RoC, AoC, and Other Elements of PCI DSS Compliance
Achieving PCI DSS compliance is essential for any business that stores, processes or transmits payment card data. The process involves identifying the scope, assessing security controls, implementing missing requirements, and validating compliance. While applying controls may seem straightforward, compliance validation often becomes a major hurdle for businesses. At the heart of PCI DSS compliance validation are PCI ROC, AOC, and SAQ:
- PCI Report on Compliance (RoC);
- PCI Self-Assessment Questionnaire (SAQ);
- PCI Attestation of Compliance (AoC).
Each of these requires understanding, resources, and expertise. Many businesses, especially small and mid-sized businesses (SMBs), struggle with them, leading to PCI compliance failures, gaps, and delays. Some of the most common challenges include:
- misidentifying the correct compliance validation method (SAQ vs. RoC vs. AoC);
- lack of in-house expertise or resources to navigate compliance effectively;
- failing ASV scans due to unpatched vulnerabilities or incorrect configurations;
- viewing PCI DSS as a one-time effort rather than an ongoing security commitment.
Let’s break down the ROC, SAQ, and AOC as the key elements of PCI DSS compliance validation and how to navigate them successfully.
Identifying your Merchant Level
Before making decisions around RoCs, AoCs, and SAQs, businesses should clearly understand which merchant level they belong to. Merchant levels exist because businesses process very different volumes of card payments. Merchants vary in size and scope, from retail industry giants to regional grocery stores, and so carry different levels of risk for data breaches and security incidents. The merchant levels are defined by the card brands (Visa, Mastercard, and the others), not by the PCI Security Standards Council, and each brand sets its own thresholds and exceptions. Most brands use four levels along the following lines:
- PCI Merchant Level 1: Merchants with over 6 million transactions annually across all channels, or any merchant a card brand designates as Level 1 (for example, after a data breach).
- PCI Merchant Level 2: Merchants with 1 million to 6 million transactions annually across all channels.
- PCI Merchant Level 3: Merchants with 20,000 to 1 million e-commerce transactions annually.
- PCI Merchant Level 4: Merchants with fewer than 20,000 e-commerce transactions a year, and all other merchants processing up to 1 million transactions per year across all channels.
Read more about how to identify your PCI compliance level.
PCI DSS Report on Compliance (ROC)
The PCI DSS Report on Compliance (ROC) is a detailed report documenting an assessment of an organization's adherence to the PCI DSS. It is required for Level 1 merchants and Level 1 service providers that handle payment card data and must demonstrate that cardholder data is handled securely and in compliance with PCI DSS. The ROC includes:
- detailed assessment of the organization’s environment and security controls;
- validation of compliance with all 12 PCI DSS requirements;
- evidence of security measures (e.g., policies, system configurations, access management).
The ROC is produced as the result of a thorough on-site assessment completed by a Qualified Security Assessor (QSA) or, where the card brand or acquirer permits it, by a PCI-certified Internal Security Assessor (ISA). The ROC contains comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and other evidence collected during the assessment. Every ROC is organized according to the PCI Security Standards Council's specifications, as laid out in the PCI DSS v4.0.1 Report on Compliance Template (ROC Template) available in the Council's Document Library. The ROC Template is the mandatory template for completing a ROC for all PCI DSS v4.0.1 submissions.
PCI DSS Self-Assessment Questionnaire (SAQ)
The Self-Assessment Questionnaire (SAQ) is a tool for merchants and service providers to evaluate their PCI DSS compliance without a third-party audit. It is primarily designed for smaller businesses that process fewer transactions and have a lower risk profile than large enterprises. An SAQ is generally available to:
- merchants whose level does not require a full ROC (typically Levels 2, 3, and 4), subject to their acquirer's requirements;
- businesses that have outsourced payment processing to PCI DSS validated third parties and do not store cardholder data electronically;
- companies that meet the specific eligibility criteria for a particular SAQ type.
NOTE: Not all merchants qualify for one of the shorter SAQs! A business that stores cardholder data electronically or has a complex payment environment usually falls into SAQ D, which covers every PCI DSS requirement, and its acquirer or card brand may require a ROC instead. SAQs are completed by merchants and service providers themselves during their self-assessment; no third-party assessor is needed. Yet, some SAQs (for example, SAQ A-EP, B-IP, C, and D) require quarterly external vulnerability scans from an Approved Scanning Vendor (ASV). What distinguishes an SAQ from a third-party ROC is that an SAQ:
- allows smaller businesses to demonstrate PCI DSS compliance without undergoing a time- and resource-intense third-party audit;
- simplifies the compliance process based on the specific payment method used.
