RoC, AoC, and Other Elements of PCI DSS Compliance

Take a look at the main parts of PCI DSS compliance and learn why your organization’s merchant level matters

The Payment Card Industry Data Security Standard – PCI DSS – is a security requirement for all entities that store, process, or transmit cardholder data. Today, virtually any business that handles this information must comply with PCI DSS. Specifically, PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data and/or sensitive authentication data.

PCI DSS compliance demonstrates security commitment and gives more confidence to clients that their cardholder data is properly protected. The compliance may be achieved only after you’ve tested your organization’s systems and processes against 12 technical and operational requirements. In other words, the road to PCI compliance lies through a PCI assessment. 

There are three parts to a PCI DSS audit and the merchant level of your organization plays a part in determining what you need from a PCI DSS audit: 

  • PCI Report on Compliance (RoC) provides details about the entity’s environment and assessment methodology, and documents the entity’s compliance status for each PCI DSS Requirement. The RoC is developed through a thorough Qualified Security Assessors (QSA) assessment that includes an onsite audit and review of controls. 
  • PCI Attestation of Compliance (AoC) declares the results of the service provider’s assessment with the PCI DSS Requirements and Security Assessment Procedures. The AoC is also completed by QSA.  
  • PCI Self-Assessment Questionnaires (SAQ) enable merchants to measure and self-assess their compliance.

Let’s take a look at all these parts of the PCI DSS compliance audit and learn how the merchant level of your organization plays a part in determining what you need from a PCI DSS audit.

Identifying your Merchant Level 

Before making decisions around RoCs, AoCs, and SAQs, understand to what merchant level your business suits. The idea of the PCI compliance levels stems from the fact that all businesses process different amounts of card payments. Merchants vary in size and scope from retail industry giants to regional grocery stores. Hence, they have different levels of risk for data breaches and security incidents. 

The Security Standards Council – a council that consists of major payment card giants, including Visa, Mastercard, American Express, and Discover – defines four merchant levels (with several exceptions for each of the card brands):

  • PCI Merchant Level 1: Merchants with over 6 million transactions annually, across all channels, or any merchant that has had a data breach

Level 1 merchants process the greatest volumes of card transactions each year. So, they must undergo an annual PCI DSS assessment by a Qualified Security Assessor (QSA). As a result of the assessment, the merchant obtains a Report on Compliance (RoC) from their third-party assessor. The merchant is also required to submit regular network scans by the Approved Scanning Vendors (ASV) to demonstrate compliance. Hence the formula for success for PCI Merchant Level 1 looks like QSA + RoC + ASV.

  • PCI Merchant Level 2: Merchants with between 1 to 6 million transactions annually, across all channels

Level 2 merchants are also required to undergo a third-party PCI DSS assessment on annual basis. They also get the Report on Compliance as a result of the assessment and must submit ASV scans quarterly. In some cases, however, Level 2 merchants may be eligible to complete a Self-Assessment Questionnaire (SAQ) instead of RoC. This depends on the particular card brand requirements. Level 2 Merchants should remember the following – QSA + RoC/SAQ + ASV

  • PCI Merchant Level 3: Merchants with between 20,000 and 1 million online transactions annually

Level 3 merchants don’t need to undergo third-party security assessments. They conduct self-assessments using a Self-Assessment Questionnaire (SAQ). They must also complete an Attestation of Compliance (AoC) testifying to the results of their assessment. Like Level 1 and 2 merchants, Level 3 merchants must also submit quarterly ASV scans. The memory Jog for Merchants Level 3 is SAQ + AoC + ASV

Depending on the particular card brand requirements, Level 3 merchants may be responsible for meeting the requirements of another level. For instance, if the merchant falls victim to a data breach that impacts cardholder information, it may be penalized and responsible for meeting the PCI Merchant Level 1 requirements. 

  • PCI Merchant Level 4: Merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million regular transactions per year

Level 4 merchants have no reporting requirements. Their transaction volumes are low and, therefore, their security risk is considered to be low. They only need to complete SAQ on an annual basis. 

Roc is the Result of the PCI DSS Assessment

The Report on Compliance is the central document resulting from the annual PCI DSS assessment. It details an organization’s security posture, environment, systems, and protection of cardholder data. The RoC is developed through a thorough QSA assessment that includes an audit and review of controls. 

Every RoC is organized according to the PCI Security Standards Council’s specifications which are derived from the RoC Reporting Template, available on the Council’s website. The template reflects the latest PCI Data Security Standards and is used by Qualified Security Assessors that conduct assessments against each of the 12 PCI DSS security requirements. 

The standardization of reporting allows you to provide every interested party with a clear representation of your status on PCI compliance.

Once you finished the assessment, complete an AoC.

AoC States Organizations’ PCI Compliance Status

The PCI Attestation of Compliance (AoC) is an attestation that states an organization’s PCI DSS compliance status. The AoC certifies that an organization has upheld security best practices to protect cardholder data. Just like RoC, AoC may only be completed by Qualified Security Assessors.  

AoC has several versions, including a merchant version, a service provider version as well a self-assessment version. The foremost version is the AoC for Onsite Assessments for Merchants – a form, which serves as written verification by the merchant that a valid assessment has been completed on their behalf.

The AoC has four main sections collecting specific details related to (1) Assessment Information, (2) the Report on Compliance, (3) Validation and Attestation, and (4) an Action Plan for Non-Compliant Requirements. The merchant is responsible for ensuring that each section is completed by the appropriate party, including the Qualified Security Assessor.

What is a PCI SAQ?

The Self-Assessment Questionnaires (SAQs) enable merchants to measure and assess their compliance with the 12 PCI Data Security Standard requirements. The updated versions of the Self-Assessment Questionnaire (SAQ) are available on the PCI Security Standards website. To determine which SAQ is right for your circumstances consider your status, depending on the business processes, cardholder data storage, and handling. 

For example, if you are an e-commerce store and outsource cardholder data processing then you should probably choose PCI SAQ A type. For those who outsource credit card sales to a third party, but handle the delivery of cardholder data to payment processors, SAQ A EP type may be suitable. Merchants who use imprint machines or terminals to collect credit card data would use the SAQ B. There are also options for merchants with other statuses of data processing. A precise list of those may be found on the Security Standards website. 

If you’re overwhelmed or confused by the PCI audit process, feel free to contact Planet 9 if you have any questions. We’ll be happy to assist!



Phone:  888-437-3646




Leave a Reply