Why every major certification has a portal
Certifying bodies bear reputational risk when forgers claim their credentials. PMI loses trust if anyone can print a fake PMP. ISC2 loses standing if uncertified practitioners claim CISSP. Every major credential body has converged on the same defense: a public verification portal that the certifying body controls and the employer can query.
The portals differ in coverage, search method, and what they return. The flow below covers the four highest-value credentials in 2026 hiring.
PMP: PMI Online Registry
The Project Management Institute operates a public online registry at pmi.org/certifications/certification-resources/registry. Search fields: first name, last name, credential type (PMP and other PMI credentials), country, ZIP or postal code.
The registry returns one of three results:
- Active. The holder is currently PMP certified and meeting PDU (Professional Development Unit) requirements.
- Inactive or expired. The holder passed the exam but has not maintained certification. Many candidates list PMP on a resume after the certification has lapsed.
- No record. No entry under the given name and location. The candidate may have changed name, opted out of the public registry, or never earned the credential.
For the third case, ask the candidate to enable registry visibility, change the ZIP they submitted, or provide a PMI member ID. A candidate who refuses all three on a public credential is worth a closer look. PMI also covers PgMP, PfMP, PMI-ACP, PMI-RMP, PMI-SP, and CAPM through the same registry.
CISSP: ISC2 Member Verification
ISC2 operates the verification portal at isc2.org/MemberVerification. Required inputs: the holder’s name and the certification number (also called member number).
The certification number is the friction. Holders can share it freely, but they have to share it; without it, the portal does not return results. Best practice is to ask the candidate for their ISC2 member number when CISSP is listed on the resume. Most CISSPs share it without hesitation; reluctance is itself a signal.
The portal returns each ISC2 certification held by that member and the expiration date. CISSPs are required to accrue Continuing Professional Education (CPE) credits annually; a lapsed entry signals failure to meet CPE obligations.
The same portal covers CCSP, SSCP, CSSLP, CAP, HCISPP, and other ISC2 credentials.
CFA: through CFA Institute, not a public name lookup
The CFA Institute does not publish a public name-based charter lookup. The standard verification paths:
- Charter verification letter.The charterholder requests a verification letter from CFA Institute and forwards it to the employer. The letter is signed by the Institute and includes the charterholder’s name, charter date, and current membership status.
- CFA Institute Charter Verification Service. For HR teams and background-check vendors processing many candidates, CFA Institute offers a charter-verification service that confirms charter status directly with the requesting organization (subject to candidate consent).
- Member profile share. Charterholders can share their CFA Institute member profile URL. The page displays charter status and CFA-related professional history.
The lack of a public name lookup is a deliberate CFA Institute policy. The implication for HR is that CFA verification requires either a letter or candidate cooperation. PDF charters alone are not authoritative.
CPA: state boards and CPAverify.org
CPA licensure is state-issued; verification runs through the relevant State Board of Accountancy. Two paths:
- The state board’s own license lookup. Most states publish an online lookup. California, New York, Texas, and Illinois all expose a free name-and-license-number search.
- CPAverify.org. A free aggregator operated by NASBA covering most US jurisdictions. One search across states is more efficient than fifty separate boards.
The lookup returns license number, status (active, expired, suspended), issue date, and any disciplinary actions on record. CPA licenses require continuing professional education to maintain; an active license in 2026 means the holder has met CPE obligations. Disciplinary actions, even historical ones, are part of the public record and worth surfacing.
For non-US CPAs (Chartered Accountants in the UK, Canada, India, Australia), the relevant body is the national institute: ICAEW, CPA Canada, ICAI, CA ANZ. Each operates its own member-status portal.
Lapsed is not the same as fake. Both matter. A registry that returns “inactive” on a candidate’s claimed certification is a yellow flag worth a conversation.
When the body has no public portal
Outside the big four, many credential bodies operate differently. Some smaller bodies have no public lookup at all. The fallback hierarchy:
- Request a verification letter directly from the certifying body. Most issue these on request from the credential holder.
- Use the body’s direct verification service if one exists, often called “employer verification” or “third-party verification”.
- Run forensic AI on the candidate-supplied certificate. This catches PDF forgeries and Photoshop-edited documents at intake. See our photoshop detection guide.
- If the credential lists the certificate number on the PDF, the body usually offers a number-based lookup even if there is no name search.
Operationalizing for an HR team
What works at scale:
- Add a structured field per claimed certification on the candidate application: certification number, issuing body, expiry date.
- Automate the public-portal lookups where possible. PMI registry and CPAverify.org can be hit programmatically with respect for terms of service. ISC2 requires the certification number, which the application form should ask for.
- For CFA, configure a standard candidate workflow: request the charter verification letter from CFA Institute at offer stage. Most candidates can produce one within a few days.
- Run forensic AI on any candidate-supplied certificate PDF as a routine intake step. The cost is cents per document, and it catches the obvious fakes before any human time is spent. The same engine handles diplomas and IDs; see our how-employers-verify-education guide for the broader credential workflow.
Frequently asked questions
What is the most common professional-certification fraud in 2026?
The most common pattern is misrepresentation of an inactive credential as active. Candidates who passed the exam years ago but never maintained the certification list it on the resume hoping the recruiter does not run the registry check. The mitigation is to run the registry check, every time.
Can I rely on LinkedIn’s certification section?
LinkedIn certifications are self-reported. Some certifying bodies (Microsoft, AWS, Credly partners) support LinkedIn import from authoritative sources; those are reliable. Self-entered LinkedIn entries are not. Treat LinkedIn as context, not evidence.
What if the registry shows no record but the candidate insists?
Common reasons: name change, privacy opt-out on the public registry, search field mismatch (a maiden name vs married name, an incorrect ZIP), or a credential from a sibling body that does not appear in the searched registry. Ask the candidate for the certification number and run the number-based lookup where supported. If no match still, treat as unverified.
Are CFA Levels (I, II, III) verifiable?
Passing CFA Levels I, II, or III is a milestone, not a charter. CFA Institute confirms charter status, not level-pass status, through its verification services. Candidates who passed Level III but did not complete the work experience requirement are CFA candidates, not charterholders.
What about credentials from outside the US (ACCA, ICAEW, FRM)?
Each body operates its own member portal. ACCA (UK) has a public member lookup. ICAEW (UK) has a member directory. GARP (FRM, ERP) confirms certifications directly with the candidate’s consent. The same principle applies: find the certifying body’s official portal and use it.