If a vendor gets an ROC (Report on Compliance) from an auditor, does it mean that his entire retail environment is PCI compliant, hence PCI Certified? In reality, is there even such a term?
I bring up this question since in one of the recent articles I read, a PCI security vendor for mobile payments claimed to be PCI compliant and also sent out in the marketing message its own PCI Council seal of approval icon. Later the vendor sent a correction saying, “there is no such thing as ‘PCI-certified’ mobile payment application or an official mobile certification logo.” Now this is for mobile payment applications.
What about PCI certification for non-mobile environments? Can a vendor claim that their applications or software used in POS sytems and backoffices for example are PCI certified? If yes, what makes it so?