However, despite the relative simplicity of an SAQ compared to a ROC, businesses should not underestimate their PCI DSS SAQ obligations: every "yes" answer must be true of the environment and backed by evidence, and the AOC that accompanies the SAQ is signed under the entity's own responsibility.
SAQ types
There are different SAQ types, each designed for specific payment processing environments. Choosing the wrong SAQ can lead to compliance gaps or incorrectly reported security controls. Here is a short layout of the main SAQ types:
- SAQ A - for card-not-present (e-commerce or mail/telephone order) merchants that have fully outsourced all cardholder data functions to PCI DSS validated third parties (e.g., a hosted payment page or PayPal), with no electronic storage, processing, or transmission of cardholder data on the merchant's own systems.
- SAQ A-EP - for e-commerce merchants that outsource payment processing to a PCI DSS validated third party but whose own website controls how cardholder data reaches that party (for example, a payment form served from the merchant's site that posts directly to the processor), so the merchant's web server can affect the security of the transaction.
- SAQ B - for merchants using only imprint machines or standalone dial-out payment terminals, with no electronic cardholder data storage and no IP-connected payment channel.
- SAQ B-IP - for merchants using only standalone, PTS-approved payment terminals that connect to the payment processor over the internet, with no electronic cardholder data storage.
- SAQ C - for merchants running a payment application system (e.g., POS software) connected to the internet on a network segmented from the rest of the business, with no electronic cardholder data storage.
- SAQ C-VT - for merchants that manually key in one transaction at a time into a web-based virtual terminal provided by a PCI DSS validated third party, with no electronic cardholder data storage.
- SAQ D for Merchants - for merchants who are eligible to complete a self-assessment questionnaire but do not meet the criteria for any other SAQ type (including merchants that store cardholder data electronically).
- SAQ D for Service Providers - the only SAQ available to service providers. It applies to service providers that a payment brand defines as eligible to self-assess (typically Level 2 service providers) and that store, process, or transmit cardholder data on behalf of merchants, or that provide payment-related, hosting, or security services that can affect the security of cardholder data.
- SAQ P2PE - for merchants using only hardware payment terminals that are part of a PCI SSC-listed point-to-point encryption (P2PE) solution, which encrypts card data at the point of entry, with no electronic cardholder data storage.
- SAQ SPoC - for merchants using a PCI SSC-listed Software-based PIN Entry on COTS (SPoC) solution, i.e. a secure card reader paired with a commercial off-the-shelf device such as a smartphone or tablet, as their only payment channel.
The full list of PCI DSS SAQ types, along with their templates and eligibility criteria, is available in the PCI DSS Document Library.
PCI DSS Attestation of Compliance
The PCI DSS Attestation of Compliance (AOC) is a formal document that confirms an organization has completed its PCI DSS assessment and states the result of that assessment. It serves as proof of compliance for business partners, acquirers, and payment processors. The AOC isn't a stand-alone document but a summary that accompanies either an SAQ or a ROC. In other words, when a business completes an SAQ or ROC, it must also complete the matching AOC to validate its compliance. The AOC is signed by a legally authorized representative of the organization being assessed (and by the QSA, if one performed or assisted with the assessment), confirming that all applicable PCI DSS requirements have been met. Who completes the AOC depends on whether the organization is using an SAQ or undergoing a ROC assessment:
- merchants and service providers using an SAQ complete the AOC themselves, and an authorized officer (for example, a senior executive or designated compliance officer) reviews and signs it. If a QSA assisted with the self-assessment, the QSA signs as well.
- larger businesses undergoing a ROC have their QSA complete the AOC. An authorized officer of the assessed company must also review and sign it.
- service providers must complete an AOC as part of their compliance validation. Businesses that use third-party service providers should request a current AOC from them to confirm the provider's compliance and which services it covers.
The AOC templates for each SAQ, and for the ROC, are provided in the PCI DSS Document Library. Obtaining an AOC takes time, expertise, and resources, and there are many challenges and misconceptions around it:
- Many businesses don't realize they need an AOC in addition to their SAQ or ROC. This is especially common among merchants and service providers that are eligible for an SAQ.
