROC review may include multiple rounds of evidence requests and remediation. This phase typically lasts six to twelve weeks.

Phase 3: ROC finalization and Attestation of Compliance issuance. The QSA finalizes the ROC, the merchant or service provider signs the Attestation of Compliance (AOC), and the AOC is submitted to acquiring banks and other entities that require it. This phase typically lasts two to four weeks from the closing of the on-site assessment to AOC issuance.

Phase 4: Annual certification window and inter-assessment continuous compliance. The AOC is valid for one year from the assessment date, during which the merchant or service provider performs continuous-compliance activities (quarterly scans, change-management review, ongoing log review) and maintains the certification posture. This phase continues until the next annual assessment begins.

Each phase has its own testimonial-wall risks. The biggest mistake is to treat the PCI DSS certification as a single point-in-time event analogous to a SOC 2 Type I report, ignore the annual recertification cycle, and publish testimonials that imply permanent certification status without the qualifying language that the PCI SSC Trademark Usage Guidelines require.

Per-phase playbook for the testimonial wall

Phase 1: Pre-assessment readiness and scope definition

During the readiness phase, the merchant or service provider is preparing for the assessment but has not yet been certified for the current cycle. The testimonial wall faces a specific risk during this phase — anything that could be characterized as a claim of PCI DSS status before the current AOC is issued is prohibited under the PCI SSC Trademark Usage Guidelines and may trigger acquiring-bank exposure if used in commercial marketing.

First, audit testimonials for "PCI compliant" as a standalone claim. The phrase "PCI compliant" is prohibited by the PCI SSC Trademark Usage Guidelines as a standalone status claim because it conflates the standard with the assessment outcome. A common pre-assessment testimonial pattern reads "we chose this vendor because they are PCI compliant" or "the platform's PCI compliance was decisive for us." These quotes are problematic regardless of the certification status, because the standalone phrase implies a permanent status that the PCI DSS framework does not support. Treat each "PCI compliant" quote with one of three options:

  1. Rewrite to "PCI DSS validated." "We chose this vendor because they are PCI compliant" can be tightened to "We chose this vendor because they are PCI DSS validated for cardholder data processing." The validated language acknowledges the assessment-based nature of the certification and includes the scope qualifier that the Trademark Usage Guidelines require.
  2. Rewrite to "PCI DSS v4.0 attested." For testimonials that emphasize the current standard version, the phrase "PCI DSS v4.0 attested" combines the version specificity with the attestation language that maps to the AOC document.
  3. Strip the certification frame entirely. If a quote uses "PCI compliant" in a way that cannot be rewritten without distorting the testifying customer's message, strip the certification frame and rewrite around the underlying security-posture statement.

Second, audit testimonials for PCI logo use in the testimonial graphics. The PCI Security Standards Council reserves the use of the PCI DSS logo for certified entities that meet specific Trademark Usage Guidelines criteria. Most testimonial-wall graphics that include a "PCI" logo are using either the wrong logo (the PCI SSC corporate logo rather than the PCI DSS certification logo) or using a permitted logo without the qualifying language that the Guidelines require alongside it. The remediation is to strip the logo from the testimonial graphic during Phase 1, replace it with the text "PCI DSS Validated Service Provider" or "PCI DSS Validated Merchant" without graphical embellishment, and reserve any logo use for Phase 4 contexts that meet the Guidelines criteria.

Third, queue Phase 2 and Phase 3 testimonial-collection prompts. The pre-assessment readiness phase is the right time to identify the customers who will be approached for testimonial collection during and after the assessment. The selection criteria should prioritize customers who have integrated the merchant or service provider's PCI-scoped offering deeply enough to make a substantive statement about security posture, and exclude customers whose engagement is too shallow to support a defensible PCI-related testimonial.

Phase 2: On-site assessment and Report on Compliance drafting

During the on-site assessment phase, the QSA is actively validating the controls and the certification outcome is not yet determined. The testimonial wall faces two distinct risks during this phase — the conditional-status risk and the assessment-disclosure risk.

Conditional-status risk. Publishing testimonials that imply current certification status during a phase in which the certification has not been finalized is prohibited under the PCI SSC Trademark Usage Guidelines and creates exposure under the FTC's unfair-competition framework for material misrepresentation. The remediation is to freeze the publication of new PCI-related testimonials during the on-site assessment phase. Existing PCI-related testimonials that reference a prior year's AOC may remain published if they include the year-specific qualifying language ("PCI DSS validated for 2025-2026 attestation period") that anchors the claim to the prior cycle rather than to the current one.

