PCI is entitled to suspend, withdraw or reduce the scope of a client’s management system certification. Any suspension, withdrawal or reduction of scope will have respective subsequent action(s) to be taken by PCI as well as the affected client.
Certification suspension will be implemented in cases when, for example:
- the client’s certified management system has persistently or seriously failed to meet certification requirements, including requirements for the effectiveness of the management system;
- the certified client does not allow surveillance or recertification audits to be conducted at the required frequencies;
- the certified client has voluntarily requested a suspension.
- corrective action(s) to the management system have not been demonstrated and implemented within the maximum of 5 working days from the last day of an audit;
- PCI has not been informed in a timely manner about planned changes to client’s management system and other changes which affect the system’s conformity with the standard or specification which forms the basis for the audit;
- a PCI certificate or a certification mark has been used in a misleading or unauthorized manner;
- due payments for audit and certification services have not been made timely after at least one written reminder.
Under a suspension, the affected certification is temporarily invalid. PCI customer service personnel will inform the affected client in writing i.e. PCI Certification Suspension Withdrawal Letter (PCI-F047) on the decision and stating the reason(s) as well as any corrective action necessary for the certification to be reinstated.
PCI will restore the suspended certification if the issue that have resulted in the suspension has been resolved. Failure to resolve the issue in maximum of 6 months will result in withdrawal or reduction of the scope of the management system certification. The client shall be informed in writing on the decision. In most cases, the suspension would not exceed 6 months.
For action of scope reduction, PCI will reduce the scope of a certified client’s management system certification to exclude the parts that are not meeting the requirements, when the certified client has persistently or seriously failed to meet the certification requirements for those parts of the scope of certification. Any such reduction shall be in line with the requirements of the standard used for certification.
On the other hand, PCI is entitled to withdraw a certified client’s certificate or to declare it invalid upon written notice to the client if:
- the 6-months period of the certificate has been exceeded;
- the conformity of the management system with the standard or specification on which it is based is not ensured or client is not willing or not able to eliminate the nonconformities;
- client continues to use the certification for promotion following the suspension of the certificate;
- client uses the certification in such a way as to undermine the reputation of PCI;
- the preconditions which led to issuing the certificate no longer apply;
- client files any voluntary or involuntary petition in bankruptcy;
- client effectively terminates its contractual relationship with PCI.
Where the decision to withdraw a client’s certificate is made, PCI customer service personnel will notify the affected client in written notice i.e. PCI Certification Suspension Withdrawal Letter (PCI-F047) and at the same time request the client to return the certificate to PCI.