- Businesses submit incomplete documents or misunderstand the reporting requirements. Many also fail to provide all the necessary information, which leads to compliance delays.
- Businesses struggle to obtain an AOC from their third-party service providers.
- Businesses wrongly assume an AOC is a one-time requirement and fail to allocate the time and resources to renew it annually.
How to Achieve PCI DSS Compliance
- Determine your PCI DSS scope: Identify all systems, networks, and processes that store, process, or transmit cardholder data, or that are connected to or could affect the security of those systems. Determine whether your business is a merchant or a service provider and which PCI compliance level applies.
- Identify your compliance requirements: Determine whether you need to complete a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC). If using an SAQ, select the correct SAQ type based on how you handle payments. If a ROC is required, engage a Qualified Security Assessor (QSA) for a formal assessment.
- Implement PCI DSS security controls: Implement the 12 core PCI DSS requirements, grouped into six goals that protect cardholder data by maintaining a secure network, using encryption, keeping software patched, implementing strong access controls and audit logging, testing security regularly, and training staff.
- Validate compliance: Complete the SAQ or undergo the QSA-led assessment for a ROC, and obtain an Attestation of Compliance (AOC) signed by an authorized officer.
- Maintain compliance: Perform the annual validation and the recurring activities the standard requires (for example, quarterly ASV scans where your SAQ or ROC calls for them), ensure third-party vendors handling card data also maintain compliance, and keep logs, policies, and security controls current as PCI DSS evolves.
How Planet 9 Can Help
Unsure where to start with PCI DSS compliance? Planet 9 Security provides expert guidance to help your business meet compliance requirements, avoid costly fines, demonstrate a commitment to data security, and strengthen customer confidence—all while taking a cost-effective approach tailored to your needs. Depending on the size of the company and the volume of annual credit card transactions, we’ll assist your business in achieving PCI DSS compliance through the following steps:
- Initial assessment: Conduct a kickoff session to analyze the types and volumes of credit card transactions.
- Security maturity evaluation: Assess your organization’s current security posture to establish a baseline and determine gaps and remediation strategies for achieving compliance.
- Validation requirement analysis: Identify the necessary PCI DSS validation path (SAQ, ROC, AOC) based on transaction volumes and accepted credit card brands.
- Compliance planning: Develop a comprehensive PCI DSS compliance strategy tailored to your security maturity and validation requirements.
- Validation process support: Assist your organization in the annual compliance validation and attestation process.
- Ongoing compliance guidance: Provide expert advice on preparing for future validation efforts.
If you’re overwhelmed or confused by the PCI audit process, feel free to contact Planet 9. We’ll be happy to assist!
FAQs
What's the difference between a PCI SAQ, AoC, and RoC?
The PCI SAQ, Report on Compliance (RoC), and Attestation of Compliance (AoC) are all elements of PCI DSS compliance validation, but they differ in purpose and applicability. The PCI SAQ is a self-assessment tool for merchants and service providers to evaluate their own PCI DSS compliance. The PCI RoC is a detailed report on PCI DSS compliance status produced by a third-party Qualified Security Assessor (QSA). The PCI AoC is a formal document that summarizes the result of an SAQ or RoC and confirms that an organization has completed its PCI DSS assessment.
What controls are necessary to be a PCI-compliant organization?
Organizations planning to validate their PCI DSS compliance must first implement the 12 requirements of the PCI DSS standard published by the PCI Security Standards Council. These are grouped under six goals: build and maintain a secure network and systems, protect account data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
Is PCI DSS AoC mandatory for all businesses?
Yes. All merchants and service providers that fall under PCI DSS must complete an AoC alongside their SAQ or RoC and keep it current, since validation is repeated annually. Whether and to whom the AoC must be submitted (the acquirer, the card brand, or a client) depends on the card brand's rules and the entity's level.
What happens if my business does not comply with PCI DSS?
If you accept card payments, or are a service provider handling cardholder data, you have a contract with an acquirer, payment processor, or client that includes a clause requiring PCI DSS compliance. Violating that clause can result in fines of up to $100,000 per month of non-compliance; the card brands levy these on the acquirer, which passes them on to the merchant. Non-compliance can also bring higher transaction fees, liability for fraud losses after a breach, and ultimately loss of the ability to accept card payments.