Assessment-disclosure risk. A QSA assessment generates information about the merchant or service provider's security posture, including findings of nonconformance that are remediated before AOC issuance. The QSA assessment is governed by a confidentiality agreement with the QSA company and by the PCI SSC's Reporting Instructions for the QSA. Disclosing assessment details — even favorable details, such as "the QSA found no major nonconformances" — in a testimonial during the assessment phase risks breach of the confidentiality agreement and may trigger remediation by the QSA before AOC issuance. The remediation is to defer any assessment-detail disclosure to Phase 3 and later, after the AOC is issued.

Phase 3: ROC finalization and Attestation of Compliance issuance

During the AOC issuance phase, the certification is finalized for the current cycle and the testimonial wall can be activated for the new certification status. The remediation activities of Phase 1 and Phase 2 can be reversed in a specific sequence.

First, unfreeze the pre-queued testimonials with current-cycle qualifying language. The testimonials queued during Phase 1 can now be published with the current AOC's date range as the qualifying language. The recommended language is "PCI DSS validated for the [start date] to [end date] attestation period" rather than the standalone "PCI compliant" phrase, because the date-range language anchors the claim to the specific certification cycle and avoids the implication of permanent status.

Second, refresh the testimonial-wall graphics with the new AOC qualifying language. The graphics that were stripped of PCI logos during Phase 1 can be republished with the new AOC's qualifying text. Logo use remains optional and is recommended only for entities that have reviewed the PCI SSC Trademark Usage Guidelines and confirmed that their proposed use meets the Guidelines criteria.

Third, collect new testimonials from customers who participated in the assessment cycle. The customers who provided evidence to the QSA, supported the on-site assessment, or integrated more deeply with the merchant or service provider during the assessment cycle are the strongest candidates for new testimonial collection. The testimonial-collection prompt should be calibrated to elicit substantive statements about security posture rather than generic "PCI compliant" affirmations.

Phase 4: Annual certification window and inter-assessment continuous compliance

During the inter-assessment phase, the certification is valid for one year and the testimonial wall maintains the active certification posture. The phase introduces a slow-decay risk that the testimonial wall must manage.

Slow-decay risk. A testimonial that was substantive at the time of AOC issuance may become misleading as the certification cycle progresses and the merchant or service provider's offering evolves. A testimonial published in month one of the cycle that describes a specific control or scope element may misrepresent the offering by month nine if the control has been modified, the scope has expanded, or the offering has changed in a way that affects the testifying customer's experience. The remediation is to set a six-month testimonial review cadence within the annual cycle, audit each PCI-related testimonial for ongoing accuracy, and either refresh the testimonial language or retire the testimonial if accuracy cannot be confirmed.

Annual refresh trigger. Approximately ninety days before the next annual assessment begins, the testimonial wall should be transitioned back to Phase 1 posture. The transition includes auditing all PCI-related testimonials for language that anchors to the current AOC's date range, queueing the Phase 2 freeze for the upcoming assessment, and beginning the Phase 1 testimonial-collection prompts for the next cycle.

How the PCI DSS testimonial wall differs from other security-certification walls

The four-phase structure above is specific to PCI DSS and differs from the testimonial-wall structures for other security certifications in three ways.

First, the annual recertification cycle. Unlike a SOC 2 Type II report (annual but typically permissive in marketing) or an ISO 27001 certification (three-year cycle with annual surveillance audits), PCI DSS requires a full annual reassessment with a discrete AOC issuance event. The testimonial wall must be calibrated to the annual cycle rather than to a longer or shorter window.

Second, the trademark and language constraints. PCI DSS has the most restrictive language constraints of the major security certifications, with specific prohibitions on standalone "PCI compliant" claims and specific guidance on the use of "validated" and "attested" qualifying language. SOC 2 and ISO 27001 do not have equivalent constraints, and FedRAMP has different but distinct constraints calibrated to federal procurement contexts.

Third, the scope-definition sensitivity. PCI DSS scope is defined by the cardholder data environment (CDE), which is a specific subset of the merchant or service provider's overall infrastructure. A testimonial that implies a broader certification scope than the actual CDE-defined scope creates a material misrepresentation risk. The remediation is to include the scope-defining language in any PCI-related testimonial — "PCI DSS validated for our cardholder data environment" rather than the broader "PCI DSS validated."

What to do next

If a customer of yours is approaching a PCI DSS assessment milestone, map the customer's position in the four-phase cycle and align the testimonial-wall posture before the assessment begins. The Phase 1 audit takes approximately four to six hours for a testimonial wall of fifty quotes, and the Phase 4 six-month review takes approximately two hours. The investment is small relative to the trademark-and-language risk that an unmanaged PCI-related testimonial wall creates.

For related compliance-event testimonial guides, see SOC 2 audit testimonial strategy, ISO 27001 certification testimonial strategy, FedRAMP authorization testimonial strategy, and HIPAA attestation testimonial strategy.

Ready to get started?

Start collecting and showcasing testimonials in under 5 minutes.

Start Free